CS 4740 / CS 6740 - Project 4

CS 4740 / CS 6740 - Network Security

Project 4: Web Exploits

This project is due at 11:59pm on April 28, 2015.

Description

In this assignment, your goal is to steal three secret flags from a website that is accessible at http://guldendraak.ccs.neu.edu:8080/. Access to this website, which we shall call the Forum, requires a username and password. Inside the website, you will find a forum for discussing hacking topics, as well as a chatroom that uses WebSockets to implement live-chat capabilities.

You will not be provided a username/password for the Forum, nor will you be provided source code. To complete this assignment, you will need to find a way to break into the Forum without having any access to source code or other server-side resources.

Secret Flags

As mentioned above, there are three secret flags that you must collect from the Forum. Collecting each secret will require leveraging different types of web exploits.

SQL Injection: your first task will be to gain access to the Forum. To gain access, you must bypass the Forums' authentication procedure by exploiting a SQL injection vulnerability in the server-side processing of the login credentials. However, the forum developers have implemented several input filters on the login form that you will need to evade. Triggering the filter will result in a visual indication to that effect; this can be used as an oracle to determine the types of input the filter alerts on.

Once you have gained access to the Forum you will need to look around for the first secret.
XSS: the message boards on the Forum contain an exploitable XSS vulnerability. You must use this vulnerability to steal a cookie named 'p' that has been set on the site administrator. Fortunately for you, the administrator visits the message boards every 5 minutes, and clicks all posted links (e.g. anchor tags) in order to determine if they violate the Forum's terms of service.
HTML5 postMessage: The forum also provides a chat room. This service is implemented using postMessage, WebSockets, and a browser cryptographic library. Messages are encrypted using a secret that is never sent to the server. Furthermore, encrypted messages are salted to prevent rainbow table attacks.

Your task is to steal the secret used by the adminstrator. Fortunately for you, the administor logs-in to the chat room every five minutes and posts a message, giving you ample opportunity to somehow steal the secret.

How to Approach This Assignment

This assignment will require a different set of skills and tools than Projects 2 and 3. The first tool in your toolbox is your web browser: all modern web browsers include developer tools that allow you to inspect the HTML/JavaScript/CSS code of pages, as well as incoming and outgoing network requests. Furthermore, all browsers include a JavaScript console that allows you to run code within the context of a given webpage. The JavaScript console will be useful for developing and debugging exploit code.

During this project, you will need to develop client-side scripts or programs that interact with the Forum. For example, this can be done in Python using urllib2 or httplib to programmatically issue HTTP GET and POST requests. A more sophisticated solution is to use a headless web browser like PhantomJS (or CasperJS, which is an API framework built on top of PhantomJS). A headless browser is a full web browser that you can run via a command line and control programmatically using scripts. For example, PhantomJS uses the same Webkit rendering engine as Chrome and Safari, and you can control its behavior (i.e. which pages it visits, what links are clicked, etc) using JavaScript. The advantage to using a headless browser is that it will execute JavaScript code that is served by webpages, and you can write your own JavaScript that interacts with a web page's code.

Finally, it may be useful during this project for you to run your own web server. You can use standard, general purpose servers like Apache or Nginx for this task, or you can use an application server like Tomcat. However, these solutions are extremely heavyweight, and require a great deal of manual configuration. A better solution is to use a lighter-weight framework like Django or Ruby on Rails. These frameworks typically come with easy-to-deploy, built-in webservers. An even better solution may be to use a microframework like Flask, Sinatra, or PerlDancer. These microframeworks are designed to make it trivial to design, setup, and deploy simple web services.

Accessibility

For security reasons, the services on Guldendraak only accept TCP connections from machines in the Khoury College network. Thus, you must be physically present on campus, tunneled/VPNed to campus, or SSHed into a Khoury College machine in order to access the services.

What You Need to Turn In

To receive credit on this assignment, you will need to turn in all your code, as well as a file named secrets.json that contains the following JSON formatted data:

{
    "sql_secret": "the secret hidden in the website, as a string",
    "xss_secret": "the secret stolen from the administrator's cookie, as a string",
    "postmessage_secret": "the secret stolen from the administrator's chatbot, as a string"
}

You can use the following Python commands to test whether your file is valid JSON:

% python
>>> import json
>>> s = json.loads(open('secrets.json').read())
>>> print isinstance(s["sql_secret"], basestring)
>>> print isinstance(s["xss_secret"], basestring)
>>> print isinstance(s["postmessage_secret"], basestring)

If you see an exception, then your file is not formatted correctly (or your file couldn't be found).

Language and Libraries

You can write your code in whatever language you choose. You may assume that your code will be graded on a machine that has phantomjs, casperjs, and Flask. If you plan on using other non-standard tools or libraries you should post on Piazza first to get permission from us, or include those tools/libs in your submission.

Submitting Your Project

If you have not done so already, register yourself for our grading system using the following command:

$ /course/cs6740sp15/bin/register-student [NUID]

NUID is your Northeastern ID number, including any leading zeroes.

Before turning in your project, you and your partner(s) must register your group. To register yourself in a group, execute the following script:

$ /course/cs6740sp15/bin/register project4 [team name]

This will either report back success or will give you an error message. If you have trouble registering, please contact the course staff. You and your partner(s) must all run this script with the same [team name]. This is how we know you are part of the same group.

To turn-in your project, you must submit your code along with a file named secrets.json that contains the secrets obtained from exploiting the services. Your secrets.json file and source code should all be placed in a directory. You submit your project by running the turn-in script as follows:

$ /course/cs6740sp15/bin/turnin project4 [project directory]

[project directory] is the name of the directory with your submission. The script will print out every file that you are submitting, so make sure that it prints out all of the files you wish to submit! The turn-in script will not accept submissions that are missing the secrets.json file. Only one group member needs to submit your project. Your group may submit as many times as you wish; only the last submission will be graded, and the time of the last submission will determine whether your assignment is late.

Grading

This project is worth 13 total points. Each individual secret flag is worth 13/3 points. We will randomly check student's code to make sure that it works correctly. All student code will be scanned by plagarism detection software to ensure that students are not copying code from the Internet or each other. Students who are caught cheating will receive a zero on the assignment, and will be reported to OSCCR.