GT CS 6262: Network Security
Project 2: Advanced Web SecuritySummer 2023
We recommend the latest Google Chrome for this project!
Objectives1. Attack a web application by exploiting its XSS vulnerabilities to infect its users as persistently as
possible.2. Exploit the XSS to launch a social engineering attack to trick a simulated user to give up its
credentials.3. Understand cookie management and how to secure your cookies.
Due DateYou can find the due date and how to turn in your solution in the Canvas assignment.
BackgroundAs a student of CS6262, you are invited to join the web security club. This club has an official website forsharing information and resources. As a prospective member, you need to deliver a pen-testing report onthe website and provide patches on what you find as a qualification test first.
The website is not complicated. It is a simple Content Management System with several features enabled,e.g. text search, dark mode, rich text editor, etc.
The website is https://cs6262.gtisc.gatech.edu. It integrates the GT Single-Sign-On service, so please signin with your GT account and it will create a user for you.
Before getting your hands dirtyLet’s first have a feel of what the website looks like. When you type cs6262.gtisc.gatech.edu in yourbrowser (we recommend the latest Google Chrome), the image below is what you will get. It has two postsintroducing its features. In the following instructions, you will be guided through the whole project.
GT CS 6262: Network Security
1. Sign in first.a. Click “Sign in”, the blue button on the top right corner. It will redirect you to Georgia Tech’s login
page.b. After sign-in, you will be directed to the homepage. At the top right corner, you can see your
username and a dropdown list, which means you have successfully logged in. Read the post of”Dark Mode Goes Live” to figure out how to use the theme feature.
2. You should read all the existing posts to find clues of how to exploit the XSS vulnerabilities of thewebsite.
3. The “My writeups” tab will only return your submissions which can be used to see your submittedposts for task 4.
4. The “Console” tab is the testing tab that will help you simulate other users and admins, receivingmessages. And one task also resides in that page. This is useful when you need others to click on
GT CS 6262: Network Securityyour links.a. Message Receiver Endpoint
i. This section gives you an endpoint to send/receive messages. That is necessary for XSSattacks. Attackers usually steal cookies and send them to their endpoints. You shoulduse the “POST” method to send messages to this endpoint. To view the receivedmessages, click the link and refresh when you need to receive a new one.
ii. This endpoint will be used for task 4 and task 5.
b. The User/Admin instance's running status tells the current running admin role and user roles.You can at most create one admin role and one user role.
To trigger an XSS attack on the admin side, fill in the URL of your post and submit to the adminrole. It will create or override the current running browser instance, which means when it’smessed up, you can submit a URL to override the current one.
To trigger an XSS attack on other users’ sides, fill in the URL of your malicious payload. Theuser instances also override the current one when you submit new URLs.
The admin instance will be used for task 4 and task 5.2. The user instance will be used fortask 5.3.
c. The ReDoS section lets you practice application layer DoS.
i. The server is a simple username and password verification website. Your passwordshould not contain the username, the whole string.When you are able to launch theReDoS attack, another request to this page will not respond as it should in a very short
GT CS 6262: Network Securitytime interval. When your attack succeeds, you should be able to see a hash string in theresult area. Note that the hash string is correct only when it is under a ReDoS attack.
ii. Bear in mind that toggle the ReDoS heartbeat when you see a hash string so you cancopy and paste. Because the result is refreshed every 10 seconds.
iii. Check “Restart the ReDoS instance” to launch the ReDoS server again when you feel likethe server is not responding to your submission.
d. The Information Theft section will show an input box when you are able to log in as an admin.As a regular user, you won’t be able to see this form. So, there are two approaches to accessthis form. However, it might be easier to go for approach 2.
Here are the two approaches.i. Login as admin by stealing admin’s session cookie. Unfortunately, the session cookie is
protected by the httpOnly flag which makes it invisible to JS. You may find other ways tosteal this cookie. But, our server is well configured to prevent this.
ii. Post your username and submit the form directly as admin. The form is protected byCSRF. Think of ways to find out the endpoint to submit to, read the CSRF token and sendthe post request.
Tasks and Grading RubricNote: Fill up the questionnaire and submit required files onto GradeScope.
Task 1. Basic HTML and JavaScript Test (5%)1. In this section we will introduce a few basic HTML and JavaScript knowledge to help you with other
tasks. It is for practice purposes. There will be no points in this section.
1.1 DevToolsModern browsers will provide DevTools for front-end developers to debug and tune theperformance when developing a website. Attackers can also use these tools to explore and collectinformation. Open your Chrome and press F12 to open the developer console. DevTools will popup.Here you can run JavaScript in the console, view the source html of the webpage, capture thenetwork traffic, and other functionalities. Try to explore it by yourself.
1.2 console.log()console.log() is commonly used to print information into the console of the developer tools fordebugging purposes. Open the devTool and type console.log(“yourGTID”); You can see your GTID isprinted in the console.
GT CS 6262: Network Security1.3 setIntervalsetInterval is used to fire a function given a frequency. It will return an intervalID which can bepassed to clearInterval to cancel the interval.
Question: Given a variable var counter = 5, make use of setInterval and clearInterval to reduce thecounter to 0 in every second and then stop. You can run your code in devTools to verify.
var counter = 5;
// Your code below
1.4 setTimeoutsetTimeout will fire a function after the delay milliseconds. The function will only be fired once.Similarly you can use the returned timeoutID and clearTimeout to cancel the timeout.
Question: Given a variable var counter = 5, make use of setTimeout to reduce the counter to 0 inevery second and then stop. You can run your code in devTools to verify.
var counter = 5;
// Your code below
1.5 PromiseA Promise is an object used for async operations in JavaScript. There are three states in a Promiseobject: Pending, Fulfilled, and Rejected. Once created, the state of the Promise object is pending. Sothe calling function will not be blocked and continue executing. The Promise object will eventuallybe fulfilled or rejected. Then the respective resolve or reject function will be called. Below is anexample of a Promise. Before running the code, can you tell what the output would be? Can youexplain why?
let testPromise = new Promise((resolve, reject) => {
setTimeout(()=>resolve(“Promise resolved”), 1000);
})
testPromise.then(message => {
console.log(message);
})
console.log(“Calling function”);
2. In this section, we will ask you 5 questions related to HTML and javascript. Each questioncontributes 1% of the total score. Please fill in your answers in the provided questionnaire.
2.1 B) C) D) All of above
GT CS 6262: Network Security2.2 In order for the tag to open a new tab/window when clicked, what value should you setfor the target attribute? (The answer should only contain the value itself). This is necessary fortask 5.3.
2.3 You will see three alerts after running the code below. Put the output in sequence. Theanswer should be 3 numbers separated by commas with no space, e.g. 1,1,1. Think about whythat is the case. You will use this technique in task 5.2.
for (var i = 0; i < 3; i++) {
const promise = new Promise((resolve, reject) => {
setTimeout(resolve, 1000 + i*1000)
});
promise.then(() => alert(i));
}
2.4 Which of the following can set jsScript as a string variable correctly? Understanding howHTML code is parsed is important. This question is related to task 3.
A) B) 'C) 'D) None of above
2.5 fetch is an Application Programming Interface (API) which makes use of promises to sendweb requests. It is supported by most major web browsers. Study the use of fetch API and try tomake a POST request to your Message Receiver Endpoint with the payload body being{“username”: “your-GT-username”}, e.g. {“username”: “abc123”}. Then, check yourmessage receiver endpoint again using your browser to see the response. It will be a hashstring. Copy this string into the questionnaire.
FAQQ. I submitted the hash I received from my endpoint, but the autograder said it was incorrect.What should I do?Please make sure that you have correctly set your username in the questionnaire.
Task 2. Exploit the Reflected-XSS (10%)Find where to exploit a reflected XSS and fill in the questionnaire URL by visiting which an alert shouldtrigger.
Concept ReviewReflective XSS is an attack where a website does not return requested data in a safe manner.Reflective is generally an XSS attack where the attacker sends the victim a link to a reputable website. BUT,this link contains malicious javascript code. For example,https://www.facebook.com/login?username=username&password=passwordIf the website returns the data in an unsafe manner (does not sanitize the output) and the victim clicks onthis link, then the malicious code will be executed in the context of the victim’s session.
RequirementsThe content of the alert doesn’t matter. For example,
GT CS 6262: Network Securityhttps://cs6262.gtisc.gatech.edu/endpoint…yourpayload is what you need to fill in the questionnaire.
The autograder will visit your URL. If it detects an alert, then you will receive full credit.
Tips1. You don’t need to log into the website to find this vulnerable point and exploit it.2. All inputs are malicious! Look for where you can type and try it with some alerts.
Deliverables1. A URL that includes the vulnerable endpoint and your alert payload.2. The alert should show the domain as below.
Rubric
Your URL is able to trigger an alert 10%
Your URL fails to trigger an alert 0%
Task 3. Evolve to Persistent Client Side XSS (15%)After finding the exploitable place from task 2, you understand you can infect others by sending them links.But sending links is costly and people may not click on them every time.
Therefore, instead of sending a link required in task 2, you find you can actually modify the payload and letthe payload live in this web app forever. As long as a user clicks on the link you send once, she is infectedpersistently unless the payload is cleared.
Concept ReviewAfter learning some types of XSS, you may think how I can make my attack as persistent as possible onthe client's side if the website doesn’t have a Stored-XSS vulnerability exposed to regular users.
As Web technology evolves, more and more applications start to focus on user experience. More and moreweb applications, including cross platform Electron applications, are taking over desktop applications.Some user's non-sensitive data is now stored on the client-side, especially the look and feel preferences ofan application, to let the App load faster by remembering the user's preferences without passing backsmall data chunks.
(You can learn more how prevalent this unsafe design is nowadays by reading the paper Don't Trust TheLocals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild)
Then, the variable is read by an unsafe sink, e.g. eval, element.innerHTML(data). Inspect what is storedlocally for the web application, cs6262.gtisc.gatech.edu, and how it is used.
Tools you may need:- F12 on the keyboard and go to Application tab to inspect the Storage as highlighted below
GT CS 6262: Network Security
— The Application tab provides you with a quick look at what local data is stored. That includes local
storage, cookies, etc.- The Sources tab provides you with static resources, like scripts, HTML, and CSS files. That is the
place you should focus on debugging JS code.
RequirementsNow, modify the payload in the link from task 2 and fill the updated URL in the questionnaire.
The autograder will first visit your URL (NO alert should pop up at this point). Then, it would close the pageand reopen to trigger your payload to run (One alert should pop up). Next, it refreshes the page withoutretriggering your payload (Another alert should pop up). Again, it should detect the alert twice. It shouldnot pop up an alert by only visiting your URL. (Namely, the alert should be triggered when the victim visitsany page on this website after reopening.)
Tips1. Read the post “Dark Mode” on the website.2. You may need to log into the website to find the vulnerable point and exploit it. More details are
described on the website.3. The vulnerability is exploitable even if the victim has not logged in.4. In this task, you don’t need to submit a post yet, which is for task 4.5. The default dark mode style sheet is “https://bootswatch.com/4/cyborg/bootstrap.min.css”. You
can reset it if you feel the website is messed up. Or, you can go to the Applicationtab->Application->Storage->Clear site data to reset everything.
Some more Tips
1. Your URL should NOT trigger any alerts when visiting it directly. And, you don’t need to trigger yourpayload to execute in your exploit code. The autograder will do that for you. This task is tryingNOT to draw the user’s attention (e.g. popups, alerts, and theme changing) when the user clicks onyour URL. The alerts are for grading purposes.
2. If your payload doesn’t work when you think it should, you can inspect the HTML element it createsand see if there’s anything incomplete. Look for where it is consumed. You can set a debugger tostep through the execution. https://www.w3schools.com/js/js_strings.asp may give a hint forthose who cannot fix the syntax error of your payload.
3. Remember to leverage task 2's result to inject your payload. When the page reloads, your payloadcan be read and executed.
Deliverables1. A URL that includes the vulnerable endpoint and your malicious payload.
GT CS 6262: Network Security
Rubric
1. Your URL is able to trigger an alert after reopen 7%
2. Your URL is able to trigger an alert after refresh 8%
Task 4. Exploit the Stored-XSS (20%)The website, https://cs6262.gtisc.gatech.edu, allows users to create articles. As a user, one needs tosubmit the post to a moderator who is the admin of the website for approval. This might be an interestingpoint to investigate whether you can inject something so when the admin is reviewing your post, therebyyou can hijack the admin’s login session. This website uses a rich text editor which not only enables styledcontent but sanitizes the user's input while preserving its style.
In this task, you will submit a post with an injected payload that launches XSS attached to an admin user.Then, you need to steal some information that is only visible to an admin.
Concept ReviewStored XSS is an attack where a website does not store data in a safe manner. An attacker could thenstore malicious code within the website's database. Said code could be executed whenever a user visitsthat website. So, a post for an admin’s approval seems like something you will be interested in. If you cansteal the admin’s login session cookie, you can login as her to see what she can see.
Recall from the lecture that when a cookie has httpOnly, it is not exposed to the document object. Thiscookie cannot be accessed by JavaScript. What would you need to do to read information out as thecookie’s owner?
This httpOnly flag is a good way to prevent JavaScript from reading sensitive cookies. However, it doesn’tmean it can mitigate XSS attacks. Attackers, having malicious scripts running in the victim’s browser, arestill able to send requests and forward the responses to themselves.
Even though the website is protected by CSRF tokens, attackers can still manage to post maliciouspayload pretending to be the user.
Requirements1. Exploit the rich text editor to inject another XSS payload. Such payloads should NOT trigger an alert
for a successful exploit. Your payload SHOULD set a global variable window.gotYou=true for theautograder to read.
2. You will steal admin’s cookies such that you can log in as admin to generate your unique hashstring. Or, if you cannot steal the session cookie, you need to find a workaround to get the hash still.You will need to use the Message Receiver Endpoint to receive the stolen information.
3. Please DO NOT put any comments in your final code submission.4. Please put a semicolon at the end of each statement.
Workflow1. Log into the website with your own credentials.2. Inspect your session cookie to check if it has httpOnly set.
a. If not, an XSS payload can steal it, so you can log into the website as another one.b. If yes, you need to find another way to get the hash.
3. Create a new post and find the vulnerable point of the editor. The editor has two modes.a. “What you see is what you got” mode. Try to type in some inputs and see how the editor deals
with them.
GT CS 6262: Network Securityb. “Code editing” mode. Try to type in some JS code with