hw-sql-xss-csrf-tabbed.html
120 lines (115 loc) · 12.6 KB
<!DOCTYPE html>
<html xmlns='http://www.w3.org/1999/xhtml' lang='' xml:lang=''>
<head>
<meta charset='utf-8'></meta>
<meta name='generator' content='pandoc'></meta>
<meta name='viewport' content='width=device-width, initial-scale=1.0, user-scalable=yes'></meta>
<title>ICS: Programming Homework: SQL, CSRF, and XSS</title>
<style>
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
span.underline{text-decoration: underline;}
div.column{display: inline-block; vertical-align: top; width: 50%;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
ul.task-list{list-style: none;}
.display.math{display: block; text-align: center; margin: 0.5rem auto;}
</style>
<link rel='stylesheet' href='../markdown.css'></link>
<script>
function openTab(evt, tabName) {
// Declare all variables
var i, tabcontent, tablinks;
// Get all elements with class="tabcontent" and hide them
tabcontent = document.getElementsByClassName("tabcontent");
for (i = 0; i < tabcontent.length; i++) {
tabcontent[i].style.display = "none";
}
// Get all elements with class="tablinks" and remove the class "active"
tablinks = document.getElementsByClassName("tablinks");
for (i = 0; i < tablinks.length; i++) {
tablinks[i].className = tablinks[i].className.replace(" active", "");
}
// Show the current tab, and add an "active" class to the button that opened the tab
document.getElementById(tabName).style.display = "block";
evt.currentTarget.className += " active";
}
</script>
</head>
<body>
<h1 id='ics-programming-homework-sql-csrf-and-xss'>ICS: Programming Homework: SQL, CSRF, and XSS</h1>
<p><a href='index.html'>Go up to the ICS HW page</a> (<a href='index.md'>md</a>) | <a href='hw-sql-xss-csrf.html'>view one-page version</a></p><div class='tab'>
<button class='tablinks' onclick="openTab(event,'tintroduction')" id='defaultOpen'>Introduction</button>
<button class='tablinks' onclick="openTab(event,'tchangelog')">Changelog</button>
<button class='tablinks' onclick="openTab(event,'tpart-1-sql-injection-attack')">SQL Injection Attack</button>
<button class='tablinks' onclick="openTab(event,'tpart-2-cross-site-scripting-attack')">Cross Site Scripting Attack</button>
<button class='tablinks' onclick="openTab(event,'tpart-3-cross-site-request-forgery-attack')">Cross Site Request Forgery Attack</button>
<button class='tablinks' onclick="openTab(event,'tsubmission')">Submission</button>
</div>
<div id='tintroduction' class='tabcontent'><h3 id='introduction'>Introduction</h3>
<p>There are three parts to this assignment. As part of this assignment, you will have to create a document, called <code>mst3k-websecurity.pdf</code> (where mst3k is your userid), and submit that file. We aren’t looking for any fancy write-up - just an explanation of what you did, and the results you got. That being said, it should be legible. So make sure you indicate what answers are for what questions, etc.</p>
<p>Your final report should be a PDF file. It need not be long, but it must answer the questions posed below. However, it must be EXACTLY three pages, with each of the three parts on its own page (SQL on page 1, XSS on page 2, and CSRF on page 3).</p>
</div><div id='tchangelog' class='tabcontent'><h3 id='changelog'>Changelog</h3>
<p>Any changes to this page will be put here for easy reference. Typo fixes and minor clarifications are not listed here. So far there aren’t any significant changes to report.</p>
</div><div id='tpart-1-sql-injection-attack' class='tabcontent'><h3 id='part-1-sql-injection-attack'>Part 1: SQL Injection Attack</h3>
<p>First, you should be familiar with SQL and SQL injection attacks. For review, look at the first half of the <a href='../slides/sql-xss-csrf.html#/'>SQL, XSS, and CSRF slide set</a>.</p>
<p>I’ve already determined your grades for this part! And you all got an F. So sorry! Those grades have been stored in a database. Whatever grade is in that database at the end of this assignment is your grade for this part.</p>
<p>View the SQL injection attack web page, the URL of which is shown on the Canvas landing page - note that you will have to log in via Netbadge to view this page. From this page, you will need to execute an SQL injection attack. Note that the only confidential data in that database is the names and userids of the participants, and all of that information is considered “public” knowledge to the participants of the course (FERPA allows release of names; all students in this course are in the <a href='http://www.virginia.edu/cgi-local/ldapweb?asb2t'>UVa LDAP server</a>, and the ID numbers were randomly generated).</p>
<p>Your task is to execute at least two SQL injection attacks using this page. The first is a read-only attack, and from it you must obtain a piece of hidden information that is not otherwise displayed from the script. For the second, you must make a modification to <strong>your entry</strong> in the table. What modification you make is up to you. However, the grade listed in the DB after this assignment is completed will be the grade you receive on this part of the assignment.</p>
<p>A note about comments: the slides stated that <code>-- </code> (dash-dash-space) was how you start a comment in SQL, analogous to <code>//</code> in C++. If that doesn’t work (it varies by SQL version), try just <code>--</code> (dash-dash).</p>
<p>In your report, you should list the following:</p>
<ul>
<li>The exact ‘userid’ that you entered for each of the attacks</li>
<li>The hidden information that you obtained</li>
<li>The modification that you made to the database</li>
<li>The <strong>exact</strong> time stamp for each of the attacks. This allows us to verify it against the log file. The time stamp is listed at the bottom of the page, and is the time stamp of the page that was served in response to your attack.</li>
</ul>
<p><strong>YOU MAY NOT EXECUTE A DROP TABLE OR TRUNCATE TABLE OR DELETE COMMAND</strong>, nor any other command that interferes with other students completing their assignment; this includes updating anybody else’s grade. Doing so is an honor violation. I don’t want to have to go and repair the database because somebody executed such a command.</p>
<p>Honor pledge details: you are given permission to execute an SQL injection attack against the particular URL for this assignment, as long as the attack does NOT contain a ‘drop table’, ‘truncate’, or ‘delete’ command, or a command that intentionally interferes with other students completing their assignment, or a command that updates another student’s grade.</p>
<p>Lastly, please note that all entries are logged (and the log is not kept in the DB!). Thus, if the DB is later erased, we can verify that you did (or did not!) properly execute the SQL injection attack.</p>
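<p>As an added example (not part of the assignment, and not the course’s own grading tooling), the kind of check a grader could run over the out-of-DB log mentioned above to reconcile the time stamps students report with the userid values actually submitted. The log line format and the sample lines are constructed for this example.</p>

```javascript
// Added example: scan a constructed submission log for injection attempts and
// for the commands the assignment forbids outright. Not the course's own tooling.
const FORBIDDEN = /\b(DROP|TRUNCATE|DELETE)\b/i;   // commands the page bans
const INJECTION_MARKERS = [
  { name: "quote",   re: /'/ },   // closes the string literal around the userid
  { name: "comment", re: /--/ },  // SQL comment, as discussed on the slides
  { name: "stacked", re: /;/ },   // a second statement appended to the first
];

// Constructed sample log: "<timestamp> userid=<value as submitted>".
// Course userids are computing IDs (e.g. mst3k), so a quote is never legitimate here.
const SAMPLE_LOG = [
  "2023-03-01T14:02:11Z userid=mst3k",
  "2023-03-01T14:05:42Z userid=mst3k' --",
  "2023-03-01T14:09:03Z userid=mst3k'; DROP TABLE sometable; --",
];

function parseLine(line) {
  const m = /^(\S+) userid=(.*)$/.exec(line);
  return m ? { ts: m[1], userid: m[2] } : null;
}

// Classify one submitted userid as "clean", "injection", or "forbidden".
function classify(userid) {
  if (FORBIDDEN.test(userid)) return "forbidden";
  if (INJECTION_MARKERS.some(m => m.re.test(userid))) return "injection";
  return "clean";
}

// Return every non-clean entry together with its time stamp, which is the
// value the page asks students to report, so a write-up can be matched to the log.
function scanLog(lines) {
  return lines
    .map(parseLine)
    .filter(Boolean)
    .map(e => ({ ...e, verdict: classify(e.userid) }))
    .filter(e => e.verdict !== "clean");
}
```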
</div><div id='tpart-2-cross-site-scripting-attack' class='tabcontent'><h3 id='part-2-cross-site-scripting-attack'>Part 2: Cross-site Scripting Attack</h3>
<p><strong>NOTE:</strong> Some modern browsers have anti-XSS capability built in that prevents this type of attack. So if things aren’t working, try a different browser. Chrome, in particular, does not work well with this type of attack, but Firefox is fine.</p>
<p>First, you should be familiar with Javascript and cross-site scripting attacks. For review, look at the <a href='../slides/sql-xss-csrf.html#/'>SQL, XSS, and CSRF slide set</a>.</p>
<p>View the XSS attack web page, the URL of which is shown on the Canvas landing page - again, you will have to log in via Netbadge to view that page. From this page, you will need to execute multiple XSS attacks, described below. Also note that the account number (which you will need to obtain) is a randomly set number - it is set the first time you access the page, stored in a cookie, and not changed again. But if you try it from a different computer, you will see a separate account number.</p>
<p>There are six XSS attacks that you must do against this page. While it seems like a lot, it’s really only three separate XSS attacks, and one of them is exactly from the slide set. So, really, you just have two XSS attacks to perform.</p>
<ol type='1'>
<li>Perform an XSS attack that will change the account balance to a quantity sufficient to make the purchase. This should be done via a posting to the web form.</li>
<li>Perform the same XSS attack as above, but via a GET variable (i.e. via a URL).</li>
<li>Perform an XSS attack that will display the account number to the screen. This must read the Javascript variable and display it, and should be done via a posting to the web form.</li>
<li>Perform the same XSS attack as above, but via a GET variable (i.e. via a URL).</li>
<li>Perform an XSS attack that will display the account number to the screen. This must read the account number from a cookie in the web browser and display it, and should be done via a posting to the web form.
<ul>
<li>Note that a sophisticated XSS attack would send that account number somewhere over the network - we are just displaying it to the screen</li>
</ul></li>
<li>Perform the same XSS attack as above, but via a GET variable (i.e. via a URL).</li>
</ol>
<p>In your report, you should list the following:</p>
<ul>
<li>The data used in your XSS attack, and whether it was a GET or POST attack</li>
<li>The ‘special’ thing that happens when you execute the attack well</li>
<li>The <strong>exact</strong> time stamp for each of the attacks. This allows us to verify it against the log file. The time stamp is listed at the bottom of the page, and is the time stamp of the page that was served in response to your attack.</li>
</ul>
<p>A few notes:</p>
<ul>
<li>You can use the script at <a href='https://meyerweb.com/eric/tools/dencoder/'>https://meyerweb.com/eric/tools/dencoder/</a> to encode your Javascript into URL-encoded text</li>
<li>When submitting an XSS attack via the submission of the form, you should enter <code>\n</code> to represent returns. When submitting it via GET variable (i.e. in the URL), you should enter ‘%0a’ for a return. Note that the conversion script (above) may not convert the returns properly - you may have to do that manually</li>
<li>To write some text from Javascript to the web page, use <code>document.write("foo");</code></li>
<li>To read a cookie in Javascript, print out the <code>document.cookie</code> variable</li>
<li>Typically, once you have the form posting, you will encode that using the encoder URL, and put that onto the XSS script URL setting the ‘userid’ variable to the URL-encoded text</li>
<li>Do not use the plus sign inside your script! This includes in the <code>document.write()</code> call. The server sees them as separating GET variables, when you want it to all be one variable.</li>
</ul>
<p>Honor pledge details: you are given permission to execute XSS attacks against this particular URL for this assignment.</p>
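<p>As an added example (not part of the assignment, and not the vulnerable page’s own code), the server-side fix that would defeat every attack listed above: the reflected <code>userid</code> value is output-encoded before it is pasted into the page, and the account cookie is marked <code>HttpOnly</code> so <code>document.cookie</code> cannot read it. The page template and cookie name are assumptions about the vulnerable page’s shape.</p>

```javascript
// Added example: output encoding for the reflected 'userid' value, and the
// cookie attribute that keeps the account number out of document.cookie.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for insertion into HTML element content or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Vulnerable rendering (assumed shape): the submitted userid is pasted straight
// into the page, so a userid containing markup becomes markup.
function renderUnsafe(userid) {
  return `<p>Welcome, ${userid}</p>`;
}

// Hardened rendering: the same template with the value encoded first.
function renderSafe(userid) {
  return `<p>Welcome, ${escapeHtml(userid)}</p>`;
}

// Did the rendered HTML gain any tag beyond the template's own <p> and </p>?
function introducesMarkup(html) {
  return (html.match(/</g) || []).length > 2;
}

// Cookie header for the account number: HttpOnly stops script from reading it
// (so attack 5 above would display nothing), Secure keeps it off plain HTTP,
// and SameSite limits cross-site sending. Cookie name is an assumption.
function accountCookieHeader(accountNumber) {
  return `account=${encodeURIComponent(accountNumber)}; HttpOnly; Secure; SameSite=Lax`;
}
```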
</div><div id='tpart-3-cross-site-request-forgery-attack' class='tabcontent'><h3 id='part-3-cross-site-request-forgery-attack'>Part 3: Cross-site Request Forgery Attack</h3>
<p>View the CSRF attack web page, the URL of which is shown on the Canvas landing page - again, you will have to log in via Netbadge to view that page. From this page, you will need to execute multiple CSRF attacks, described below.</p>
<p>Your goal is to transfer $200 to ‘mallory’ via that URL. This must be done two ways:</p>
<ul>
<li>Via GET variables, so that it’s an attack in a single URL. This URL could be hidden through a link, a picture, etc.</li>
<li>Via a form posting, which uses that URL as the ‘action’ value of the form.</li>
</ul>
<p>Now try visiting the site but add <code>?token</code> to the end of the URL. This adds a CSRF token to the form. Unfortunately for this bank’s security, the token that was added is always the same. Perform the two CSRF attacks (via GET and via POST) against this variant URL. For the GET, your URL would be something like <code>.../csrf.php?token&foo=bar&...</code>, and for the post, the <code>action</code> field of the <code>form</code> tag would have the <code>csrf.php</code> part be <code>csrf.php?token</code>.</p>
<p>In your write-up, show the two URLs used (for the two GET attacks) and the two HTML forms used (for the two POST attacks).</p>
<p>Honor pledge details: you are given permission to execute CSRF attacks against this particular URL for this assignment.</p>
</div><div id='tsubmission' class='tabcontent'><h3 id='submission'>Submission</h3>
<p>Your assignment PDF must be EXACTLY three pages, with each of the three parts on its own page (SQL on page 1, XSS on page 2, and CSRF on page 3).</p>
<p>You should submit a single PDF file to Gradescope. Answers to all the above questions should be in that file.</p>
</div><script>document.getElementById('defaultOpen').click();</script></body>
</html>