
[SOLVED] Cs6035  web security fall24


Web Security Project

Learning Goals of this Project:
You will be learning about modern web based security vulnerabilities in this project. A majority of the attacks are based on the OWASP Top 10 list which is produced and updated every few years.

In particular we will cover these learning topics:

The final deliverables:
A single JSON formatted file will be submitted to Gradescope. See Submission Details for more information.

Important Reference Material:

Submission:
Gradescope (autograded) – see Submission Details

1 of 2      11/17/2024, 10:34 AM Web Security | CS 6035            https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Proj…

Virtual Machine:
Apple M1 based systems
You cannot complete this project on an M1 based system.
Intel/AMD x64 version

TABLE OF CONTENTS
Project Background
Flag 1
Flag 2
Flag 3
Flag 4
Submission

Project Background

BACKGROUND:
Welcome to the GA Tech bookstore website. It’s a place where you can read and review all of the classics. The creators of the website were pretty junior but ambitious. They created the website in only 2 days! They knew a few things about security and did their best but left some vulnerabilities behind. Your job is to seek these out and find the problems.

SETUP:
To get set up for the flags, carefully follow the steps below.
Log into the VM with the websec user. The password should be in Canvas.
Run this at the terminal to start the Bookstore Website:
./StartContainer.sh
http://localhost:7149/database

TESTING:
You will need to execute a StudentGrader script to test your exploits for all flags. The StudentGrader is a script that will

a Here is a link just in case you’re interested in learning more about the Selenium Chrome driver. Understanding this is not required to be successful on this project.
b Chrome Driver Docs

Run this at the terminal to test your exploit for a flag:
./StudentGrader.sh --flag X --gaTechId Y --filePath Z

Here are the valid parameters for the StudentGrader script

Flag 1

You’ve stumbled upon a publicly available web page that is not finished. It seems like the developers are still working on it but somehow published it to production by accident. The page does not have a link in the main menu so the developers thought no one would find it. Challenge accepted!

Download the required starter template from the VM using Chrome here:

To earn your flag you must alter the template so that it performs these steps when you open it in a browser or run it using the grader:

3. In the getStudentAnswers function, write JavaScript code to programmatically fetch the following values and set them to the provided variables:
• The value provided in the Organization text box
• The radio button value selected in the “Please reply by” section
• The value of the session storage with key = “contactedBefore”

HINTS:
• Often times, websites will publish sitemaps that contain page URLs. Hint: find and inspect the sitemap contents.
• Are you using AJAX to fetch server content? You’re headed down a wrong path. Examine ALL JavaScript available to the page and use this hint from above to continue forward: “fetch the server content”.
• Use the Chrome dev tools to Inspect html elements. The “Elements” tab shows a graph of the entire html dom
• The Network tab allows you to see the raw http requests between the browser and server
• Do not hard code any values except the cookie name and value detailed above. We check for this in your file and it will fail the grader.
• Getting Selenium errors about missing content? Try to open the file directly in Chrome and look for errors in the console.

FLAG TESTING:
To test your flag1.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID.
websec@cs6035:~$ ./StudentGrader.sh --flag 1 --gaTechId 923456789 --filePath /home/websec/Desktop/flag1

Your web output will look similar to this:

The grader from the output will look similar to this. Copy the flag to flag1 in project_websecurity.json.

Flag 2

Congratulations, you’ve made it this far! Now you’ve noticed some strange behavior. You were experimenting with reviews and found you can post basic html tags and images in the reviews!

The developers of the site wanted reviews to be a rich user experience and not just plain text. With great power comes great responsibility though. You’ve found a way to nefariously inject code that runs when any victim loads a page with your exploited review.

This flag will introduce you to the basics of XSS (Cross-Site Scripting) attacks. Specifically you’ll leverage these:

Download from the WebSec VM the required starter template here:

To earn your flag you must alter the template so that it performs these steps when you open it in a browser or run it using the grader.

1. Create a nefarious review for the book Hamlet:
2. The review should contain a script that you craft. This script will execute anytime the review loads in a browser. It will execute for anyone and everyone, very dangerous! You are not a bad hacker out to make money so you only want to make an example and not do real damage.
the text).

[Screenshots: Site With Original Text, Site With Text Replaced]

Note: Your script must not change the structure of the “h5” tag. Only replace the text contained within the “h5” tag.

After creating the review with the nefarious code, your file must redirect (load) the details page for Hamlet.

HINTS:
• Tackle the problem in small parts and then layer in complexity. You can test some of your code exploits directly in the bookstore website before compiling it into the template
• There are some features in React that should set off red flags.
  Ex: https://legacy.reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml
• Use the Chrome dev tools to watch what happens outside of an attack. The Network tab should give clues. The “Preserve Log” checkbox is your friend.
• You will need to write JavaScript. Some of this code will execute immediately in your flag2.html file while the remaining part of the code should not be executed but instead be injected into the review somehow to run later.
• The developers knew about XSS and put some protections in place. It would be helpful to find and understand this as you may need to defeat it.
• You may need to reset the database from time to time to start with a clean slate. Be sure to follow the steps in the Setup section above to complete this.

FLAG TESTING:
To test your flag2.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID.
websec@cs6035:~$ ./StudentGrader.sh --flag 2 --gaTechId 923456789 --filePath /home/websec/Desktop/flag

Note: The grading script will reset the database before it executes your file. Be prepared as any data you have created will be lost.

Your web output will look similar to this:

The grader from the output will look similar to this. Copy the flag to flag2 in project_websecurity.json.

Flag 3

Malicious user input can be provided using the same techniques, but through different attack vectors. You’ve already persisted malicious data in a review and want to see if there are any other areas of the site that are susceptible to data manipulation. Using your newly acquired XSS skills, you go hunting for more ways to perform this method of attack.

In order to successfully exploit another XSS attack, you will need to figure out another way the site accepts user input and employ a similar technique to perform what’s called a reflected XSS attack. This means the XSS code does not reside in the webpage and does not persist, but is malicious code input in the request and returned in the response.
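
From the defending side, reflected input is made inert by encoding it for the context it is written into. The following is an added example, not code from the bookstore site or the course: a page that echoes a query in a vulnerable and a hardened form, plus a regression check that uses a harmless marker. All function names and the page markup are assumptions.

```javascript
// Added example: hypothetical renderers for a page that echoes user input.

// Encode the characters that are significant in HTML text and in
// quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable form: the query is concatenated into markup unchanged, so any
// markup in the request comes back as markup in the response.
function renderSearchVulnerable(query) {
  return `<p>Results for ${query}</p><input name="q" value="${query}">`;
}

// Hardened form: every place the query is reflected is encoded first.
function renderSearchHardened(query) {
  const safe = escapeHtml(query);
  return `<p>Results for ${safe}</p><input name="q" value="${safe}">`;
}

// Regression check for a test suite: submit a constructed marker that
// contains HTML metacharacters and count how many times the response
// reflects it without encoding. Zero is the only acceptable result.
const PROBE = `zq7<i data-x="1'>`; // constructed, harmless marker

function countUnencodedReflections(render) {
  return render(PROBE).split(PROBE).length - 1;
}

function audit() {
  return {
    vulnerable: countUnencodedReflections(renderSearchVulnerable),
    hardened: countUnencodedReflections(renderSearchHardened),
  };
}
```
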
You notice there is a page that allows the user to search for a book and wonder if this page can be exploited.

Your goal is to display a javascript alert containing the text CS6035 on the search page.

You can use the same XSS resources from the previous flag in addition to reflected XSS resources:

Download from the WebSec VM the required starter template here:

Earn this flag by performing the following steps:

HINTS:

FLAG TESTING:
A successful attack looks similar to this screenshot:

To test your flag3.html file and receive the flag, run this command at the command line:
websec@cs6035:~$ ./StudentGrader.sh --flag 3 --gaTechId 923456789 --filePath /home/websec/Desktop/flag

The grader from the output will look similar to this. Copy the flag to flag3 in project_websecurity.json.

Flag 4

Congratulations on reaching this stage! You’ve already navigated through various challenges, and now it’s time to delve into the intricacies of Cross-Site Request Forgery (CSRF) attacks. CSRF is a type of attack that tricks a user into submitting a request to a web application where they are authenticated without their knowledge or intent. This can lead to unauthorized actions being performed on behalf of the user.

For further exploration and a deeper understanding of CSRF and its prevention, consider the following resources:

You’ve learned of a vulnerability that exists on the bookstore website. It appears you can craft an html file that resets a user’s password to one of your choosing when they open it. You plan to embed this file in an email and see who actually clicks on it.
They’ll never know!

Download from the WebSec VM the required starter template here:

You must reset an unsuspecting user’s password to TheGreyGoose21
Note: You will not know who the user is so your crafted html file should work for any user of the website.

Earn this flag by performing the following steps:

3. The new tab will open and automatically reset the user’s password to TheGreyGoose21

Hints:
• Use Chrome dev tools to watch what happens outside of an attack. The Elements, Sources, and Network tab should be helpful.
• The developers knew about CSRF and put some protections in place. Understanding where these protections are and how they work is the key to exploiting them.
• You may need to reset the database from time to time to start with a clean slate. Be sure to follow the steps in the Setup section above to complete this.
• Be sure to pass the GTID as a string and not an int

FLAG TESTING:
To test your flag4.html file and receive the flag, run this command at the command line:
websec@cs6035:~$ ./StudentGrader.sh --flag 4 --gaTechId 923456789 --filePath /home/websec/Desktop/flag

The grader from the output will look similar to this. Copy the flag to flag4 in project_websecurity.json.
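
What a sound CSRF defense on a password-reset endpoint checks, as an added example that is not the bookstore's code: a token tied to the session by an HMAC, compared in constant time, together with an Origin check. The handler, the request shape, the field names and the site origin are assumptions, and the requests are constructed.

```javascript
// Added example: hypothetical server-side handler, not the project's code.
const crypto = require("crypto");

const SERVER_KEY = crypto.randomBytes(32);   // secret that never leaves the server
const SITE_ORIGIN = "http://localhost:7149"; // assumed origin of the site

// Token = HMAC(server key, session id): unique per session, and neither
// computable nor readable by a page served from another origin.
function issueCsrfToken(sessionId) {
  return crypto.createHmac("sha256", SERVER_KEY).update(sessionId).digest("hex");
}

// Constant-time comparison; a length mismatch is rejected before comparing.
function tokenMatches(sessionId, presented) {
  const expected = Buffer.from(issueCsrfToken(sessionId));
  const got = Buffer.from(String(presented ?? ""));
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// The session cookie alone is never enough to change state.
function handlePasswordReset(req) {
  if (req.method !== "POST") return { status: 405, reason: "method" };
  if (!req.sessionId) return { status: 401, reason: "no session" };
  if (req.origin !== SITE_ORIGIN) return { status: 403, reason: "origin" };
  if (!tokenMatches(req.sessionId, req.body?.csrfToken)) {
    return { status: 403, reason: "csrf token" };
  }
  return { status: 200, reason: "password changed" };
}

// Constructed requests: the site's own form, then two forged submissions.
function demo() {
  const sid = "session-of-logged-in-user";
  const body = { newPassword: "example-value" };
  return [
    handlePasswordReset({ method: "POST", sessionId: sid, origin: SITE_ORIGIN,
                          body: { ...body, csrfToken: issueCsrfToken(sid) } }),
    // The browser attached the session, but the foreign page has no token.
    handlePasswordReset({ method: "POST", sessionId: sid, origin: "null", body }),
    // A token minted for a different session must not validate.
    handlePasswordReset({ method: "POST", sessionId: sid, origin: SITE_ORIGIN,
                          body: { ...body, csrfToken: issueCsrfToken("other-session") } }),
  ].map((r) => r.status);
}
```
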
