ICS: Programming Homework: SQL, CSRF, and XSS


Introduction

There are three parts to this assignment. As part of this assignment, you will have to create a document, called mst3k-websecurity.pdf (where mst3k is your userid), and submit that file. We aren’t looking for any fancy write-up - just an explanation of what you did, and the results you got. That being said, it should be legible. So make sure you indicate what answers are for what questions, etc.

Your final report should be a PDF file. It need not be long, but it must answer the questions posed below. However, it must be EXACTLY three pages, with each of the three parts on its own page (SQL on page 1, XSS on page 2, and CSRF on page 3).

Changelog

Any changes to this page will be put here for easy reference. Typo fixes and minor clarifications are not listed here. So far there aren’t any significant changes to report.

Part 1: SQL Injection Attack

First, you should be familiar with SQL and SQL injection attacks. For review, look at the first half of the SQL, XSS, and CSRF slide set.

I’ve already determined your grades for this part! And you all got an F. So sorry! Those grades have been stored in a database. Whatever grade is in that database at the end of this assignment is your grade for this part.

View SQL injection attack web page, the URL of which is shown on the Canvas landing page - note that you will have to log in via Netbadge to view this page. From this page, you will need to execute an SQL injection attack. Note that the only confidential data in that database is the names and userids of the participants, and all of that information is considered “public” knowledge to the participants of the course (FERPA allows release of names; all students in this course are in the UVa LDAP server, and the ID numbers were randomly generated).

Your task is to execute at least two SQL injection attacks using this page. The first is a read-only attack, and from it you must obtain a piece of hidden information that is not otherwise displayed from the script. For the second, you must make a modification to your entry in the table. What modification you make is up to you. However, the grade listed in the DB after this assignment is completed will be the grade you receive on this part of the assignment.

A note about comments: the slides stated that -- (dash-dash-space) was how you start a comment in SQL, analogous to // in C++. If that doesn’t work (it varies by SQL version), try just -- (dash-dash).
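As an added example (not code from the course’s injection page), the lookup below uses a constructed in-memory SQLite table standing in for the grade database; the table name, columns and rows are assumptions. It shows how a quote followed by the comment marker described above cuts off the rest of a concatenated statement, and how binding the value as a parameter instead makes the same input inert.

```python
import sqlite3


def make_grade_db():
    # Constructed stand-in for the course grade table (hypothetical schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE grades (userid TEXT PRIMARY KEY, grade TEXT, released INTEGER)")
    conn.executemany("INSERT INTO grades VALUES (?, ?, ?)",
                     [("mst3k", "F", 0), ("abc1d", "A", 1)])
    conn.commit()
    return conn


def released_grade_unsafe(conn, userid):
    # The user's text is pasted into the statement. A quote plus a comment
    # marker in it turns "' AND released = 1" into a comment, so the
    # 'released' filter silently disappears and hidden rows become visible.
    sql = "SELECT grade FROM grades WHERE userid = '" + userid + "' AND released = 1"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def released_grade_safe(conn, userid):
    # Parameterised query: the driver binds userid as a value, so quotes and
    # "--" inside it are ordinary characters and the filter always applies.
    sql = "SELECT grade FROM grades WHERE userid = ? AND released = 1"
    row = conn.execute(sql, (userid,)).fetchone()
    return row[0] if row else None
```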

In your report, you should list the following:

YOU MAY NOT EXECUTE A DROP TABLE, TRUNCATE TABLE, OR DELETE COMMAND. Doing so is an honor violation, as is executing any other command that interferes with other students completing their assignment. This includes updating anybody else’s grade. I don’t want to have to go and repair the database because somebody executed such a command.

Honor pledge details: you are given permission to execute an SQL injection attack against the particular URL for this assignment, as long as the attack does NOT contain a ‘drop table’, ‘truncate’, or ‘delete’ command, or a command that intentionally interferes with other students completing their assignment, or a command that updates another student’s grade.

Lastly, please note that all entries are logged (and are not logged in the DB!). Thus, if the DB is later erased, we can verify that you did (or did not!) properly execute the SQL injection attack.

Part 2: Cross-site Scripting Attack

NOTE: Some modern browsers have anti-XSS capability built in that prevents this type of attack. So if things aren’t working, try a different browser. Chrome, in particular, does not work well with this type of attack, but Firefox is fine.

First, you should be familiar with Javascript and cross-site scripting attacks. For review, look at the SQL, XSS, and CSRF slide set.

View XSS attack web page, the URL of which is shown on the Canvas landing page - again, you will have to log in via Netbadge to view that page. From this page, you will need to execute multiple XSS attacks, described below. Also note that the account number (which you will need to obtain) is a randomly set number - it is set the first time you access the page, stored in a cookie, and not changed again. But if you try it from a different computer, you will see a separate account number.

There are six XSS attacks that you must do against this page. While it seems like a lot, it’s really only three separate XSS attacks, and one of them is exactly from the slide set. So, really, you just have two XSS attacks to perform.

  1. Perform an XSS attack that will change the account balance to a sufficient quantity to make the purchase. This should be done via a posting to the web form.
  2. Perform the same XSS attack as above, but via a GET variable (i.e. via a URL).
  3. Perform an XSS attack that will display the account number to the screen. This must read the Javascript variable and display it, and should be done via a posting to the web form.
  4. Perform the same XSS attack as above, but via a GET variable (i.e. via a URL).
  5. Perform an XSS attack that will display the account number to the screen. This must read the account number from a cookie in the web browser and display it, and should be done via a posting to the web form.
    • Note that a sophisticated XSS attack would send that account number somewhere over the network - we are just displaying it to the screen
  6. Perform the same XSS attack as above, but via a GET variable (i.e. via a URL).
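As an added example from the defender’s side (not the course’s XSS page, whose server code is not shown), the Python below is a constructed page renderer: the first function splices a form or GET value straight into the HTML, the second encodes it so it is rendered as text, and the third issues the account-number cookie with HttpOnly so page scripts cannot read it through document.cookie (the route attacks 5 and 6 above rely on). Field names and values are assumptions.

```python
import html
from http.cookies import SimpleCookie


def show_balance_unsafe(name, balance):
    # The submitted value becomes part of the document, so any markup or
    # script in it is parsed and executed by the visitor's browser.
    return "<p>Account holder " + name + ": balance $" + str(balance) + "</p>"


def show_balance_safe(name, balance):
    # html.escape turns <, >, &, " and ' into entities, so the value is shown
    # as text whether it arrived via the form (POST) or via the URL (GET).
    return ("<p>Account holder " + html.escape(name, quote=True)
            + ": balance $" + str(int(balance)) + "</p>")


def account_cookie_header(account_number):
    # HttpOnly: the browser still sends the cookie with requests, but
    # document.cookie no longer exposes it to injected scripts.
    # SameSite=Strict additionally keeps it off cross-site requests.
    c = SimpleCookie()
    c["account"] = str(int(account_number))
    c["account"]["httponly"] = True
    c["account"]["samesite"] = "Strict"
    return c["account"].OutputString()
```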

In your report, you should list the following:

A few notes:

Honor pledge details: you are given permission to execute XSS attacks against this particular URL for this assignment.

Part 3: Cross-site Request Forgery Attack

View CSRF attack web page, the URL of which is shown on the Canvas landing page - again, you will have to log in via Netbadge to view that page. From this page, you will need to execute multiple CSRF attacks, described below.

Your goal is to transfer $200 to ‘mallory’ via that URL. This must be done two ways:

Now try visiting the site but add ?token to the end of the URL. This adds a CSRF token to the form. Unfortunately for this bank’s security, the token that was added is always the same. Perform the two CSRF attacks (via GET and via POST) against this variant URL. For the GET, your URL would be something like .../csrf.php?token&foo=bar&..., and for the POST, the action field of the form tag would have the csrf.php part be csrf.php?token.

In your write-up, show the two URLs used (for the two GET attacks) and the two HTML forms used (for the two POST attacks).

Honor pledge details: you are given permission to execute CSRF attacks against this particular URL for this assignment.

Submission

Your assignment PDF must be EXACTLY three pages, with each of the three parts on its own page (SQL on page 1, XSS on page 2, and CSRF on page 3).

You should submit a single PDF file to Gradescope. Answers to all the above questions should be in that file.