CS 161 Computer Security Spring 2010 Paxson Wagner Project 3 Last updated 04 16 2010 10 21pm Due Thursday April 29 11 59pm StockBank is a stock management web application hosted at http lilac cs berkeley edu which allows registered users to post profiles buy stocks and transfer them to each other Each registered user starts with a balance of 10 000 dollars to buy stocks with In this project your task will be to construct 4 different attacks against the StockBank web site WARNING You will be executing real attacks on a real web site served from a real machine You must limit yourselves to the attacks assigned and you must not attempt to execute malicious code shell code native code etc on the server You must not attempt to compromise any of the user accounts on the server or explore its file system All of the attacks you will be executing are attacks on other users of the web application not on users of the machine hosting the application Additionally you must not attempt to DoS the server or prevent other students from working on the project in any way Getting Started Begin by exploring the StockBank application hosted at http lilac cs berkeley edu Next download and browse through the source code that the server is running A tarball containing this code can be found at http inst eecs berkeley edu cs161 sp10 projects proj3 code tgz Although many real world attackers do not have the source code for the web sites they are attacking you are one of the privileged ones Collaboration You may work with at most one other person on this project If you are in need of a partner please use the newsgroup to find one You may not collaborate with any students other than your partner You may share general information on web technologies e g JavaScript HTML PHP if it is not specific to the questions on this project but you must not share tips advice hints etc on how to solve any of the questions on this project with anyone other than your partner You and your partner must write up solutions entirely on your own The two of you may work together to jointly write the solution the two of you will submit but no one else may help you You must never read or copy the solutions of any other students and you must not share your own solutions not even partial CS 161 Spring 2010 Project 3 1 solutions with students other than your partner Submissions and Grading Like Projects 1 and 2 all submissions for this project will be electronic You will submit 7 bit ASCII text files named a txt and d txt for parts a and d respectively You will submit HTML documents named b html and c html for parts b and c respectively The submission system will accept and grade any subset of these files You must also include a file named collaborators txt in your submission which must contain a whitespace delimited list of the logins e g cs161 xy of both members of your group It does not matter which student in the group submits All questions for this project will be graded completely automatically by a continuously running autograder Each iteration of the autograder s loop will grade in order of submission time all the submissions it has not yet graded The loop sleeps between iterations so you should not expect immediate feedback from the autograder Unlike in Project 2 you may submit your code for autograding as many times as you like Feedback from the autograder will come in the form of email to your class account and to that of your partner if applicable Instructions on how to retrieve email delivered to this account can be found here http inst eecs berkeley edu connecting html email Timestamps reported by the autograder are in UTC not local time You can subtract 7 hours from UTC to get Pacific Daylight Time Constructing Your Attacks Testing site vs grading site We have set up two copies of the web application a testing site and a grading site You will use the testing site which is at at http lilac cs berkeley edu You may freely try out attacks using the testing site In contrast the autograder will be grading your attacks using the grading site which is at http lilac cs berkeley edu grading You cannot access the grading site but the attacks you submit must be designed to work on the grading site not the testing site Your submitted attacks will not pass the autograder s tests if they are designed to work against the testing site Payload recipient Some of the attacks ask you to steal some private information and send it off somewhere In attack A you will steal a cookie and send it somewhere while attack C involves sending a username and password somewhere In a real attack you would send these payloads off to yourself so that you would receive the credentials In this project however you re going to craft your attack to submit this information to a web site Where should the private information be sent We have set up a special web page where you can submit this information so you can see whether your attack is working During testing you may submit the private information to http lilac cs berkeley edu log php The private information should be passed in a query string parameter named payload For instance if your attack script has found out that the secret password was abc123 then your attack could make an HTTP request to the URL http lilac cs berkeley edu log php payload abc123 On the test site the one you have access to the log php script simply outputs the payload it gets so that you can check that it is what you expect it to be That s how to test out your attack CS 161 Spring 2010 Project 3 2 Once your attack is working against the test site you will need to modify it so it will work with the grading site For autograding your solution needs to submit the private information to a different URL namely to http lilac cs berkeley edu grading log php For example the attack might make a HTTP request to http lilac cs berkeley edu grading log php payload abc123 to demonstrate to the autograding script that you managed to learn the secret value abc123 On the autograding site the payload will be logged to a file that the autograder will use while it is grading your attack Once you get your attack working against the test site make sure to change the logging URL to point to the grading site before submitting your solution for grading Browser We will grade your project with default settings using Mozilla Firefox 3 6 3 the latest version as of the date this project was released We chose this browser for grading because it is widely available and can
View Full Document
Unlocking...