Go up to the main DADA homeworks page (md)
There are three parts to this assignment. As part of this assignment, you will have to create a document, called websecurity.pdf, and submit that file. We aren't looking for any fancy write-up - just an explanation of what you did, and the results you got. That being said, it should be legible. So make sure you indicate what answers are for what questions, etc.
Your final report should be a PDF file. It need not be long, but it must answer the questions posed below.
First, you should be familiar with SQL and SQL injection attacks. For review, look at the first half of the SQL & XSS slide set.
View the page at https://libra.cs.virginia.edu/~insecure/sqlinjection.php - note that you will have to log in via Netbadge to view this page. From this page, you will need to execute an SQL injection attack. Note that the only confidential data in that database is the names and userids of the participants, and all of that information is considered "public" knowledge to the participants of the course (FERPA allows release of names; all students in this course are in the UVa LDAP server, and the ID numbers were randomly generated).
Your task is to execute at least two SQL injection attacks using this page. The first is a read-only attack, and from it you must obtain a piece of 'secret' information that is not otherwise displayed from the script. For the second, you must make a modification to your entry in the table. What modification you make is up to you. However, the grade listed in the DB after this assignment is completed will be the grade you receive on this part of the assignment.
In your report, you should list the following:
YOU MAY NOT EXECUTE A DROP TABLE OR TRUNCATE TABLE OR DELETE COMMAND. Doing so is an honor violation. Or any other command that interferes with other students completing their assignment. This includes updating anybody else's grade. I don't want to have to go and repair the database because somebody executed this command.
Honor pledge details: you are given permission to execute an SQL injection attack against particular URL for this assignment, as long as the attack does NOT contain a 'drop table', 'truncate', or 'delete' command, or a command that intentionally interferes with other students completing their assignment, or a command that updates another student's grade.
Lastly, please note that all entries are logged (and are not logged in the DB!). Thus, if the DB is later erased, we can verify that you did (or did not!) properly execute the SQL injection attack.
NOTE: Some modern browsers have anti-XSS capability built in that prevents this type of attack. So if things are working, try a different browser. Chrome, in particular, does not work well with this type of attack, but Firefox is fine.
First, you should be familiar with Javascript and cross-site scripting attacks. For review, look at the second half of the SQL & XSS slide set.
View the page at https://libra.cs.virginia.edu/~insecure/xss.php - again, you will have to log in via Netbadge to view that page. From this page, you will need to execute multiple XSS attacks, described below. Also note that the the account number (which you will need to obtain) is a randomly set number - it is set the first time you access the page, stored in a cookie, and not changed again. But if you try it from a different computer, you will see a separate account number.
There are six XSS attacks that you must do against this page. While it seems like a lot, it's really only three separate XSS attacks, and one of them is exactly from the slide set. So, really, you just have two XSS attacks to perform.
In your report, you should list the following:
A few notes:
\n to represent returns. When submitting it via GET variable (i.e. in the URL), you should enter '%0a' for a return. Note that the conversion script (above) may not convert the returns properly - you may have to do that manuallyHonor pledge details: you are given permission to execute XSS attacks against this particular URL for this assignment.
For this part, we are going to 'listen' to network traffic, and see what interesting information we can find. We will use a UNIX utility called tcpdump. This utility will print out all the network traffic on a given interface. tcpdump must be run as root; thus, you probably cannot run it on any UVa server. You can download the tcpdump.zip file from Collab's resources -- that file is NOT in this repo due to it's size. This file contains a dump of a tcpdump session. We will be analyzing this file.
This file contains my password, so I wanted to ensure that it was properly protected, and I used a 6-character ZIP file password on it. It's your job to crack that password. While you can use any ZIP file password cracker that is out there (and there are lots!), we recommend fcrackzip, which you can install on your Linux VirtualBox image via sudo apt-get install fcrackzip. Note that you will need to understand what it does - just running it with very few parameters will just spew out gibberish to the screen.
A packet sniffing utility would run tcpdump, and parse the contents in real-time. We can do this using something as simple as lex, although more advanced programs (including parsers like yacc or bison) would be more effective. For this assignment, you won't need to write a program, but can instead just search for the data using any text-search mechanism (including opening it up in your favorite editor and searching the data). The data was collected using the following command:
tcpdump -A -l -s 10000 -i eth0The command line switches do the following:
-A causes the packets to be printed in ASCII (as opposed to binary or hex, which are other command-line switches)-s 10000 causes the maximum printed packet to be 10,000 bytes - if not set, it will only print the first 64 bytes of each packet-i eth0 causes it to 'listen' to the first (and, in this case, only) Ethernet connection. If you have multiple network connections, this will allow you to monitor only one. You could set this to listen to the wireless connection, or to all connections.Many of the pages returned by tcpdump are compressed to save network bandwidth. This is particularly relevant for popular sites that send a lot of data, such as Facebook or CNN. You can see this in the packet by the 'Content-Encoding: gzip' header. One can easily write the data to file, reverse the base-64 encoding, and the un-gzip it (and there are programs that do just that). For this assignment, we'll be looking just at the non-compressed data.
You will need to analyze the tcpdump.txt file. Download the tcpdump.zip file from Collab's resources -- that file is NOT in this repo due to it's size. In your report, you need to answer the following questions:
gemini.http-alt (here http-alt means an alternative to http) - see the example packet explanation, below. The http-alt port is 8080 -- you can find this out by looking in /etc/services, which maps port names (such as http-alt) to port numbers. We aren't interested in port numbers above 10,000.A given packet could look like the following.
10:31:35.293018 IP gemini.http-alt > pegasus.58878: Flags [P.], seq 4642:4790, ack 2176, win 80, options [nop,nop,TS val 43850520 ecr 38675081], length 148
E`....@.9.....E..........O.........P.......
.....N".st">
<p>Please enter your UVa userid to obtain your balance: <input type="text" name="userid"
></p>
<input type="submit">
</form>
<hr>
</html>This packet was sent at 10:31:35 from gemini (aka gemini.cs.virginia.edu) to pegasus (my home computer). It was a http connection (the 'http-alt' means the alternative http port that gemini uses) - so it was sending data. In fact, this is the last half of the SQL injection attack web page that you used above in part 2.
The uncompressed tcpdump file is 16 Mb. Thus, it may have problems opening in Notepad. And just doing Notepad-style searches for all the answers to the above questions will not get you very far - you certainly aren't going to be able to find out all the protocols via searching through Notepad for each packet header (some of the questions may be answered via that type of search, though). The UNIX utility grep will be your friend here. Consider the following, which you type from the UNIX command line.
grep gemini tcpdump.txtThis will search the tcpdump.txt file for all occurrences of gemini. While it returns 375 lines, that is still only 8% of the entire length of the tcpdump.txt file. You can also use 'egrep', which allows you to enter a regular expression. Consider the following.
egrep "\[a-z\]\[4\]\[4\]+" tcpdump.txtThis takes in the regular expression [a-z][4][4]+, and searches for all occurrences of it in the file (there are 20). Make sure you put your double quotes around the regular expression.
Lastly, note that 'sextans' is the name of one of my routers (all my machines are named after constellations). So when you see data being transfered between sextans and another host, that's between my computer and said host.
Honor pledge details: you are given permission to search the tcpdump.txt file to answer the above questions for this assignment. After that, you will need to delete the file.
You should submit a file called websecurity.pdf. Answers to all the above questions should be in that file.