Berkeley COMPSCI 161 - Project 3 Description

This preview shows page 1 out of 4 pages.


Project 3 Description
CS161 Computer Security, Fall 2008
Assigned: 11/19/2008
Due Date: 12/14/2008

1 Web Application Security

StockBank is a stock management web application hosted at http://sphere.cs.berkeley.edu:8080 which allows registered users to post profiles, buy stocks, and transfer them to each other. Each registered user starts with a balance of 10000 dollars to buy stocks with.

This project has two parts:

Part 1: Construct various attacks against the StockBank website.
Part 2: Fix the web application to prevent the attacks you found in Part 1.

Although many real-world attackers do not have the source code for the web sites they are attacking, you are one of the privileged ones: you have access to the source code. You would not actually need to look at the site's source code until Part 2, but it's there if you get stuck. The code is available at home ff cs161 proj3 fa08 proj3 code tgz.

1.1 Part 1: Attacks

You have to perform 4 kinds of attacks on StockBank.

A. Cookie Theft (5 points)

Your solution is a URL starting with http://sphere.cs.berkeley.edu:8080/users.php. The grader will already be logged in to StockBank before loading your URL in the browser. Your goal is to steal the document cookie and email it to the grader using an email script that we provide. The function of the email script is described later.

Except for the browser address bar (which can be different), the grader should see a page that looks exactly as it normally does when the grader visits users.php. No changes to the site appearance or extraneous text should be visible. Avoiding the red warning text is an important part of this attack. It is ok if the page looks weird briefly before correcting itself.

Hint: Here is an example attack as a starting point. Place this link in an HTML file, open it in a browser, and click it:

    <a href="http://sphere.cs.berkeley.edu:8080/users.php?user=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C/script%3E">Example</a>

B. Cross-site Request Forgery (5 points)

Your solution is a short HTML document that the grader will open using the web browser. The grader will already be logged in to StockBank before loading your page. Transfer 10 dollars from the grader's account to the account of a user named "attacker". The browser should be redirected to http://sphere.cs.berkeley.edu:8080 as soon as the transfer is complete (so fast the user might not notice). The location bar of the browser should not contain sphere.cs.berkeley.edu:8080 at any point.

C. Password Theft (5 points)

Your solution is a short HTML document that the grader will open using the web browser. The grader will not be logged in to StockBank before loading your page. Upon loading your document, the browser should immediately be redirected to the StockBank web site at http://sphere.cs.berkeley.edu:8080. The grader will then enter a username and password and press the "Log in" button. When the "Log in" button is pressed, send the username and password (separated by a comma) using the email script to the grader.

The login form should appear perfectly normal to the user. No extraneous text (e.g. warnings) should be visible, and assuming the username and password are correct, the login should proceed the same way it always does.

Hint: The site uses the PHP htmlspecialchars function to sanitize the reflected username, but something is not quite right.

D. Profile Worm (5 points)

Your solution is a profile that, when viewed, transfers 1 dollar from the current user to a user called "attacker" (that's an actual username) and replaces the profile of the current user with itself. Your malicious profile may include a witty message to the grader (optional, but it helps us see that it replicated).

To grade your attack, we will cut and paste the submitted profile file into the profile of the "attacker" user and view that profile using the grader's account. We will then view the copied profile with more accounts, checking for the transfer and replication. The transfer and replication should be reasonably fast (under 15 seconds). During that time, the grader will not click anywhere.

During the transfer and replication process, the browser's location bar should remain showing http://sphere.cs.berkeley.edu:8080/users.php?user=username, where username is the user whose profile is being viewed. The visitor should not see any extra graphical user interface elements (e.g. frames), and the user whose profile is being viewed should appear to have 10 dollars. You will not be graded on the corner case where the user viewing the profile has no dollars to send.

Hint: The site allows a sanitized subset of HTML in profiles, but you can get around it. This MySpace vulnerability may provide some inspiration for this attack. You can find an online document about this at http://www.securityfocus.com/archive/82/430263/30/120/threaded

Email script

For Attacks A and C, you will need a server-side script to automatically email information captured by your client-side JavaScript code to the reader for grading. We have provided this script for you at http://sphere.cs.berkeley.edu:8080/sendmail.php. It explains how you can use it to automatically send email using a hyperlink. The code for sendmail.php is also given to you. While developing your exploits, you can mail the stolen data to your email account to verify if your attacks worked. Be sure to have the stolen data sent to the grader when submitting the final exploits.

Mozilla Firefox

We will grade your project with default settings using the latest official release of the Mozilla Firefox browser at the time the project is due. We have verified that Firefox 3.03 is a safe choice. We chose this browser for grading because it is widely available and can run on a variety of operating systems. There are subtle quirks in the way HTML and JavaScript are handled by different browsers, and some attacks that work in Internet Explorer (for example) may not work in Firefox. In particular, you should use the Mozilla way of adding listeners to events: https://developer.mozilla.org/En/DOM/element.addEventListener. We recommend that you test your code on Firefox before you submit to ensure that you will receive credit for your work.

1.1.1 Deliverables and Grading

Create files named a.txt (containing only the attack URL) for part a, b.html for part b, c.html for part c, and d.txt for part d, and submit them electronically as proj3 part1. The web site has lots of other interesting vulnerabilities, but you will not receive credit for finding vulnerabilities other than those described above. We will run your attacks after wiping clean the database of registered users
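
The hint for attack C says the site escapes the reflected username with htmlspecialchars yet something is still wrong; the page does not say what. The added example below, which is not StockBank's code, assumes one common cause: the value lands in a single-quoted attribute while the escaping flags leave single quotes alone. The field name login_username and the sample input are constructed for illustration.

```php
<?php
// Added example for Part 2, not StockBank code. The field name
// "login_username" and the sample input are constructed for illustration.

// Weak: ENT_COMPAT escapes & < > " but leaves ' untouched. It was the
// default flag set of htmlspecialchars() before PHP 8.1.
function escape_weak(string $v): string {
    return htmlspecialchars($v, ENT_COMPAT, 'UTF-8');
}

// Hardened: escape both quote styles and substitute invalid UTF-8.
function escape_attr(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumed template: the reflected value sits in a single-quoted attribute.
function render_field(string $escaped): string {
    return "<input type='text' name='login_username' value='" . $escaped . "'>";
}

// Parse the markup with an HTML parser and read the attribute back.
function parsed_value(string $html): string {
    libxml_use_internal_errors(true);   // fragments trigger parser warnings
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input->getAttribute('value');
}

// Regression check: the escaping fits this context only if the value
// survives the round trip unchanged, i.e. it never leaves the attribute.
function round_trips(callable $escape, string $input): bool {
    return parsed_value(render_field($escape($input))) === $input;
}

$sample = "o'neil <b>\"x\"";   // constructed input: both quote styles plus markup

foreach (['escape_weak', 'escape_attr'] as $fn) {
    printf("%-12s %-40s round-trip: %s\n", $fn, $fn($sample),
        round_trips($fn, $sample) ? 'ok' : 'BROKEN');
}
```

A round-trip check like this can run as a unit test for every template context that reflects user input, so a change of quoting style or escaping flags is caught before deployment.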
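
For Part 2, the usual server-side countermeasure to the cross-site request in attack B is a per-session token that the transfer handler verifies. This is an added example, not StockBank's code: the session key, the form field csrf_token, the handler and the request values are hypothetical, and sessions are plain arrays so the script runs from the command line.

```php
<?php
// Added example for Part 2, not StockBank code. Session key, form field and
// handler names are hypothetical; request data below is constructed.

// One random token per session, created on first use.
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field to embed in every state-changing form (transfer, profile save).
function csrf_field(array &$session): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison; a missing or non-string field fails closed.
function csrf_valid(array $session, array $post): bool {
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

function handle_transfer(array $session, string $method, array $post): string {
    if ($method !== 'POST') {
        return '405 state changes must use POST';
    }
    if (!csrf_valid($session, $post)) {
        return '403 CSRF token missing or wrong';
    }
    return '200 transfer of ' . (int)$post['amount'] . ' to ' . $post['to'];
}

$session = [];                      // constructed: a logged-in user's session
$token = csrf_token($session);

// A form served by the site itself carries the token.
echo handle_transfer($session, 'POST',
    ['to' => 'bob', 'amount' => '10', 'csrf_token' => $token]), "\n";
// A form on another origin cannot read the token, so none arrives.
echo handle_transfer($session, 'POST', ['to' => 'bob', 'amount' => '10']), "\n";
// A transfer triggered by a plain GET is refused outright.
echo handle_transfer($session, 'GET', ['to' => 'bob', 'amount' => '10']), "\n";
```

The token only separates the site's own pages from other origins. Script that already runs inside a StockBank page, as in attack D, can read the token from the form, so that case has to be closed by fixing the profile sanitizer.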

