GT CS 6262 网络安全

【GT CS 6262 网络安全】GT CS 6262: Network Security
Project 3 : Advanced Web
Security
Fall 2021
The latest Chrome browser is highly recommended for this project
Objectives

  1. Attack a web application by exploiting its XSS vulnerabilities to infect its users as persistently as
    possible.
  2. Exploiting the XSS to launch a social engineering attack to trick a simulated user to give up its
    credentials.
  3. Understand cookie management and how to secure your cookies.
  4. Understand the concepts of Same Origin Policy (SOP), Cross Origin Resource Sharing (CORS), and
    Content Security Policy (CSP).
  5. Report the frontend vulnerabilities.
    Due Date
    Please refer to the Canvas assignment for how to submit your solution and due date.
    You will only have 10 chances to submit your solution onto GradeScope.
    Background
    As a student of CS6262, you are invited to join the web security club. This club has an official website
    for sharing information and resources. As a prospective member, you need to deliver a pentesting
    report on the website and provide patches on what you find as a qualification test first.
    The website is not complicated. It is a simple Content Management System with several features
    enabled, e.g. text search, dark mode, rich text editor, etc.
    The website is https://cs6262.gtisc.gatech.edu. It integrates the GT Single Sign On service, so please
    sign in with your GT account and it will create a user for you.
    Before getting your hands dirty
    Let’s first have a feel of what the website looks like. When you type cs6262.gtisc.gatech.edu in your
    browser (the latest Chrome is recommended), the image below is what you will get. It has two posts
    introducing its features. In the following instructions, you will be guided through the whole project.
    GT CS 6262: Network Security
  6. Sign in first.
    a. Click “Sign in”, the blue button on the top right corner. It will redirect you to Georgia Tech’s
    login page.
    b. After sign-in, you will be directed to the homepage. At the top right corner, you can see your
    username and a dropdown list, which means you have successfully logged in. Read the
    post of “Dark Mode Goes Live” to figure out how to use the theme feature.
  7. You should read through all the existing posts to find clues of how to exploit the XSS vulnerabilities
    of the website.
  8. The “My writeups” tab will only return your submissions which can be used to see your submitted
    posts for task 4.
  9. The “Console” tab is the testing tab that will help you simulate other users and admins, receiving
    messages. And one task also resides in that page. This is useful when you need others to click on
    GT CS 6262: Network Security
    your links.
    a. Message Receiver Endpoint
    i. This section gives you an endpoint to send/receive messages. That is necessary for
    XSS attacks. Attackers usually steal cookies and send them to their endpoints. You
    should use the “POST” method to send messages to this endpoint. To view the
    received messages, click the link and refresh when you need to receive a new one.
    ii. This endpoint will be used for task 4 and task 5.
    b. The User/Admin instances running status tells the current running admin role and user
    roles. You can at most create one admin role and one user role.
    In order to trigger an XSS attack on the admin side, fill in the URL of your post and submit to
    the admin role. It will create or override the current running browser instance, which
    means when it’s messed up, you can submit a URL to override the current one.
    In order to trigger an XSS attack on other users’ sides, fill in the URL of your malicious
    payload. The user instances also override the current one when you submit new URLs.
    The admin instance will be used for task 4 and task 5.2. The user instance will be used
    for task 5.3.
    c. The ReDoS section lets you practice application layer DoS.
    i. The server is a simple username and password verification website. Your password
    should not contain the username, the whole string. When you are able to launch
    the ReDoS attack, another request to this page will not respond as it should in a very
    GT CS 6262: Network Security
    short time interval. When your attack succeeds, you should be able to see a hash
    string in the result area. Note that the hash string is correct only when it is under a
    ReDoS attack.
    ii. Bear in mind that toggle the ReDoS heartbeat when you see a hash string so you
    can copy and paste. Because the result is refreshed every 10 seconds.
    iii. Check “Restart the ReDoS instance” to launch the ReDoS server again when you feel
    like the server is not responding to your submission.
    d. The Information Theft section will show an input box when you are able to login as an
    admin. As a regular user, you won’t be able to see this form. So, there are two approaches
    to access this form. However, it might be easier to go for approach 2.
    Here are the two approaches.
    i. Login as admin by stealing admin’s session cookie. Unfortunately, the session
    cookie is protected by the httpOnly flag which makes it invisible to JS. You may find
    other ways to steal this cookie. But, our server is well configured to prevent this.
    ii. Post your username and submit the form directly as admin. The form is protected
    by CSRF. Think of ways to find out the endpoint to submit to, read the CSRF token
    and send the post request.
    Tasks and Grading Rubric
    Note: Fill up the questionnaire and submit required files onto GradeScope.
    Task 1. Basic HTML and JavaScript Test (5%)
  10. In this section we will introduce a few basic HTML and JavaScript knowledge to help you
    with other tasks. It is for practice purposes. There will be no points in this section.
    1.1 DevTools
    Modern browsers will provide DevTools for frontend developers to debug and tune the
    performance when developing a website. It can also be used by attackers to explore and
    collect information. Try pressing F12 in the Chrome browser. DevTools will popup. Here you
    can run javascript in the console, view the source html of the webpage, and capture the
    network traffic. It provides many functionalities. Try to explore it by yourself.
    1.2 console.log()
    console.log() is commonly used to print information into the console of the developer tools
    for debugging purposes. Open the devTool and type console.log(“yourGTID”); You can see
    your GTID is printed in the console.
    GT CS 6262: Network Security
    1.3 setInterval
    setInterval is used to fire a function given a frequency. It will return an intervalID which can
    be passed to clearInterval to cancel the interval.
    Question: Given a variable var counter = 5, make use of setInterval and clearInterval to
    reduce the counter to 0 in every second and then stop. You can run your code in devTools
    to verify.
    var counter = 5;
    // Your code below
    1.4 setTimeout
    setTimeout will fire a function after the delay milliseconds. The function will only be fired
    once. Similarly you can use the returned timeoutID and clearTimeout to cancel the timeout.
    Question: Given a variable var counter = 5, make use of setTimeout to reduce the counter
    to 0 in every second and then stop. You can run your code in devTools to verify.
    var counter = 5;
    // Your code below
    1.5 Promise
    A Promise is an object used for async operations in JavaScript. There are three states in a
    Promise object: Pending, Fulfilled, and Rejected. Once created, the state of the Promise
    object is pending. So the calling function will not be blocked and continue executing. The
    Promise object will eventually be fulfilled or rejected. Then the respective resolve or reject
    function will be called. Below is an example of a Promise. Before running the code, can you
    tell what the output would be? Can you explain why?
    let testPromise = new Promise((resolve, reject) => {
    setTimeout(()=>resolve("Promise resolved"), 1000);
    })
    testPromise.then(message => {
    console.log(message);
    })
    console.log("Calling function");
  11. In this section we will ask you 5 questions related to HTML and javascript. Each
    question contributes 1% of the total score. Please fill in your answers in the
    provided questionnaire.
    2.1
    B)
    C)
    D) All of above
    GT CS 6262: Network Security
    2.2 In order for the tag to open a new tab/window when clicked, what value should
    you set for the target attribute? (The answer should only contain the value itself). This is
    necessary for task 5.3.
    2.3 You will see three alerts after running the code below. Put the output in sequence. The
    answer should be 3 numbers separated by commas with no space, e.g. 1,1,1. Think
    about why that is the case. You will use this technique in task 5.2.
    for (var i = 0; i < 3; i++) {
    const promise = new Promise((resolve, reject) => {
    setTimeout(resolve, 1000 + i*1000)
    });
    promise.then(() => alert(i));
    }
    2.4 Which of the following can set jsScript as a string variable correctly? Understanding
    how HTML code is parsed is important. This question is related to task 3.
    A)
    B) '
    C)
    D) None of above
    2.5 fetch is an api which makes use of promises to send web requests. It is supported by
    most major web browsers. Study the use of fetch api and try to make a POST request to
    your Message Receiver Endpoint with the payload body being {username:
    your-GT-username}, e.g. {username: abc123}. Then, check your message receiver
    endpoint again to see the response. It will be a hash string. Copy this string into the
    questionnaire.
    Task 2. Exploit the Reflected-XSS (8%)
    Find where to exploit a reflected XSS and fill in the questionnaire a URL by visiting which an alert
    should trigger.
    Concept Review
    Reflective XSS is an attack where a website does not return requested data in a safe manner.
    Reflective is generally an XSS attack where the attacker sends the victim a link to a reputable
    website. BUT, this link contains malicious javascript code. For example,
    https://www.facebook.com/logi...
    If the website returns the data in an unsafe manner (does not sanitize the output) and the victim
    clicks on this link, then the malicious code will be executed in the context of the victim’s session.
    Requirements
    The content of the alert doesn’t matter. For example,
    https://cs6262.gtisc.gatech.e... is what you need to fill in the
    questionnaire.
    GT CS 6262: Network Security
    The autograder will visit your URL, If it detects an alert, then you will receive full credit.
    Tips
  12. You don’t need to log into the website to find this vulnerable point and exploit it.
  13. All inputs are malicious! Look for where you can type and try it with some alerts.
    Deliverables
  14. A URL which includes the vulnerable endpoint and your alert payload.
  15. The alert should show the domain as below.
    Rubric
    Your URL is able to trigger an alert 8%
    Your URL fails to trigger an alert 0%
    Task 3. Evolve to Persistent Client Side XSS (12%)
    After finding the exploitable place from task 2, you understand you can infect others by sending
    them links. But sending links is costly and people may not click on them every time.
    Therefore, instead of sending a link required in task 2, you find you can actually modify the
    payload and let the payload live in this web app forever. As long as a user clicks on the link you
    send once, she is infected persistently unless the payload is cleared.
    Concept Review
    After learning some types of XSS, you may think how I can make my attack as persistent as
    possible on the client's side if the website doesn’t have a Stored-XSS vulnerability exposed to
    regular users.
    As Web technology evolves, more and more applications start to focus on user experience. More
    and more web applications, including cross platform Electron applications, are taking over
    desktop applications. Some user's non-sensitive data is now stored on the client side, especially
    the look and feel preferences of an application, to let the App load faster by remembering the
    user's preferences without passing back small data chunks.
    You can learn more how prevalent this is nowadays by reading the paper Don't Trust The Locals:
    Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild
    Then, the variable is read by an unsafe sink, e.g. eval, element.innerHTML(data).
    Inspect what is stored locally for the web application, cs6262.gtisc.gatech.edu, and how it is
    used.
    Tools you may need:
  16. F12 on the keyboard and go to Application tab to inspect the Storage as highlighted below
    GT CS 6262: Network Security
    -
  17. The Application tab provides you with a quick look at what local data is stored. That
    includes local storage, cookies, etc.
  18. The Sources tab provides you with static resources, like scripts, html, and CSS files. That is
    the place you should focus on debugging JS code.
    Requirements
    Now, modify the payload in the link from task 2 and fill the updated URL in the questionnaire.
    The autograder will first visit your URL to trigger your XSS payload to run. Then, it would close the
    page and reopen, refresh. So, it should detect the alert twice. It should not pop up an alert by only
    visiting your URL.
    Tips
  19. Read the post “Dark Mode” on the website.
  20. You may need to log into the website to find the vulnerable point and exploit it. More details
    are described on the website.
  21. The vulnerability is exploitable even if the victim has not logged in.
  22. In this task, you don’t need to submit a post yet, which is for task 4.
  23. The default dark mode style sheet is
    "https://bootswatch.com/4/cyborg/bootstrap.min.css". You can reset it if you feel the
    website is messed up. Or, you can go to the Application tab->Application->Storage->Clear
    site data to reset everything.
    FAQ
  24. Your URL should NOT trigger any alerts when visiting it directly. And, you don’t need to
    trigger your payload to execute. The autograder will do that for you. This task is trying NOT
    to draw the user’s attention (e.g. popups, alerts, and theme changing) when the user clicks
    on your URL. The alerts afterwards are for grading purposes.
  25. If your payload doesn’t work when you think it should, you can inspect the HTML element it
    creates and see if there’s anything incomplete. Look for where it is consumed. You can set
    a debugger to step through the execution. https://www.w3schools.com/js/...
    may give a hint for those who cannot fix the syntax error of your payload.
  26. Remember to leverage task 2's result to inject your payload. When the page reloads, your
    payload can be read and executed.
    Deliverables
  27. A URL which includes the vulnerable endpoint and your malicious payload.
    GT CS 6262: Network Security
    Rubric
  28. Your URL is able to trigger an alert after reopen 6%
  29. Your URL is able to trigger an alert after refresh 6%
    Task 4. Exploit the Stored-XSS (20%)
    The website, https://cs6262.gtisc.gatech.edu, allows users to create articles. As a user, one
    needs to submit the post to a moderator who is the admin of the website for approval. This might
    be an interesting point to investigate whether you can inject something so when the admin is
    reviewing your post, thereby you can hijack the admin’s login session. This website uses a rich text
    editor which not only enables styled content, but sanitizes the user's input while preserving its
    style.
    In this task, you will submit a post with an injected payload that launches XSS attached to an
    admin user. Then, you need to steal some information that is only visible to an admin.
    Concept Review
    Stored XSS is an attack where a website does not store data in a safe manner. An attacker could
    then store malicious code within the website's database. Said code could be executed whenever a
    user visits that website. So, a post for an admin’s approval seems like something you will be
    interested in. If you can steal the admin’s login session cookie, you can login as her to see what
    she can see.
    Recall from the lecture that when a cookie has httpOnly, it is not exposed to the document object.
    That is to say, this cookie is not accessible to JavaScript. What would you need to do to read
    information out as the cookie’s owner?
    This httpOnly flag is a good way to prevent JavaScript from reading sensitive cookies. However, it
    doesn’t mean it can mitigate XSS attacks. Attackers, having malicious scripts running in the
    victim’s browser, are still able to send requests and forward the responses to themselves.
    Even though the website is protected by CSRF tokens, attackers can still manage to post
    malicious payload pretending to be the user.
    Requirements
  30. Exploit the rich text editor to inject another XSS payload. Such payloads should NOT trigger
    an alert for a successful exploit. Your payload SHOULD set a global variable
    window.gotYou=true for the autograder to read.
  31. You will steal admin’s cookies such that you can login as admin to generate your unique
    hash string. Or, if you cannot steal the session cookie, you need to find a workaround to get
    the hash still. You will need to use the Message Receiver Endpoint to receive the stolen
    information.
  32. Please DO NOT put any comments in your final code submission.
  33. Please put a semicolon at the end of each statement.
    Workflow
  34. Log into the website with your own credentials.
  35. Inspect your session cookie to check if it has httpOnly set.
    a. If not, an XSS payload can steal it, so you can log into the website as another one.
    b. If yes, you need to find another way to get the hash.
  36. Create a new post and find the vulnerable point of the editor. The editor has two modes.
    GT CS 6262: Network Security
    a. “What you see is what you got” mode. Try to type in some inputs and see how the
    editor deals with it.

    推荐阅读