Berkeley COMPSCI 161 - Project 3

This preview shows page 1-2 out of 6 pages.


CS 161 Computer Security
Spring 2010 Paxson/Wagner Project 3
Last updated: 04/16/2010 10:21pm
Due Thursday, April 29, 11:59pm

StockBank is a stock management web application, hosted at http://lilac.cs.berkeley.edu/, which allows registered users to post profiles, buy “stocks” and transfer them to each other. Each registered user starts with a balance of 10,000 “dollars” to buy stocks with. In this project, your task will be to construct 4 different attacks against the StockBank web site.

WARNING

You will be executing real attacks on a real web site served from a real machine. You must limit yourselves to the attacks assigned, and you must not attempt to execute malicious code (shell code, native code, etc.) on the server. You must not attempt to compromise any of the user accounts on the server or explore its file system. All of the attacks you will be executing are attacks on other users of the web application, not on users of the machine hosting the application. Additionally, you must not attempt to DoS the server or prevent other students from working on the project in any way.

Getting Started

Begin by exploring the StockBank application hosted at http://lilac.cs.berkeley.edu/. Next, download and browse through the source code that the server is running. A tarball containing this code can be found at http://inst.eecs.berkeley.edu/~cs161/sp10/projects/proj3-code.tgz. Although many real-world attackers do not have the source code for the web sites they are attacking, you are one of the privileged ones.

Collaboration

You may work with at most one other person on this project. If you are in need of a partner, please use the newsgroup to find one.

You may not collaborate with any students other than your partner. You may share general information on web technologies (e.g., JavaScript, HTML, PHP) if it is not specific to the questions on this project, but you must not share tips, advice, hints, etc. on how to solve any of the questions on this project with anyone other than your partner.

You and your partner must write up solutions entirely on your own. The two of you may work together to jointly write the solution the two of you will submit, but no one else may help you. You must never read or copy the solutions of any other students, and you must not share your own solutions—not even partial solutions—with students other than your partner.

Submissions and Grading

Like Projects 1 and 2, all submissions for this project will be electronic. You will submit (7-bit ASCII) text files named a.txt and d.txt for parts (a) and (d) respectively. You will submit HTML documents named b.html and c.html for parts (b) and (c) respectively. The submission system will accept and grade any subset of these files. You must also include a file named collaborators.txt in your submission, which must contain a whitespace-delimited list of the logins (e.g., “cs161-xy”) of both members of your group. It does not matter which student in the group submits.

All questions for this project will be graded completely automatically by a continuously-running autograder. Each iteration of the autograder’s loop will grade (in order of submission time) all the submissions it has not yet graded. The loop sleeps between iterations, so you should not expect immediate feedback from the autograder. Unlike in Project 2, you may submit your code for autograding as many times as you like.

Feedback from the autograder will come in the form of email to your class account (and to that of your partner, if applicable). Instructions on how to retrieve email delivered to this account can be found here: http://inst.eecs.berkeley.edu/connecting.html#email. Timestamps reported by the autograder are in UTC, not local time. You can subtract 7 hours from UTC to get Pacific Daylight Time.

Constructing Your Attacks

Testing site vs. grading site

We have set up two copies of the web application, a testing site and a grading site. You will use the testing site, which is at http://lilac.cs.berkeley.edu/. You may freely try out attacks, using the testing site. In contrast, the autograder will be grading your attacks using the grading site, which is at http://lilac.cs.berkeley.edu/grading/. You cannot access the grading site, but the attacks you submit must be designed to work on the grading site, not the testing site. Your submitted attacks will not pass the autograder’s tests if they are designed to work against the testing site.

Payload recipient

Some of the attacks ask you to steal some private information and send it off somewhere. In attack A, you will steal a cookie and send it somewhere, while attack C involves sending a username and password somewhere. In a real attack, you would send these payloads off to yourself so that you would receive the credentials. In this project, however, you’re going to craft your attack to submit this information to a web site.

Where should the private information be sent? We have set up a special web page where you can submit this information, so you can see whether your attack is working. During testing, you may submit the private information to http://lilac.cs.berkeley.edu/log.php. The private information should be passed in a query string parameter named payload. For instance, if your attack script has found out that the secret password was abc123, then your attack could make an HTTP request to the URL http://lilac.cs.berkeley.edu/log.php?payload=abc123. On the test site (the one you have access to), the log.php script simply outputs the payload it gets so that you can check that it is what you expect it to be. That’s how to test out your attack.

Once your attack is working against the test site, you will need to modify it so it will work with the grading site. For autograding, your solution needs to submit the private information to a different URL: namely, to http://lilac.cs.berkeley.edu/grading/log.php. For example, the attack might make an HTTP request to http://lilac.cs.berkeley.edu/grading/log.php?payload=abc123 to demonstrate to the autograding script that you managed to learn the secret value abc123. On the autograding site, the payload will be logged to a file that the autograder will use while it is grading your attack. Once you get your attack working against the test site, make sure to change the logging URL to point to the grading site before submitting your solution for grading.

Browser

We will grade your project with default settings using Mozilla Firefox 3.6.3
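
The submission rules above (allowed file names, 7-bit ASCII for a.txt and d.txt, the collaborators.txt list, and URLs that point at the grading site rather than the testing site) can be checked mechanically before submitting. The Python check below is an added example, not part of the original handout or the course autograder; the name check_submission, the login pattern generalized from the "cs161-xy" example, and the sample files are assumptions constructed here.

```python
import re
from urllib.parse import urlsplit

ALLOWED = {"a.txt", "b.html", "c.html", "d.txt", "collaborators.txt"}
ASCII_ONLY = {"a.txt", "d.txt"}              # handout: 7-bit ASCII text files
LOGIN_RE = re.compile(r"cs161-[a-z]{2,3}")   # assumed shape, from "cs161-xy"
# Any URL on the project host; no capture groups so findall returns whole URLs.
URL_RE = re.compile(r"http://lilac\.cs\.berkeley\.edu/[^\s\"'<>)]*")

def check_submission(files):
    """files maps file name -> bytes. Returns a list of problem strings."""
    problems = []
    if "collaborators.txt" not in files:
        problems.append("collaborators.txt: missing")
    for name, data in files.items():
        if name not in ALLOWED:
            problems.append(f"{name}: unexpected file name")
            continue
        if name == "collaborators.txt":
            logins = data.decode("ascii", "replace").split()
            if not 1 <= len(logins) <= 2:    # you plus at most one partner
                problems.append(f"{name}: expected 1 or 2 logins")
            for login in logins:
                if not LOGIN_RE.fullmatch(login):
                    problems.append(f"{name}: odd login {login!r}")
            continue
        if name in ASCII_ONLY and any(b > 0x7F for b in data):
            problems.append(f"{name}: contains non 7-bit ASCII bytes")
        # Every project-host URL must live under /grading/ in a submission.
        for url in URL_RE.findall(data.decode("utf-8", "replace")):
            if not urlsplit(url).path.startswith("/grading/"):
                problems.append(f"{name}: {url} targets the testing site")
    return problems

# Constructed sample: a.txt still uses the handout's testing-site example URL,
# and d.txt contains a non-ASCII character.
SAMPLE = {
    "a.txt": b"http://lilac.cs.berkeley.edu/log.php?payload=abc123\n",
    "d.txt": "caf\u00e9\n".encode("utf-8"),
    "collaborators.txt": b"cs161-xy cs161-ab\n",
}

if __name__ == "__main__":
    for line in check_submission(SAMPLE):
        print(line)
```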

