Part 1 (Attacks A, B, C) due: Tuesday, Nov. 19, 23:59
Part 2 (Attacks D, E) due: Tuesday, Nov. 26, 23:59
For clarifications and hints, see the FAQ, originally developed for Stanford CS 155.
Setting up Boxes on your own machine: Download the BoxesX virtual machine image, BoxesX.ova (warning: 600 MB!). Note that this is not the same VM image as the one in previous projects, so you should not use those VMs. The ova file should load into VirtualBox. Once the BoxesX VM is running, you will want to start X and run the Iceweasel browser, as described below.
The Web server serving the Zoobar site you will be attacking is hosted inside the VM. (If you try to connect to zoobar.org outside the VM, you will get Stanford’s site, which you should not try to interact with.) Furthermore, the Web browser you’ll use to develop and test your attacks is also hosted inside the VM. It is called Iceweasel.
Iceweasel is the Debian version of Firefox—essentially the same browser, but with a different name because of licensing issues. To start Iceweasel in BoxesX, log in as user, and do the following:
1. Run the startx command. This will start the X Window System, and a new window will be displayed with an xterm (shell) where you can enter commands. (Click the mouse to place the window.)
2. Run iceweasel & within the newly displayed xterm. This will open the Iceweasel browser. (Again, click the mouse to place the window.)
3. Browse to http://zoobar.org/ to connect to the Zoobar site.
The easiest way to access your VM from the host computer is with SSH. VirtualBox’s networking rules do not by default allow incoming connections to the VM, but you can set up a port forwarding rule, as follows. In the settings window for the BoxesX VM, choose the “Network” tab, then show the “Advanced” options, and click the “Port Forwarding” button to bring up the port forwarding rules dialog.
In this dialog, you should see a rule binding port 8024 of localhost (127.0.0.1) on the host to port 22 on the VM. If this rule is not present, or if you would like to use a different port on the host, you can change the configuration and click OK.
With port forwarding enabled, you can SSH into your VM using a command like “ssh user@localhost -p 8024”.
Note that if you also used port forwarding on port 8024 for project 2, SSH will get very upset, because the new VM’s key is different and SSH suspects a man-in-the-middle attack. It will tell you what line in ~/.ssh/known_hosts is responsible, and you can delete this line and try again.
As with any project, you will want to make and keep frequent backups of your work. If you are developing your code in user’s home directory inside the VM, then an easy way to back this directory up is with the rsync command.
Suppose you have set up port forwarding so that port 8024 on the host forwards to port 22 on the VM. And suppose you’d like to back up into a directory called bkp123 in your home directory. Run the following command on the host:
rsync -av -e "ssh -p 8024" user@localhost:/home/user/ ~/bkp123/
If you run this command again later it will update the contents of bkp123 to match the contents of user’s home directory.
To restore from backup, run the following command, again from the host:
rsync -av -e "ssh -p 8024" ~/bkp123/ user@localhost:/home/user/
The fictional “Zoobar Foundation” has set up a simple Web application at zoobar.org (inside the BoxesX VM), allowing registered users to post profiles and transfer “zoobar” credits between each other. Each registered user starts with 10 zoobars.
You will craft a series of attacks on zoobar.org that exploit vulnerabilities in the Website’s design. Each attack presents a distinct scenario with unique goals and constraints, although in some cases you may be able to reuse parts of your code.
Although many real-world attackers do not have the source code for the Websites they are attacking, you are one of the lucky ones: you can find the source code under /var/zoobar/www in the BoxesX VM.
The zoobar server is actually run locally on each of your boxes. We will run your attacks after wiping clean our own local database of registered users (except the user named "attacker"). Of course this means that any data you have added while working on the assignment will not be present during grading.
Browser: We will grade your project within the BoxesX VM, using the Iceweasel browser, which is installed in the Boxes. Therefore, you should test your code in the Boxes on this browser. Iceweasel is essentially the same browser as Firefox, but under different branding. Anything that works in Iceweasel will likely work in (the same version of) Firefox as well.
There are subtle quirks in the way HTML and JavaScript are handled by different browsers, and some attacks that work in Internet Explorer (for example) may not work in Firefox (and therefore in Iceweasel). In particular, you should use the Mozilla way of adding listeners to events.
Email script. For Attacks A and D, you will need a server-side script to automatically email information captured by your client-side JavaScript to your user account within the Boxes. We have provided this script for you. Please review the instructions at http://zoomail.org/sendmail.php (open this URL from within the Boxes VM) and use that URL in your attack scripts to send emails. Again, this server is also being run locally on your own Boxes machine. To check your local email use the mutt email client (type mutt in the shell to start the client, and follow the instructions).
http://zoobar.org/users.php?
zoobar.org before loading your URL.
http://zoomail.org/sendmail.php email script.
http://zoobar.org/users.php. No changes to the site appearance or extraneous text should be visible. Avoiding the red warning text is an important part of this attack. (It’s ok if the page looks weird briefly before correcting itself.)
http://zoobar.org/users.php?user=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E to use as a starting point.
zoobar.org before loading your page.
“attacker” account. The browser should be redirected to https://www.cs.jhu.edu/~s/teaching/cs460/2013-fall/ as soon as the transfer is complete (so fast the user might not notice).
zoobar.org at any point.
zoobar.org before loading your page.
zoobar.org as the user whose name was typed in the text field. The browser’s location bar should be redirected to http://zoobar.org/index.php, and the page should look and behave exactly as if the grader had instead typed the username and corresponding password in the legitimate zoobar.org login form.
zoobar.org PHP code handles the user login and registration, and how does it interface with the SQLite database?
zoobar.org before loading your page.
http://zoobar.org/. The grader will enter a username and password and press the “Log in” button.
http://zoomail.org/sendmail.php e-mail script.
htmlspecialchars() to sanitize the reflected username, but something is not quite right.
“attacker” (that’s an actual username) and replaces the profile of the current user with itself.
http://zoobar.org/users.php?user=username, where username is the user whose profile is being viewed. The visitor should not see any extra graphical user interface elements (e.g., frames), and the user whose profile is being viewed should appear to have 10 zoobars.

Create files named a.txt, b.html, c.html, d.html, and e.txt, containing each of your five attacks. You may include a separate README file. (We would appreciate any feedback you may have on this assignment.) As before, you will tar up the appropriate files for each part and submit the tarball.
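The hint above that the site runs htmlspecialchars() on the reflected username but that “something is not quite right” is a reminder that output escaping is only correct for the HTML context it targets. The following is an added example, not code from the Zoobar site or the course: it models htmlspecialchars() under PHP's two quote-handling flags and runs a parser-based check over a constructed template (the template, and the assumption that the value is reflected into an attribute, are mine), so a reviewer can see when escaped output still breaks out of its attribute.

```python
# Added example, not Zoobar's code: a Python model of PHP's htmlspecialchars()
# under its two quote-handling flags, plus a parser-based check a reviewer can
# run on a template that reflects a user-controlled value (here a username).
from html.parser import HTMLParser

ENT_COMPAT = "ENT_COMPAT"  # escapes & < > "   (PHP's default before 8.1)
ENT_QUOTES = "ENT_QUOTES"  # additionally escapes the single quote as &#039;


def htmlspecialchars(value: str, flags: str = ENT_COMPAT) -> str:
    """Model of PHP htmlspecialchars(); '&' must be replaced first."""
    out = (value.replace("&", "&amp;").replace("<", "&lt;")
           .replace(">", "&gt;").replace('"', "&quot;"))
    if flags == ENT_QUOTES:
        out = out.replace("'", "&#039;")
    return out


def render_profile_link(username: str, flags: str, quote: str = '"') -> str:
    """Constructed template (assumed, not Zoobar's markup): the username is
    reflected inside a quoted attribute value and again as the link text."""
    escaped = htmlspecialchars(username, flags)
    return f"<a href={quote}users.php?user={escaped}{quote}>{escaped}</a>"


class _TagCollector(HTMLParser):
    """Records every start tag and attribute name the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.attr_names: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)
        self.attr_names.extend(name for name, _ in attrs)


def stays_in_context(html: str) -> bool:
    """Defender's check: the fragment must parse as exactly one <a> whose only
    attribute is href. Any extra tag or attribute means the reflected value
    left its intended context, i.e. the escaping did not match the context."""
    parser = _TagCollector()
    parser.feed(html)
    parser.close()
    return parser.tags == ["a"] and parser.attr_names == ["href"]


if __name__ == "__main__":
    # Constructed usernames; the single-quote case only matters in a '-quoted attribute.
    for name in ['bob" data-x="1', "bob' data-x='1", "<b>bob</b>"]:
        for flags, quote in ((ENT_COMPAT, '"'), (ENT_COMPAT, "'"), (ENT_QUOTES, "'")):
            print(flags, quote, stays_in_context(render_profile_link(name, flags, quote)), repr(name))
```

In PHP 8.1 and later the default flags already include ENT_QUOTES; older releases escape only double quotes unless ENT_QUOTES is passed explicitly, so the template's quoting style decides whether the default is enough.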
The last two attacks are harder than the first three. We encourage you to start early!
Each attack is worth up to 4 points. The entire project will be graded out of 20.
Beware of Race Conditions: Depending on how you write your code, all five of these attacks could potentially have race conditions that affect the success of your attacks. Attacks that fail on the grader’s browser during grading will receive less than full credit. To ensure that you receive full credit, you should wait after making an outbound network request rather than assuming that the request will be sent immediately.
This is Project 2 from Stanford’s CS 155, Computer and Network Security. Thanks to Dan Boneh, John Mitchell, Collin Jackson, and the 155 TAs.