There are three parts to this assignment. As part of this assignment, you will have to create a document, called mst3k-websecurity.pdf
(where mst3k is your userid), and submit that file. We aren’t looking for any fancy write-up - just an explanation of what you did, and the results you got. That being said, it should be legible. So make sure you indicate what answers are for what questions, etc.
Your final report should be a PDF file. It need not be long, but it must answer the questions posed below. However, it must be EXACTLY three pages, with each of the three parts on its own page (SQL on page 1, XSS on page 2, and CSRF on page 3).
Any changes to this page will be put here for easy reference. Typo fixes and minor clarifications are not listed here. So far there aren’t any significant changes to report.
First, you should be familiar with SQL and SQL injection attacks. For review, look at the first half of the SQL, XSS, and CSRF slide set.
I’ve already determined your grades for this part! And you all got an F. So sorry! Those grades have been stored in a database. Whatever grade is in that database at the end of this assignment is your grade for this part.
View SQL injection attack web page, the URL of which is shown on the Canvas landing page - note that you will have to log in via Netbadge to view this page. From this page, you will need to execute an SQL injection attack. Note that the only confidential data in that database is the names and userids of the participants, and all of that information is considered “public” knowledge to the participants of the course (FERPA allows release of names; all students in this course are in the UVa LDAP server, and the ID numbers were randomly generated).
Your task is to execute at least two SQL injection attacks using this page. The first is a read-only attack, and from it you must obtain a piece of hidden information that is not otherwise displayed from the script. For the second, you must make a modification to your entry in the table. What modification you make is up to you. However, the grade listed in the DB after this assignment is completed will be the grade you receive on this part of the assignment.
A note about comments: the slides stated that ‘-- ’ (dash-dash-space) was how you start a comment in SQL, analogous to ‘//’ in C++. If that doesn’t work (it varies by SQL version), try just ‘--’ (dash-dash).
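To see why the comment sequence matters, here is an added example (not part of the assignment page or its scripts) using an in-memory SQLite table with constructed sample rows. A string-concatenated lookup lets a quoted input followed by a comment sequence swallow the rest of the query, while the same lookup with a bound parameter treats the input as a plain value. The last helper probes which comment sequences the engine actually honours, which is the point the note makes about it varying by SQL version (SQLite accepts both ‘--’ forms and rejects ‘#’).

```python
import sqlite3

# Constructed sample data for the demonstration; not the course database.
SAMPLE_ROWS = [
    ("mst3k", "Joel Robinson", "F"),
    ("abc1d", "Tom Servo", "F"),
]


def make_db():
    """Builds a throwaway in-memory table shaped like a grades table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE grades (userid TEXT, name TEXT, grade TEXT)")
    conn.executemany("INSERT INTO grades VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, userid):
    """Concatenates the input into the SQL text, so the input is parsed as SQL.

    An input of x' OR 1=1 --  turns the WHERE clause into
    userid = 'x' OR 1=1 -- ' and the comment hides the trailing quote."""
    sql = "SELECT userid, name, grade FROM grades WHERE userid = '" + userid + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, userid):
    """Binds the input as a parameter, so it can only ever be a value."""
    sql = "SELECT userid, name, grade FROM grades WHERE userid = ?"
    return conn.execute(sql, (userid,)).fetchall()


def comment_sequence_works(conn, seq):
    """Reports whether SEQ starts a line comment in this engine.

    If the trailing text is ignored the statement parses and returns 1;
    otherwise the engine raises a syntax error."""
    try:
        rows = conn.execute("SELECT 1 " + seq + " this text must be ignored").fetchall()
        return rows == [(1,)]
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR 1=1 -- "
    print("concatenated :", lookup_vulnerable(conn, probe))
    print("parameterized:", lookup_parameterized(conn, probe))
    for seq in ("-- ", "--", "#"):
        print(repr(seq), "is a comment here:", comment_sequence_works(conn, seq))
```

The defensive lesson is the second function: once the value is bound rather than spliced into the statement, no choice of comment sequence changes what the query does.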
In your report, you should list the following:
YOU MAY NOT EXECUTE A DROP TABLE OR TRUNCATE TABLE OR DELETE COMMAND. Doing so is an honor violation. Or any other command that interferes with other students completing their assignment. This includes updating anybody else’s grade. I don’t want to have to go and repair the database because somebody executed this command.
Honor pledge details: you are given permission to execute an SQL injection attack against particular URL for this assignment, as long as the attack does NOT contain a ‘drop table’, ‘truncate’, or ‘delete’ command, or a command that intentionally interferes with other students completing their assignment, or a command that updates another student’s grade.
Lastly, please note that all entries are logged (and are not logged in the DB!). Thus, if the DB is later erased, we can verify that you did (or did not!) properly execute the SQL injection attack.
NOTE: Some modern browsers have anti-XSS capability built in that prevents this type of attack. So if things aren’t working, try a different browser. Chrome, in particular, does not work well with this type of attack, but Firefox is fine.
First, you should be familiar with Javascript and cross-site scripting attacks. For review, look at the SQL, XSS, and CSRF slide set.
View XSS attack web page, the URL of which is shown on the Canvas landing page - again, you will have to log in via Netbadge to view that page. From this page, you will need to execute multiple XSS attacks, described below. Also note that the account number (which you will need to obtain) is a randomly set number - it is set the first time you access the page, stored in a cookie, and not changed again. But if you try it from a different computer, you will see a separate account number.
There are six XSS attacks that you must do against this page. While it seems like a lot, it’s really only three separate XSS attacks, and one of them is exactly from the slide set. So, really, you just have two XSS attacks to perform.
In your report, you should list the following:
A few notes: use ‘\n’ to represent returns. When submitting it via GET variable (i.e. in the URL), you should enter ‘%0a’ for a return. Note that the conversion script (above) may not convert the returns properly - you may have to do that manually.
Honor pledge details: you are given permission to execute XSS attacks against this particular URL for this assignment.
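Two points in this section are easy to check offline: the browser note (a browser’s XSS filter is not a defense the page author controls; escaping on the server works in every browser) and the ‘%0a’ note (how a return travels inside a GET variable). This added example, which is not part of the assignment page or its scripts, renders a constructed message both unescaped and escaped, and builds and decodes a GET URL so the newline encoding can be seen. The template and the hypothetical ‘xss.php’ base URL are assumptions.

```python
import html
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed page template: the server drops the last submitted message into a paragraph.
PAGE_TEMPLATE = "<p>Last message: {body}</p>"


def render_unsafe(message):
    """Interpolates untrusted text straight into the HTML (the defect XSS relies on)."""
    return PAGE_TEMPLATE.format(body=message)


def render_escaped(message):
    """Escapes <, >, &, and quotes so the text is displayed rather than parsed as markup.

    This happens on the server, so it does not depend on which browser the
    visitor uses or whether that browser has an anti-XSS filter."""
    return PAGE_TEMPLATE.format(body=html.escape(message, quote=True))


def contains_raw_script(rendered):
    """Crude check: does the rendered page still contain a live script tag?"""
    return "<script" in rendered.lower()


def build_get_url(base, params):
    """URL-encodes form fields for a GET request; a return becomes %0A.

    urlencode emits upper-case hex; the page's '%0a' decodes to the same byte."""
    return base + "?" + urlencode(params)


def decode_get_url(url):
    """Decodes the query string the way the receiving script would see it."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    # Constructed probe string: a harmless script tag used only to show the escaping.
    probe = "<script>alert(1)</script>"
    print(render_unsafe(probe))
    print(render_escaped(probe))
    url = build_get_url("https://example.invalid/xss.php", {"msg": "line one\nline two"})
    print(url)
    print(decode_get_url(url))
```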
View CSRF attack web page, the URL of which is shown on the Canvas landing page - again, you will have to log in via Netbadge to view that page. From this page, you will need to execute multiple CSRF attacks, described below.
Your goal is to transfer $200 to ‘mallory’ via that URL. This must be done two ways:
Now try visiting the site but add ‘?token’ to the end of the URL. This adds a CSRF token to the form. Unfortunately for this bank’s security, the token that was added is always the same. Perform the two CSRF attacks (via GET and via POST) against this variant URL. For the GET, your URL would be something like .../csrf.php?token&foo=bar&..., and for the POST, the ‘action’ field of the ‘form’ tag would have the ‘csrf.php’ part be ‘csrf.php?token’.
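The reason the ‘?token’ variant is still vulnerable is that a token only helps when the attacker cannot know it. This added example (not the course’s csrf.php, whose internals the page does not show) models two toy banks with the same transfer logic: one checks a constant token and accepts GET as well as POST, mirroring the variant described above; the other issues a random per-session token and only honours POST. A constructed forged request, of the kind an attacker page would auto-submit from a victim’s browser, succeeds against the first and is rejected by the second. Account names and balances are constructed.

```python
import hmac
import secrets


class Bank:
    """Toy account store; the transfer itself is identical in both variants."""

    def __init__(self):
        self.balances = {"alice": 1000, "mallory": 0}  # constructed accounts

    def _move(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            return "insufficient"
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        return "ok"


class ConstantTokenBank(Bank):
    """Mirrors the '?token' variant: every form carries the same token value."""

    TOKEN = "constructed-constant-token"

    def form_token(self, session_user):
        return self.TOKEN

    def handle(self, session_user, method, form):
        # Accepts GET or POST, and the only check is against a value everyone knows.
        if form.get("token") != self.TOKEN:
            return "rejected"
        return self._move(session_user, form["to"], int(form["amount"]))


class SessionTokenBank(Bank):
    """Per-session random token, compared in constant time, and POST only."""

    def __init__(self):
        super().__init__()
        self._tokens = {}  # session -> secret token, only ever placed in this site's own form

    def form_token(self, session_user):
        # Generated once per session; another origin cannot read it out of the victim's page.
        return self._tokens.setdefault(session_user, secrets.token_urlsafe(32))

    def handle(self, session_user, method, form):
        if method != "POST":
            return "rejected"  # a state change must not be reachable by a plain GET
        expected = self._tokens.get(session_user)
        supplied = form.get("token", "")
        if expected is None or not hmac.compare_digest(expected, supplied):
            return "rejected"
        return self._move(session_user, form["to"], int(form["amount"]))


def forged_request(method, token_guess):
    """Constructed request of the kind a cross-site page would submit on the victim's behalf."""
    return method, {"to": "mallory", "amount": "200", "token": token_guess}


if __name__ == "__main__":
    weak = ConstantTokenBank()
    method, form = forged_request("GET", ConstantTokenBank.TOKEN)
    print("constant token, forged GET :", weak.handle("alice", method, form), weak.balances)

    strong = SessionTokenBank()
    method, form = forged_request("POST", ConstantTokenBank.TOKEN)
    print("session token, forged POST :", strong.handle("alice", method, form), strong.balances)
    legit = {"to": "mallory", "amount": "200", "token": strong.form_token("alice")}
    print("session token, real form   :", strong.handle("alice", "POST", legit), strong.balances)
```

The forged request against the session-token bank fails not because the attacker guessed badly but because the token is bound to the victim’s session and never leaves the bank’s own origin; the GET rejection closes the first of the two attack routes on its own.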
In your write-up, show the two URLs used (for the two GET attacks), and the two HTML forms used (for the two POST attacks).
Honor pledge details: you are given permission to execute CSRF attacks against this particular URL for this assignment.
Your assignment PDF must be EXACTLY three pages, with each of the three parts on its own page (SQL on page 1, XSS on page 2, and CSRF on page 3).
You should submit a single PDF file to Gradescope. Answers to all the above questions should be in that file.