Project 4: Web SecurityFall 2023
This project counts for 14% of your course grade. Late submissions will be penalized by 15% of the maximum attainable score. If you or your partner (if you’re working in a team) have a conflict due to travel, interviews, etc., please plan accordingly and turn in your project early.
This is optionally a group project; you may work in teams of two and submit one project per team. You may also work alone. Note that the exams will cover project material, so you and your partner should collaborate closely on each part.
The code and other answers you submit must be entirely your team’s own work, and you are bound by the Honor Code. You may discuss the conceptualization of the project and the meaning of the questions, but you may not look at any part of someone else’s solution or collaborate with anyone other than your partner. You may consult published references, provided that you appropriately cite them (e.g., with program comments).
Solutions must be submitted via the Autograder, following the submission checklist at the end of this spec.
Introduction
In this project, we provide an insecure website, and your job is to attack it by exploiting three common classes of vulnerabilities: SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). You are also asked to exploit various flawed defenses meant to prevent these attacks. Understanding how these attacks work will help you better defend your own web applications.
Objectives
- Learn to spot common vulnerabilities in websites and to avoid them in your own projects.
- Understand the risks these problems pose and the weaknesses of naive defenses.
- Gain experience with web architecture and with HTML, JavaScript, and SQL programming.
Setup
Similarly to the Cryptography and Networking projects, you will be using Docker to complete this project. However, if you haven’t already, follow our Docker guide to learn how to set up Docker on your computer.
- To get the code for this project, create a repo using the GitHub template. Make sure to make this repo private.
- Clone the repo onto your system (you’ll need to supply your GT credentials for this), then open it in VS Code.
- If you successfully set up Docker in the previous project/labs, you should be greeted with a pop-up in the bottom right asking you to re-open the directory in the development container; do so now!
- After some time taken to build the container, you should be greeted with the project files in a directory and a terminal connected to the container (as shown in the Docker guide).
- Make sure the Docker container for Lab 4 is not running before you start the project. Both containers contend on port 4235 for displaying Firefox, so ensure that you’re seeing Firefox from the right container!
If you’re unfamiliar with using Git/GitHub, check out this guide to help you get started.
Warning
This project asks you to develop attacks and test them, with our permission, against a target website that we are providing for this purpose. Attempting the same kinds of attacks against other websites without authorization is prohibited by law and may result in severe consequences. You must not attack any website without authorization!
Target Website
Motivated by the success of DuckDuckGo, a group of freshmen CS majors decided to launch a startup named BuzzBuzzGo, with its first product being a web search engine exclusively for the Yellow Jackets. However, their investors are nervous about security problems. Unlike the freshmen who developed the site, you took cs3235, so the investors have hired you to perform a security evaluation before it goes live.
BuzzBuzzGo is available for you to test at https://webproject.gtinfosec.org. For security and compatibility reasons, the site is only accessible when using the Docker Container for this project. For more details, see the next section of the write-up titled ‘Guidelines’.
The site is written in Python using the Bottle web framework. Although Bottle has built-in mechanisms that help guard against some common vulnerabilities, the freshmen have circumvented or ignored these mechanisms in several places.
You can interact with BuzzBuzzGo as many times as you want. In addition to providing search results, the site accepts logins and tracks users’ search histories. It stores usernames, passwords, and search history in a MySQL database.
Passwords used on BuzzBuzzGo may be exposed to others. Never use an important password to test an insecure site! This especially includes your personal passwords.
Before being granted access to the source code, you reverse engineered the site and determined that it replies to five main URLs: /
,
/search
, /login
, /logout
, and /create
. The function of these
URLs is explained below.
-
Main page (
/
)The main page accepts
GET
requests and displays a search form. When submitted, this form issues aGET
request to/search
, sending the search string as the parameter “q
”.If no user is logged in, the main page also displays a form that gives the user the option of logging in or creating an account. The form issues
POST
requests to/login
and/create
. -
Search results (
/search
)The search results page accepts
GET
requests and prints the search string, supplied in the “q
” query parameter, along with the search results. If the user is logged in, the page also displays the user’s recent search history in a sidebar.Note: Since actual search is not relevant to this project, you might not receive any results.
-
Login handler (
/login
)The login handler accepts
POST
requests and takes plaintext “username
” and “password
” query parameters. It checks the user database to see if a user with those credentials exists. If so, it sets a login cookie and redirects the browser to the main page. The cookie tracks which user is logged in; manipulating or forging it is not part of this project. -
Logout handler (
/logout
)The logout handler accepts
POST
requests. It deletes the login cookie, if set, and redirects the browser to the main page. -
Create account handler (
/create
)The create account handler accepts
POST
requests and receives plaintext “username
” and “password
” query parameters. It inserts the username and password into the database of users, unless a user with that username already exists. It then logs the user in and redirects the browser to the main page.Note: The password is neither sent nor stored securely; however, none of the attacks you implement should depend on this behavior. You should choose a password that others will not guess, but again, never use an important password to test an insecure site!
Guidelines
Browser
This project has been tested and will be graded using Firefox 91 on Linux, which is shipped with the project’s Docker Container. When you open the project in the container in VS Code, you can navigate to http://localhost:4235
in your browser to use this specific version of Firefox. (It’s a bit of browser-ception.)
You can enable developer tools by pressing F12, or right-clicking on any element of the page and choosing Inspect from the dropdown menu. Firefox’s developer tools, when enabled, appears at the bottom of the browser window by default. You can adjust the text size within the developer tools frame by clicking anything on it, and then pressing (Ctrl, +) for larger text and (Ctrl, -) for smaller text.
Defense Levels
The freshmen have been experimenting with some naïve defenses, and you need to demonstrate that these provide insufficient protection. In Parts 2 and 3, the site includes drop-down menus at the top of each page that let you change the CSRF and XSS defenses that are in use. When you are testing your solution, ensure that BuzzBuzzGo has the correct defense levels set. You may not attempt to subvert the mechanism for changing the level of defense in your attacks. Be sure to test your solutions with the appropriate defense levels!
In all parts, you should implement the simplest attack you can think of that defeats the given set of defenses. In other words, do not simply attack the highest level of defense and submit that attack as your solution for all defenses. You do not need to combine the vulnerabilities, unless explicitly stated.
When grading, the correct defense levels will be set on BuzzBuzzGo before the autograder runs your solution; don’t worry about setting this through your code.
Resources
The Firefox Developer Tools will be very helpful for this project, particularly the JavaScript console and debugger, DOM inspector, and network monitor. See https://developer.mozilla.org/en-US/docs/Tools.
Although general purpose tools are permitted, you are not allowed to use tools that are designed to automatically test for vulnerabilities. Additionally, your solutions may not use any libraries other than jQuery, which has already been included on BuzzBuzzGo.
Your solutions will involve manipulating SQL statements and writing web code using HTML, JavaScript, and the jQuery library. You should search the web for answers to basic how-to questions. There are many fine online resources for learning these tools. Here are a few that we recommend:
- SQL Tutorial
- SQL Statement Syntax
- Introduction to HTML
- JavaScript 101
- Using jQuery Core
- jQuery API Reference
- HTTP Made Really Easy
To learn more about SQL Injection, CSRF, and XSS attacks, and for tips on exploiting them, see:
Primers
To help you get started on the background knowledge needed for this project, we’ve recorded a series of primer videos, one for each part:
You can also download a PDF of the slide deck for all three videos here.
Part 1. SQL Injection
Your first goal is to demonstrate SQL injection attacks that log you in as an arbitrary user without knowing the password. In order to protect other students’ accounts, we’ve made a series of separate login forms for you to attack that aren’t part of the main BuzzBuzzGo site.
It’s important to note that all the attacks for this part need to be done on the specific URLs as given, and not the main page of BuzzBuzzGo.
For each of the following defenses, provide inputs to the target login
form that successfully log you in as the user “victim
”:
1.0 No defenses 5 pts
You can assume that the password field is simply enclosed in single quotes.
Target: https://webproject.gtinfosec.org/sqlinject/0
Submission: sql_0.txt
1.1 Simple escaping 10 pts
The server escapes single quotes ('
) in the inputs by replacing
them with two single quotes.
Target: https://webproject.gtinfosec.org/sqlinject/1
Submission: sql_1.txt
1.2 Escaping and Hashing 15 pts
The server uses the following Python code, which escapes the username and applies the MD5 hash function to the password.
Warning: This target is significantly more difficult than the previous two SQL injection targets. We strongly urge you to start early.
from hashlib import md5
from flask import request
@app.route("/sqlinject/2", methods=["POST"])
def login():
username = request.form["username"]
escaped_username = mysql_real_escape_string(username)
password_bytes = request.form["password"].encode("latin-1")
password_digest = md5(password_bytes).digest().decode("latin-1")
query = "SELECT * FROM users WHERE username='" + escaped_username + "' AND password='" + password_digest + "'"
selected_users = mysql.execute(query).fetchall()
if len(selected_users) > 0:
return "Login successful!"
else:
return "Incorrect username or password."
This is more difficult than the previous two defenses. You will need to write a program to produce a working exploit. You can use any language you like, but we recommend Python 3.
Please put all source files for your program into the sql_2-src
directory in the starter files. At submission, please archive this directory, making a ZIP file named sql_2-src.zip
.
Hint: If your script is taking a really long time to run, it may be worth designing an SQL injection that it will have an easier time finding. Consider looking at the W3 Schools SQL Operators page for some inspiration.
Target: https://webproject.gtinfosec.org/sqlinject/2
Submissions: sql_2.txt
and a ZIP file called sql_2-src.zip
What to submit
Submit your answers to the Autograder. For this part, the files to submit are sql_0.txt
, sql_1.txt
, sql_2.txt
and sql_2-src.zip
.
Part 2. Cross-site Scripting (XSS)
Your next task is to demonstrate XSS attacks against the
BuzzBuzzGo search
box, which does not properly filter search terms before echoing them to
the results page. For each of the defenses below, your goal is to
construct a URL that, when loaded in the victim’s browser, correctly
executes the specified payload. We recommend that you begin by testing
with a simple payload (e.g., alert(0);
), then move on to the full
payload. Note that you should be able to implement the payload once,
then use different means of encoding it to bypass the different
defenses.
Note: jQuery is embedded on BuzzBuzzGo. Please do not reload it in your scripts for Part 2.
Note: You need to create your own accounts in BuzzBuzzGo to exploit for this part. However, if you use a simple username and password combination, other students may be able to brute-force your credentials and view your search history.
Payload
The payload (the code that the attack tries to execute) will steal the username and the most recent search the real user has performed on the BuzzBuzzGo site. When a victim visits the URL you create, these stolen items should be sent to the attacker’s server for collection.
For purposes of grading, your attack should report these events by
loading (i.e. sending a GET request to) the following URL:
http://stealer:31337/?stolen_user=<username>&last_search=<last_search>
, where <username>
and <last_search>
represent the corresponding data.
That is, the files named xss_#.txt
should contain a URL only. When this
URL is copy-pasted into Firefox’s address bar, the attack (as described above)
should succeed. In turn, when you observe your payload working correctly from
BuzzBuzzGo‘s /search
endpoint, it suffices to copy-paste the URL in Firefox’s
address bar to the corresponding text file for your current defense level.
You can test receiving this data by running this command within the Docker container:
$ python3 -m http.server 31337
and observing the HTTP GET request that your payload generates in the server log.
For full credit, make sure your payload functions exactly as specified above. We cannot accept solutions that load an incorrect URL, use an incorrect request method, or send extraneous data.
Hint: In most cases, scripts are loaded alongside other content in the same order as they appear within a page’s source code. Your payload may need to account for the possibility that not all elements of the page will be accessible until everything in the DOM is ready!
Defenses
There are four levels of defense. In each case, you should submit the simplest attack you can find that works against that defense; you should not simply attack the highest level and submit your solution for that level for every level. Try to use a different technique for each defense. The Python code that implements each defense is shown below, along with the target URL and the filename you should submit.
Note that the defenses are not cumulative; 2.2, for example, does not cover the sanitation done for 2.1.
2.0 No defenses 10 pts (5 pts + 5 pts payload)
Target: https://webproject.gtinfosec.org/search?xssdefense=0
Submission: xss_0.txt
For 2.0 only, also submit a human-readable version of your payload
code (as opposed to the form encoded into the URL). Save it in a
file named xss_payload.html
.
2.1 Remove “script” 10 pts
The server runs the Python code below to sanitize user input. In plain English, this regular expression replaces all instances of “script” with empty strings.
filtered = re.sub(r"(?i)script", "", input)
Submission:
xss_1.txt
2.2 Remove several tags 10 pts
The server runs the Python code below to sanitize user input. In plain English, this regular expression replaces all instances of the opening tags of script, img, body, style, meta, embed, and object HTML elements with empty strings.
filtered = re.sub(r"(?i)script|<img|<body|<style|<meta|<embed|<object", "", input)
Submission:
xss_2.txt
2.3 Remove some punctuation 15 pts
The server runs the Python code below to sanitize user input. In plain English, this regular expression replaces all semicolons, single quotes, and double quotes with empty strings.
filtered = re.sub(r"[;'\"]", "", input)
Target: https://webproject.gtinfosec.org/search?xssdefense=3
Submission: xss_3.txt
What to submit
Submit your answers to the Autograder. The files to submit for this part are xss_0.txt
through xss_3.txt
, and xss_payload.html
.
In addition to the the human-readable (non–URL-encoded) payload submitted
for part 2.0, your submission will be a text file with the specified filename
for each level of defense that contains a single line consisting of a URL. When
this URL is loaded in a victim’s browser, it should execute a payload against
the specified target. The payload encoded in your URLs may embed inline JavaScript. That is,
it should include the stealer
URL given
earlier in this spec!
Part 3. Cross-site Request Forgery (CSRF)
Your final goal is to demonstrate CSRF vulnerabilities against the login
form, and BuzzBuzzGo has
provided two variations of their implementation for you to test. Your
goal is to construct attacks that surreptitiously cause the victim to
log in to an account you control, thus allowing you to monitor the
victim’s search queries by viewing the search history for this account.
For each of the defenses below, create an HTML file that, when opened by
a victim, logs their browser into BuzzBuzzGo under
the account “attacker
” and password “l33th4x
”.
Your solutions should not require any user action beyond simply loading the page once. That is, your code should not rely on user input. The browser should just display a blank page, with no evidence of an attack. (If the victim later visits BuzzBuzzGo, it will say “logged in as attacker”, but that’s fine for the purpose of this project. After all, most users won’t notice immediately.)
To test your solution, you will have to act like the victim. With BuzzBuzzGo
open in Firefox, open a new tab. Pressing (Ctrl, O) will prompt Firefox to
open a file browser. You can navigate to Other Locations -> Computer -> workspaces -> web
to find the files in your Project 4 directory. Alternatively, you can input file:///workspaces/web/(...)
in the URL bar, where the (...)
is replaced by the name of a file in your Project 4 directory, such as, csrf_0.html
.
Because the /login
handler only accepts POST requests, you will not be able to visit the following target URLs in your browser directly—GET requests will return a 405 Method Not Allowed
error.
3.0 No defenses 10 pts
Target: https://webproject.gtinfosec.org/login?csrfdefense=0&xssdefense=4
Submission: csrf_0.html
3.1 Token validation 15 pts
The server sets a cookie named csrf_token
to a random 16-byte
value and also includes this value as a hidden field in the login
form. When the form is submitted, the server verifies that the
client’s cookie matches the value in the form. You are allowed to
exploit the XSS vulnerability from Part 2 to accomplish your goal.
Target: https://webproject.gtinfosec.org/login?csrfdefense=1&xssdefense=0
Submission: csrf_1.html
What to submit
For each part, submit an HTML file with the given
name that accomplishes the specified attack against the specified target
URL. The HTML files you submit may embed inline JavaScript and load jQuery from the URL https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js
, but they must otherwise be self-contained.
If you choose to use jQuery, make sure to use this exact URL. Otherwise, your solution may not function correctly within the Docker environment or the autograder.
Note: Since you’re sharing the attacker
account with other students,
we’ve hard-coded it so the search history won’t actually update. You can
test with a different account you create to see the history change.
Tips and advice
In the past, students have lost credit on this part for various preventable reasons. Here are some tips on how to avoid common pitfalls:
-
Double check to make sure you use the exact target endpoints specified.
-
Do not rely on JavaScript methods that force the script to sleep for a hard-coded time interval, as this approach may not work consistently across all situations.
-
When obtaining cookie data, avoid hardcoding any values beyond those given above. Search online to find general best practices for these tasks.
-
Your solution must work quickly and discreetly to evade detection. This means no automatic redirects, in any part of your HTML page or in any of its frames.
-
Apply the security mindset and test your exploit thoroughly, multiple times just to be safe! Make sure to clear any cookies and disable any extensions that may interfere.
Submission Details
-
Create a repo using the GitHub template. Make sure that the repo you create is private.
-
Visit the project on the autograder, and optionally create a team. Ensure that only one team member makes submissions to the Autograder to avoid confusion.
Part 1: SQL Injection
1.0 No defenses 5 pts | |
1.1 Simple escaping 10 pts | |
1.2 Escaping and Hashing 15 pts | |
1.2 Escaping and Hashing |
Part 2: XSS
2.0 No defenses 5 pts | |
2.0 No defenses 5 pts | |
2.1 Remove “script” 10 pts | |
2.2 Remove several tags 10 pts | |
2.3 Remove some punctuation 15 pts |
Part 3: CSRF
3.0 No defenses 10 pts | |
3.1 Token validation 15 pts |