CS 361S - Network Security and Privacy Spring Project #1

Similar documents
CS 361S - Network Security and Privacy Spring Project #2

CS Programming Languages Fall Homework #2

CS155: Computer Security Spring Project #1. Due: Part 1: Thursday, April pm, Part 2: Monday, April pm.

CS 361S - Network Security and Privacy Spring Project #2

Web Application Security. Philippe Bogaerts

Assignment 6: Web Security

CS 361S - Network Security and Privacy Spring Homework #1

Web Attacks Lab. 35 Points Group Lab Due Date: Lesson 16

CS 161 Computer Security

CSCE 813 Internet Security Case Study II: XSS

CS 361S - Network Security and Privacy Spring Homework #2

Project 2: Web Security

CIS 4360 Secure Computer Systems XSS

CS155: Computer Security Spring Project #1

Computer Security Coursework Exercise CW1 Web Server and Application Security

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Jackson State University Department of Computer Science CSC / Computer Security Fall 2013 Instructor: Dr. Natarajan Meghanathan

NET 311 INFORMATION SECURITY

CS 161 Computer Security

P2_L12 Web Security Page 1

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

CS 642 Homework #4. Due Date: 11:59 p.m. on Tuesday, May 1, Warning!

CS 155 Project 2. Overview & Part A

Solution of Exercise Sheet 5

Robust Defenses for Cross-Site Request Forgery Review

CS 161 Computer Security

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Application vulnerabilities and defences

Introduction. Overview and Getting Started. CS 161 Computer Security Lab 1 Buffer Overflows v.01 Due Date: September 17, 2012 by 11:59pm

Creating an Adobe Connect Presentation: Using Your Personal Computer to Record and Publish

XSS Homework. 1 Overview. 2 Lab Environment

CyberP3i Hands-on Lab Series

CS4264 Programming Assignment 3 Principles of Computer Security Due 4/11/2018, 5PM EST.

WebGoat Lab session overview

Your Turn to Hack the OWASP Top 10!

3. Apache Server Vulnerability Identification and Analysis

Security Course. WebGoat Lab sessions

Configuring User Defined Patterns

Web Security, Summer Term 2012

Web Security, Summer Term 2012

Advanced Web Technology 10) XSS, CSRF and SQL Injection

CS 361S - Network Security and Privacy Spring Homework #3

CS Homework 4 p. 1. CS Homework 4

SQL Injection Attack Lab

Jackson State University Department of Computer Science CSC 437/539 Computer Security Fall 2013 Instructor: Dr. Natarajan Meghanathan

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

CS 161 Computer Security

SAM Server Utility User s Guide

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Basic Web Application Development Spring credit hour Student Taught (Satisfactory/Unsatisfactory)

MP 1: HTTP Client + Server Due: Friday, Feb 9th, 11:59pm

CSC4370/6370 Spring/2010 Project 1 Weight: 40% of the final grade for undergraduates, 20% for graduates. Due: May/8th

Wholesale Lockbox User Guide

CS 161 Computer Security

CS 161 Computer Security

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web


How to Use This Lab Manual

Robust Defenses for Cross-Site Request Forgery

CS Final Exam Review Suggestions - Spring 2018

CSCE 548 Building Secure Software SQL Injection Attack

Checklist for Testing of Web Application

American Public Health Association s Affiliate Online Community User s Guide. October 2015 edition

COMP9321 Web Application Engineering

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Web Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin

CS 1520 / CoE 1520: Programming Languages for Web Applications (Spring 2013) Department of Computer Science, University of Pittsburgh

Security issues. Unit 27 Web Server Scripting Extended Diploma in ICT 2016 Lecture: Phil Smith

FIREFOX MENU REFERENCE This menu reference is available in a prettier format at

Lab 1: Accessing the Linux Operating System Spring 2009

Web Application Attacks

Web Security. Attacks on Servers 11/6/2017 1

Web Application Security

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

SAM Server Utility User s Guide

OWASP Top 10 The Ten Most Critical Web Application Security Risks

CS 344/444 Spring 2008 Project 2 A simple P2P file sharing system April 3, 2008 V0.2

Application Layer Security

Building a Web-based Health Promotion Database

Standard Edition (SE) application development Enterprise Edition (EE) enterprise development Micro Edition (ME) Internet of Things (IoT) development

Network Administration/System Administration (NTU CSIE, Spring 2018) Homework #1. Homework #1

Project 4: ATM Design and Implementation

Penetration Test Report

Assignment pts. Figure 1: Main page, shown when user requests index.php.

San José State University Department of Computer Science CS-174, Server-side Web Programming, Section 2, Spring 2018

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

CIS Homework 9

Finding Vulnerabilities in Web Applications

Sichere Software vom Java-Entwickler

Gradekeeper Version 5.7

CS Homework 7 p. 1. CS Homework 7. Problem 1 - START THIS A.S.A.P. (in case there are PROBLEMS...)

Homework 5: Exam Review

HOW TO: Download and Play your WMA Audio Books

Security Research Advisory ToutVirtual VirtualIQ Pro Multiple Vulnerabilities

cs642 /introduction computer security adam everspaugh

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

CSC 3300 Homework 3 Security & Languages

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Transcription:

CS 361S - Network Security and Privacy Spring 2014 Project #1 Due: 11:00am CST, February 27, 2014 Submission instructions Follow the instructions in the project description. If you are submitting late, please indicate how many late days you are using. Collaboration policy This assignment can be done individually or in two-person teams. Any cheating (e.g., submitting another person s work as your own, or permitting your work to be copied) will automatically result in a failing grade. The Computer Science department code of conduct can be found at http://www.cs.utexas.edu/undergraduate-program/code-conduct. Late submission policy This project is due at the beginning of class on February 27. All late submissions will be subject to the following policy. You start the semester with a credit of 3 late days. For the purpose of counting late days, a day is 24 hours starting at 2pm on the assignment s due date. Partial days are rounded up to the next full day. You are free to divide your late days among the take-home assignments (3 homeworks and 2 projects) any way you want: submit three assignments 1 day late, submit one assignment 3 days late, etc. After your 3 days are used up, no late submissions will be accepted and you will automatically receive 0 points for each late assignment. 1

Project #1 (50 points + 7 bonus points) The objective of this project is to give you hands-on experience implementing attacks against vulnerable Web applications. You will do this project on a virtual machine using VMware Player. You will need: The VMware Player: http://www.vmware.com/products/player/ The project image: http://www.cs.utexas.edu/~shmat/courses/cs361s/cs361s-proj1.tgz Getting Started 1. Download both the VMware Player and the project tarball. Uncompress the tarball and run the vm with VMware Player. 2. If VMware Player asks whether you moved or copied the image, say that you copied it. 3. The machine has two accounts: root/root and user/user. You will do your work as user, but feel free to explore as root. The vm is configured to use NAT for networking. From the vm, you can type ifconfig as root to see the IP address of the vm. It should be listed in the field inet addr: under eth0. The vm also has an SSH server. You can SSH into the vm from your machine, using the IP address produced by ifconfig (see above) as the destination. You can also use this to transfer files into the vm using scp. Alternatively, inside the vm, you can fetch files directly from the Web using wget. Some attacks will require an email to be sent to user on the system. You will need a server-side script to automatically email information captured by your client-side JavaScript. We have provided this script for you at http://hackmail.org/sendmail.php (open this URL from within the vm for more instructions) and use that URL in your attack scripts to send emails. Any mail the user receives will appear in /var/mail/user. Interacting with the vm Using SSHFS / X Tunneling (recommended) Probably the least painful way to interact with the vm is through local networking. 1. Install the sshfs package on your host machine and create an empty netfs directory. 2

2. Run sshfs root@[vm IP address]:/ netfs and enter the vm s root password. You can now access the vm s filesystem via the netfs directory with your host machine s applications. 3. Log in to the vm via ssh -Y user@[vm IP address]. You can now run graphical applications such as iceweasel within the vm. Good old-fashioned logging in (slow and annoying) If you re determined to do this the painful way and interact with the VMware Player window: 1. You may find it beneficial to install vmware-tools in the vm. VMware Player will prompt you about this. 2. Go into the desktop environment with startx. 3. To start a Web browser, type iceweasel &. 4. You can change the display resolution in the virtual machine with xrandr, e.g.: xrandr -s 19 5. If you want to install other packages / a friendlier desktop environment, you can use apt-get. UT Payroll UT Payroll is all about making sure people get paid while doing the least amount of work possible. To that end, they ve created a Web application that lets you set up your direct deposit information, replacing the six hardcopy forms they had previously. Because they find themselves frequently looking up the name attached to a UT EID, they have included that functionality as well. The UT Payroll server is located at this URL (accessible only from within the vm): http://payroll.utexas.edu You can create a new account by registering on the main page. You can then save your account number and routing number (this should be obvious, but please please please do not save your actual banking information, or use your actual UT Direct password when registering). You can view any registered user s name by looking up their UT EID on the right. The source code of the Payroll website is available within the vm in /var/payroll/www 3

Attack #1: Cross-site request forgery (10 points + 2 bonus points) Create a malicious HTML page that should work as follows. Suppose the victim has logged into the UT Payroll server, and, while still logged in, visits your HTML page. Your page should overwrite the victim s account number and routing number stored on the UT Payroll server with your own values: 3133731337 and 1000000001 respectively. Important: The victim should be redirected to the UT Payroll website immediately. In particular, he should not see the URL or the content of the malicious HTML page. (It is Ok if the browser displays your malicious page for a fraction of a second before it finishes fetching the UT Payroll page.) Bonus (2 points) Instead of redirecting the victim as described in the previous paragraph, make the attack transparent to the victim. In this case, the victim should see only the URL and content of your malicious HTML page. For example, the victim is browsing his favorite forum and sees your link promising a cute picture of a kitten. He clicks your link, sees the kitten, nods appreciatively, then closes the tab, unaware that his data at UT Payroll has been modified. Attack #2: Cookie theft (15 points + 5 bonus points) A user named victim has logged into the UT Payroll server. Create a URL that looks like this (with EVILMAGIC replaced by your exploit): http://payroll.utexas.edu/account.php?eid=evilmagic When the logged in victim visits this URL, the victim s UT Payroll cookie should get sent by email to user. The user should notice no difference in the behavior or appearance of the web page compared to simply typing a username into the text box on http://payroll.utexas.edu/ account.php and hitting Enter. The source of the page can be arbitrarily different, but it should look and feel exactly the same. Important: While you can technically satisfy the wording of the problem by redirecting the user to http://payroll.utexas.edu/account.php?eid=victim after stealing the cookie, this is not what we are looking for. You must exploit the way that the username variable is used in the PHP script. In particular, your attack code must: Pull the victim s record from the database using the SQL query on line 30 of account.php (therefore, SQL must not barf on being given a query constructed from the username part of your URL). 4

Result in the correct username (victim) being displayed in the input field on the user page. Thus, when the PHP code spits back the username you gave it on line 100 of account.php, it must somehow render as victim. It should be exactly that string you cannot have more text hidden beyond the whitespace in the input box. Display the user s EID and name in the area below. Your code should also somehow ensure that even though the username you supplied is a long and ugly string, it should render as victim in this part of the page as well. To summarize, you attack should, without redirection, result in a page that looks exactly like the page http://payroll.utexas.edu/account.php?eid=victim The HTML source will be different, and so will the address bar (it will be your malicious URL) but the content of the page should look and behave the same. If you choose to use a client-side script in addition to a malicious URL, you can use your UT webspace or any other webspace available to you (such as http://pastebin.com) to host that script. Tip: You are allowed to hardcode the string victim wherever you want. You cannot, however, hardcode the value of the name; it should be retrieved from the database. You will probably need to understand and exploit the manner in which the value of the name is encoded into the HTML page and how the JavaScript retrieves it. Partial credit: If you are not able to email the cookie, at least display it in a pop-up alert. If you are not able to make the page look exactly the same, make it look approximately the same. At the very least, try to make sure that your URL does not result in the This UT EID is not registered warning. While some point will be given for simply sending the email / alerting the cookie, the majority of the points for this question are for cleaning up the display after the email has been sent. Bonus (5 points) The team with the shortest URL that implements the full attack #2 gets 5 bonus points. Attack #3: Password theft (10 points) Create a malicious HTML page that should work as follows. Assume your victim is not logged in. Upon visiting your page, the victim should be redirected to http://payroll. utexas.edu/. When the victim enters a username and password and hits Log in, an email should be sent to user containing the username and password entered by the victim. Important: Assuming a valid username/password pair was entered, the next page should look as if the victim did indeed log into UT Payroll. 5

Attack#4: SQL injection (15 points) Create an HTML page that the tester will open in his browser. The tester will not be logged in. The HTML page should have a form with a single text field and a submit button (note: the form should not ask the tester for a password). The tester will type a username into the text field and submit the form. You can assume the username submitted by the tester is already associated with a registered account. As a result, the tester should be logged in as the user whose username he submitted. The browser s location bar should be http://payroll.utexas.edu/account.php, and the page should function exactly as if the correct username and password were entered on the real site. Deliverables You will submit your project with turnin. The grader is ojensen and the project name is proj1. Make sure you include a file for each attack: Your malicious HTML page(s) (the entire page, not just the URL) implementing attack #1. Text file with your malicious URL implementing attack #2. Your malicious HTML page implementing attack #3. Your malicious HTML page implementing attack #4. Your submission should also include a file SUBMISSION. The first line should state how many late days were used (if any). Then give the following on a single line, one for each student: your UTEID your UTCS username your real name You may want to include a README file with comments about your experiences or suggestions for improvement. 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback