CS 361S - Network Security and Privacy Fall 2015. Project #1



Similar documents
CS 361S - Network Security and Privacy Spring Project #1

Secure Web Development Teaching Modules 1. Threat Assessment

EECS 398 Project 2: Classic Web Vulnerabilities

Project 2: Web Security Pitfalls

CS5331 Web Security - Assignment 0

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Web attacks and security: SQL injection and cross-site scripting (XSS)

How to Use Your UT WebSpace Account By Kimberly Pendell October 2004

Application Security Testing. Generic Test Strategy

Grand Blanc Community Schools

Using Internet or Windows Explorer to Upload Your Site

Attack and Penetration Testing 101

DEPLOYMENT GUIDE DEPLOYING F5 WITH VMWARE VIRTUAL DESKTOP INFRASTRUCTURE (VDI)

HDA Integration Guide. Help Desk Authority 9.0

Cross Site Scripting in Joomla Acajoom Component

DEPLOYMENT GUIDE Version 2.1. Deploying F5 with Microsoft SharePoint 2010

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification

INSTALLING MÜSE UPDATES FOR ISTAN

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Webmail Using the Hush Encryption Engine

An Insight into Cookie Security

Setting up VMware ESXi for 2X VirtualDesktopServer Manual

STABLE & SECURE BANK lab writeup. Page 1 of 21

Smartphone Pentest Framework v0.1. User Guide

TxEIS on Internet Explorer 7

Web Application Firewall

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

1 Recommended Readings. 2 Resources Required. 3 Compiling and Running on Linux

Last update: February 23, 2004

Virtual Server Installation Manual April 8, 2014 Version 1.8

Instruction Guide Mentor/Coach Free Play Practice Event November 2015

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

MySQL Quick Start Guide

Schools Remote Access Server

Deploying the BIG-IP System v10 with VMware Virtual Desktop Infrastructure (VDI)

Marcum LLP MFT Guide

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP LTM System with VMware View

Figure 9-1: General Application Security Issues. Application Security: Electronic Commerce and . Chapter 9

Virtual Appliance Setup Guide

Oracle Solaris Remote Lab User Guide for Release 1.01

CPE111 COMPUTER EXPLORATION

PORTAL ADMINISTRATION

TECHNICAL NOTE. The following information is provided as a service to our users, customers, and distributors.

MY HELPDESK - END-USER CONSOLE...

Internet Explorer Browser Clean-up

Remote Viewer Recording Backup

TIBCO ActiveMatrix BPM - Integration with Content Management Systems

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

Application security testing: Protecting your application and data

COMP 112 Assignment 1: HTTP Servers

How To Backup Your Computer With A Remote Drive Client On A Pc Or Macbook Or Macintosh (For Macintosh) On A Macbook (For Pc Or Ipa) On An Uniden (For Ipa Or Mac Macbook) On

Customer Tips. Xerox Network Scanning HTTP/HTTPS Configuration using Microsoft IIS. for the user. Purpose. Background

Webmail Instruction Guide

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Mapping ITS s File Server Folder to Mosaic Windows to Publish a Website

Support/ User guide HMA Content Management System

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Using Outlook Web Access (OWA) & Remote Web Workplace

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

Cross-Site Scripting

Using Virtual Machines

Cloud Backup Express

DEPLOYMENT GUIDE. Deploying F5 for High Availability and Scalability of Microsoft Dynamics 4.0

User Manual. User Manual Version

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

CONNECTING TO DEPARTMENT OF COMPUTER SCIENCE SERVERS BOTH FROM ON AND OFF CAMPUS USING TUNNELING, PuTTY, AND VNC Client Utilities

CS 558 Internet Systems and Technologies

SAML single sign-on configuration overview

Reference Guide for WebCDM Application 2013 CEICData. All rights reserved.

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Web Application Security

Using Microsoft Expression Web to Upload Your Site

MSSQL quick start guide

Edwin Analytics Getting Started Guide

SAP NetWeaver AS Java

SQL Injection Attack Lab

Lab 8: Configuring Backups

ACCESSING YOUR CHAFFEY COLLEGE VIA THE WEB

How to install and use the File Sharing Outlook Plugin

Web application security

CS 361S - Network Security and Privacy Spring Homework #1

SHAREPOINT COLLABORATIVE WORKSPACE

Tech Tips Helpful Tips for Pelco Products

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Tips for getting started! with! Virtual Data Center!

NexentaConnect for VMware Virtual SAN

Digital Certificate Renewal(Windows Vista and Windows 7)

FireBLAST Marketing Solution v2

SETTING UP AND RUNNING A WEB SITE ON YOUR LENOVO STORAGE DEVICE WORKING WITH WEB SERVER TOOLS

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

About This Document 3. About the Migration Process 4. Requirements and Prerequisites 5. Requirements... 5 Prerequisites... 5

Bitrix Site Manager ASP.NET. Installation Guide

Frequently Asked Questions for the USA TODAY e-newspaper

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

CEFNS Web Hosting a Guide for CS212

Lab 1: Network Devices and Technologies - Capturing Network Traffic

To configure a Virtual SIP Server

How to FTP (How to upload files on a web-server)

Web application security: Testing for vulnerabilities

Transcription:

CS 361S - Network Security and Privacy Fall 2015 Project #1 Due: 12:30pm CST, October 8, 2015 Submission instructions Follow the instructions in the project description. If you are submitting late, please indicate how many late days you are using. Collaboration policy This assignment can be done individually or in two-person teams. Any cheating (e.g., submitting another person s work as your own, or permitting your work to be copied) will automatically result in a failing grade. The Computer Science department code of conduct can be found at https://www.cs.utexas.edu/academics/conduct. Late submission policy This project is due at the beginning of class on October 8. All late submissions will be subject to the following policy. You start the semester with a credit of 3 late days. For the purpose of counting late days, a day is 24 hours starting at 12:30pm on the assignment s due date. Partial days are rounded up to the next full day. You are free to divide your late days among the take-home assignments (3 homeworks and 2 projects) any way you want: submit three assignments 1 day late, submit one assignment 3 days late, etc. After your 3 days are used up, no late submissions will be accepted and you will automatically receive 0 points for each late assignment. 1

Project #1 (50 points + 10 bonus points) The objective of this project is to give you hands-on experience implementing attacks against vulnerable Web applications. You will do this project on a virtual machine using VMware Player. You will need: The project image: http://www.cs.utexas.edu/~ojensen/courses/cs361s/vms/cs361s-proj1.ova Getting Started 1. Download the project image. Set up the VM using the same method as you did in Project #0. Refer back to the instructions for Project #0 if needed. 2. The machine has two accounts: root/root and user/user. You will do your work as user, but feel free to explore as root. The vm has an SSH server. You can SSH into the vm from your machine, using the IP address produced by ifconfig (see above) as the destination. You can also use this to transfer files into the vm using scp. Alternatively, inside the vm, you can fetch files directly from the Web using wget. Some attacks will require an email to be sent to user on the system. You will need a server-side script to automatically email information captured by your client-side JavaScript. We have provided this script for you at http://hackmail.org/sendmail.php (open this URL from within the vm for more instructions) and use that URL in your attack scripts to send emails. Any mail the user receives will appear in /var/mail/user. Interacting with the vm Using SSHFS / X Tunneling (recommended) Probably the least painful way to interact with the vm is through local networking. 1. Install the sshfs package on your host machine and create an empty netfs directory. 2. Run sshfs root@[vm IP address]:/ netfs and enter the vm s root password. You can now access the vm s filesystem via the netfs directory with your host machine s applications. 3. Log in to the vm via ssh -Y user@[vm IP address]. You can now run graphical applications such as iceweasel within the vm. 2

Using SCP If you are not using a unix-like host machine, you may find that the sshfs package is not available for you. If that s the case, the least painful way of interacting with the filesystem is going to be through SCP. WinSCP is a good client for Windows. Good old-fashioned logging in (slow and annoying) You may want to interact with the virtual machine directly. If so, this section is for you: 1. You may find it beneficial to install vmware-tools in the vm. VMware Player will prompt you about this. 2. Go into the desktop environment with startx. 3. To start a Web browser, type iceweasel &. 4. You can change the display resolution in the virtual machine with xrandr, e.g.: xrandr -s 19 5. If you want to install other packages / a friendlier desktop environment, you can use apt-get. UT Payroll UT Payroll is all about making sure people get paid while doing the least amount of work possible. To that end, they ve created a Web application that lets you set up your direct deposit information, replacing the six hardcopy forms they had previously. Because they find themselves frequently looking up the name attached to a UT EID, they have included that functionality as well. The UT Payroll server is located at this URL (accessible only from within the vm): http://payroll.utexas.edu You can create a new account by registering on the main page. You can then save your account number and routing number (this should be obvious, but please please please do not save your actual banking information, or use your actual UT Direct password when registering). You can view any registered user s name by looking up their UT EID on the right. The source code of the Payroll website is available within the vm in /var/payroll/www. Note that the application s database is stored in the /tmp directory, which means that the database will reset whenever you reboot the VM. 3

Attack #1: Cross-site request forgery (10 points + 5 bonus points) Create a malicious HTML page that should work as follows. Suppose the victim has logged into the UT Payroll server, and, while still logged in, visits your HTML page. Your page should overwrite the victim s account number and routing number stored on the UT Payroll server with your own values: 31337 and 73313 respectively. Important: The victim should be redirected to the UT Payroll website immediately. In particular, he should not see the URL or the content of the malicious HTML page. (It is Ok if the browser displays your malicious page for a fraction of a second before it finishes fetching the UT Payroll page.) Bonus (5 points) Instead of redirecting the victim as described in the previous paragraph, make the attack transparent to the victim. In this case, the victim should see only the URL and content of your malicious HTML page. For example, the victim is browsing his favorite forum and sees your link promising a cute picture of a kitten. He clicks your link, sees the kitten, nods appreciatively, then closes the tab, unaware that his data at UT Payroll has been modified. Attack #2: Cookie theft (15 points + 5 bonus points) A user named victim has logged into the UT Payroll server. Create a URL that looks like this (with EVILMAGIC replaced by your exploit): http://payroll.utexas.edu/account.php?eid=evilmagic When the logged in victim visits this URL, the victim s UT Payroll cookie should get sent by email to user. The user should notice no difference in the behavior or appearance of the web page compared to simply typing a username into the text box on http://payroll.utexas.edu/ account.php and hitting Enter. The source of the page can be arbitrarily different, but it should look and feel exactly the same. Important: While you can technically satisfy the wording of the problem by redirecting the user to http://payroll.utexas.edu/account.php?eid=victim after stealing the cookie, this is not what we are looking for. You must exploit the way that the username variable is used in the PHP script. In particular, your attack code must: Pull the victim s record from the database using the SQL query on line 21 of account.php (therefore, SQL must not barf on being given a query constructed from the username part of your URL). 4

Result in the correct username (victim) being displayed in the input field on the user page. Thus, when the PHP code spits back the username you gave it on line 53 of account.php, it must somehow render as victim. It should be exactly that string you cannot have more text hidden beyond the whitespace in the input box. Display the user s EID and name in the area below. Your code should also somehow ensure that even though the username you supplied is a long and ugly string, it should render as victim in this part of the page as well. To summarize, you attack should, without redirection, result in a page that looks exactly like the page http://payroll.utexas.edu/account.php?eid=victim The HTML source will be different, and so will the address bar (it will be your malicious URL) but the content of the page should look and behave the same. If you choose to use a client-side script in addition to a malicious URL, you can use your UT webspace or any other webspace available to you (such as http://pastebin.com) to host that script. Tip: You are allowed to hardcode the string victim wherever you want. You cannot, however, hardcode the value of the name; it should be retrieved from the database. You will probably need to understand and exploit the manner in which the value of the name is encoded into the HTML page and how the JavaScript retrieves it. Partial credit: If you are not able to email the cookie, at least display it in a pop-up alert. If you are not able to make the page look exactly the same, make it look approximately the same. At the very least, try to make sure that your URL does not result in the This UT EID is not registered warning. While some point will be given for simply sending the email / alerting the cookie, the majority of the points for this question are for cleaning up the display after the email has been sent. Bonus (5 points) The team with the shortest URL that implements the full attack #2 gets 5 bonus points. Attack #3: Password theft (10 points) Create a malicious HTML page that should work as follows. Assume your victim is not logged in. Upon visiting your page, the victim should be redirected to http://payroll. utexas.edu/. When the victim enters a username and password and hits Log in, an email should be sent to user containing the username and password entered by the victim. Important: Assuming a valid username/password pair was entered, the next page should look as if the victim did indeed log into UT Payroll. 5

Attack#4: SQL injection (15 points) Create an HTML page that the tester will open in his browser. The tester will not be logged in. The HTML page should have a form with a single text field and a submit button (note: the form should not ask the tester for a password). The tester will type a username into the text field and submit the form. You can assume the username submitted by the tester is already associated with a registered account. As a result, the tester should be logged in as the user whose username he submitted. The browser s location bar should be http://payroll.utexas.edu/account.php, and the page should function exactly as if the correct username and password were entered on the real site. Deliverables You will submit your project using Canvas. Each file should be wholly contained; your exploits should not depend on the other files in your submission nor on anything outside of the VM (including anything on the Internet). Your submission will be a single Gzipped Tar archive, proj1.tar.gz, consisting of the following files: Your malicious HTML page implementing Attack #1, attack1.html. If you attempted the bonus, a separate HTML page, attack1 bonus.html. A plain text file with your malicious URL implementing Attack #2, attack2.txt. Your malicious HTML page implementing Attack #3, attack3.html. Your malicious HTML page implementing Attack #4, attack4.html. A plain text file, SUBMISSION. The first line should state how many (possibly 0) late days were used. Then give the following on a single line, one line for each student: Your UT EID, followed by a single space, followed by your real name. You may also include in your Tar archive a README file with comments about your experiences or suggestions for improvement. 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information