BACKGROUND:

Welcome to the GA Tech bookstore website. It’s a place where you can read and review all of the classics. The creators of the website were pretty junior but ambitious. They created the website in only 2 days! They knew a few things about security and did their best but left some vulnerabilities behind. Your job is to seek these out and find the problems.

SETUP:

To get set up for the flags, carefully follow the steps below. Log into the VM with the websec user.

The password should be in Canvas.

Run this at the terminal to start the Bookstore Website

./StartContainer.sh

• Throughout the project you should only use Chrome. No other browsers are supported for the student grader. Don’t attempt to update/reinstall the Chrome Browser.
• Navigate to this URL using Chrome within the VM to access the Bookstore Website: http://localhost:7149/
• There is one registered user in the database. You can log in as this user as needed. You can log out by closing the Chrome window.
• GTID: Your assigned GTID# (e.g. 923456789)
• Note: This field will remain the same for the entire project.
• See the Required Reading page to get your GTID.
• Username: ilovetoread
• Password: TheGreatGatsby123
• The Bookstore Website uses a database to store data. In some cases you may find the need to reset this database. There are also times when the student grader will reset the database before running your exploit. To do this manually navigate to this URL and click the button to reset the database:
• http://localhost:7149/database

TESTING:

You will need to execute a StudentGrader script to test your exploits for all flags. The StudentGrader is a script that will

• Launch the html file that you craft for your flag.
• On some flags the Bookstore Database will be reset automatically.
• Use the Selenium Chrome Driver to test and assert that your exploit worked correctly.
  • Here is a link just in case you’re interested in learning more about the Selenium Chrome driver. Understanding this is not required to be successful on this project.
  • Chrome Driver Docs
• If successful, it will return your flag.

Run this at the terminal to test your exploit for a flag

./StudentGrader.sh –flag X –gaTechId Y –filePath Z

Here are the valid parameters for the StudentGrader script

You will be learning about modern web based security vulnerabilities in this project. A majority of the attacks are based on the OWASP Top 10 list which is produced and updated every few years.

In particular we will cover these learning topics:

• Basic web technologies, HTML, CSS & JavaScript
• The HTTP protocol
• XSS (Cross-Site Scripting) Attacks
• XSRF (Cross-Request Forgery)
• SQLi (Sql Injection Attacks)
• Mis-configuration of server side web servers
• Client-side JavaScript library vulnerabilities

The final deliverables:

A single JSON formatted file will be submitted to Gradescope.

See Submission Details for more information.

Important Reference Material:

• Representational State Transfer
• JSON
• Eloquent Javascript
• HTML Forms

Virtual Machine:

• Apple M1 based systems
• You cannot complete this project on an M1 based system.
• Intel/AMD x64 version

TABLE OF CONTENTS

• Project Background
• Flag 1
• Flag 2
• Flag 3
• Flag 4
• Flag 5
• Flag 6
• Submission

Flag 1: Web Intro – 15 Points

You’ve stumbled upon a publicly available web page that is not finished. It seems like the developers are still working on it but somehow published it to production by accident. The page does not have a link in the main menu so the developers thought no one would find it. Challenge accepted!

• This flag will introduce you to the very basics of web development technologies and tools for debugging. Specifically you’ll leverage these:
• Html Forms
• JavaScript Events
• CSS Selectors
• Cookies
• The Chrome Developer Tools

Download the required starter template from the VM using Chrome here:

• Flag 1 Template

To earn your flag you must alter the template so that it performs these steps when you open it in a browser or run it using the grader:

• Find the Contact Us web page. Remember that you won’t find a link in the main navigation.
• Now that you have the URL to the Contact Us web page you need to “fetch the server content” in the flag1.html file.
  • Double click to open flag1.html in Chrome
  • Launch the Chrome developer tools using the menu in Chrome
  • Do some independent research on how you may find and look at JavaScript code using the Chrome developer tools
  • Write some JavaScript code in your flag1.html file to load up the Contact Us page.
• In the getStudentAnswers function, set var selectedReplyByValue = “Cell”;
• In the getStudentAnswers function, write JavaScript code to programmatically fetch the following values and set them to the provided variables:
  • The value provided in the Organization text box
  • The value of the session storage with key = “contactedBefore”
• The Contact Us web page sets one or more cookies. Unfortunately, it won’t show up for you to access using JavaScript. That won’t stop you from learning the value. Use the Chrome Dev tools to search for http requests and find the cookie name and value set by the Contact Us web page. Assign these to the variables provided in flag1.html as hard-coded strings. Note: There may be more than one cookie so find the one that is actually set by the Contact Us page or simply try all values by trial and error.
  • While copying the cookie Value make sure you have the Show URL-decoded option checked
• Events are an extremely important concept to understand when working with websites. They allow you to execute code at a later time when something interesting happens.
  • Write code that will set the City text input to Seattle and the State text input to Washington
  • Somehow delay this code so that it only executes when the submit button at the bottom is clicked.
  • Note: We’re not asking you to click the button either using code or manually on the webpage.

HINTS:

• Often times, websites will publish sitemaps that contain page URLs. Hint: find and inspect the sitemap contents.
• Are you using AJAX to fetch server content? You’re headed down a wrong path. Examine ALL JavaScript available to the page and use this hint from above to continue forward: “fetch the server content”.
• Use the Chrome dev tools to Inspect html elements. The “Elements” tab shows a graph of the entire html dom
• The Network tab allows you to see the raw http requests between the browser and server
• Do not hard code any values except the cookie name and value detailed above. We check for this in your file and it will fail the grader.
• Getting Selenium errors about missing content? Try to open the file directly in Chrome and look for errors in the console.

FLAG TESTING:

To test your flag1.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID.

./StudentGrader.sh –flag 1 –gaTechId 923456789 –filePath /home/websec/Desktop/flag1.html Your web output will look similar to this:

 

Flag 2: XSS Part I – 20 Points

Congratulations, you’ve made it this far! Now you’ve noticed some strange behavior. You were experimenting with reviews and found you can post basic html tags and images in the reviews! The developers of the site wanted reviews to be a rich user experience and not just plain text. With great power comes great responsibility though. You’ve found a way to nefariously inject code that runs when any victim loads a page with your exploited review.

This flag will introduce you to the basics of XSS (Cross-Site Scripting) attacks. Specifically you’ll leverage these:

• OWASP XSS Page
• Types of Cross Site Scripting
• Wikipedia XSS Page

Download from the WebSec VM the required starter template here:

• Flag 2 Template

To earn your flag you must alter the template so that it performs these steps when you open it in a browser or run it using the grader.

• Create a nefarious review for the book Hamlet:
  • The title of the review should be “I bet some cookies may be at the top”
  • The rating should be 3
  • Recommended should be true
  • The reviewer should be your GTID (ex: 923456789)
• The review should contain a script that you craft. This script will execute anytime the review loads in a browser. It will execute for anyone and everyone, very dangerous! You are not a bad hacker out to make money so you only want to make an example and not do real damage.
  • The script must print out all of the site cookies to the user’s screen. To do this, your code must replace the text “Welcome to the Georgia Tech Bookstore. Here you will find the classics.” with the cookie contents (There could be one or more cookies that replace the text).

Site With Original Text

Site With Text Replaced

• Note: Your script must not change the structure of the “h5” tag. Only replace the text contained within the “h5” tag.
• After creating the review with the nefarious code, your file must redirect (load) the details page for Hamlet.

HINTS:

• Tackle the problem in small parts and then layer in complexity. You can test some of your code exploits directly in the bookstore website before compiling it into the template
• There are some features in React that should set off red flags. Ex: https://legacy.reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml
• Use the Chrome dev tools to watch what happens outside of an attack. The Network tab should give clues. The “Preserve Log” checkbox is your friend.
• You will need to write JavaScript. Some of this code will execute immediately in your flag2.html file while the remaining part of the code should not be executed but instead be injected into the review somehow to run later.
• The developers knew about XSS and put some protections in place. It would be helpful to find and understand this as you may need to defeat it.
• You may need to reset the database from time to time to start with a clean slate. Be sure to follow the steps in the Setup section above to complete this.

FLAG TESTING:

To test your flag2.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID.

./StudentGrader.sh –flag 2 –gaTechId 923456789 –filePath /home/websec/Desktop/flag2.html

Note: The grading script will reset the database before it executes your file. Be prepared as any data you have created will be lost.

Your web output will look similar to this:

Flag 3: XSS Part II – 15 Points

Malicious user input can be provided using the same techniques, but through different attack vectors. You’ve already persisted malicious data in a review and want to see if there are any other areas of the site that are susceptible to data manipulation. Using your newly acquired XSS skills, you go hunting for more ways to perform this method of attack.

In order to successfully exploit another XSS attack, you will need to figure out another way the site accepts user input and employ a similar technique to perform what’s called a reflected XSS attack. This means the XSS code does not reside in the webpage and does not persist, but is malicious code input in the request and returned in the response. You notice there is a page that allows the user to search for a book and wonder if this page can be exploited.

Your goal is to display a javascript alert containing the text CS6035 on the search page.

You can use the same XSS resources from the previous flag in addition to reflected XSS resources:

• PortSwigger Reflected XSS
• OWASP Reflected XSS

Download from the WebSec VM the required starter template here:

• Flag 3 Template

To earn this flag by performing the following steps:

• Examine the search page.
• Find a way to pop up a javascript alert containing the text CS6035.
• Add your code to the input of the flag 3 template.
• Launch the template which should auto-submit to the search page and perform the attack.

HINTS:

• The search result may be returned after the page is loaded which means you may not be able to inject a script that relies on the loading phase of the document object model (DOM). Find other elements and script techniques to inject after page load.

https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/Web_Security/Flag3.html               1/2 2/17/25, 2:35 AM               Flag 3 | CS 6035

FLAG TESTING:

To test your flag3.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID.

./StudentGrader.sh –flag 3 –gaTechId 923456789 –filePath /home/websec/Desktop/flag3.html Your web output will look similar to this:

Flag 4: CSRF – 20 Points

Congratulations on reaching this stage! You’ve already navigated through various challenges, and now it’s time to delve into the intricacies of Cross-Site Request Forgery (CSRF) attacks. CSRF is a type of attack that tricks a user into submitting a request to a web application where they are authenticated without their knowledge or intent. This can lead to unauthorized actions being performed on behalf of the user.

For further exploration and a deeper understanding of CSRF and its prevention, consider the following resources:

• Portswigger CSRF
• Cross Site Request Forgery (CSRF) – OWASP Foundation
• Cross-Site Request Forgery Prevention – OWASP Cheat Sheet Series
• Wikipedia CSRF

You’ve learned of a vulnerability that exists on the bookstore website. It appears you can craft an html file that resets a user’s password to one of your choosing when they open it. You plan to embed this file in an email and see who actually clicks on it. They’ll never know!

Download from the WebSec VM the required starter template here:

• Flag 4 – Template

You must reset an unsuspecting user’s password to HanSolo77 Note: You will not know who the user is so your crafted html file should work for any user of the website.

Earn this flag by performing the following steps:

• Log into the book store website using the account we provided earlier in the project description
• Note: If you don’t understand why logging in ahead of time is required, be sure to read more about CSRF attacks.
• Launch your crafted flag4.html file by double clicking in a new tab
• The new tab will open and automatically reset the user’s password to HanSolo77
  • Note: The file must auto-submit. The autograder will not click any buttons you may have put on flag4.html

Hints:                                                                                                                                

• Use Chrome dev tools to watch what happens outside of an attack. The Elements, Sources, and Network tab should be helpful.
• The developers knew about CSRF and put some protections in place. Understanding where these protections are and how they work is the key to exploiting them.
• You may need to reset the database from time to time to start with a clean slate. Be sure to follow the steps in the Setup section above to complete this.
• Be sure to pass the GTID as a string and not an int

FLAG TESTING:

To test your flag4.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID.

./StudentGrader.sh –flag 4 –gaTechId 923456789 –filePath /home/websec/Desktop/flag4.html Your web output will look similar to this:

Flag 5: Bypass Permissions – 15 Points

The developers built an Admin page for power users of the site. Obviously, they couldn’t just let everyone have access to this page so they built a simple RBAC (Role-based access control) system and put it into place. Unfortunately for them, they didn’t do the best job of building these permissions and it can be bypassed! Your job is to bypass any security checks and gain access to this Admin page.

The Admin page can be accessed by clicking the link at the top right of the page. In order for this to work correctly in your html file, you may need to write a little JavaScript and find a place where this can be XSS injected. Knowing these developers, I bet they left some clues. Maybe some files they should have removed before production.

Download from the WebSec VM the required starter template here:

• Flag 5 – Template

To earn your flag you must alter the template so that it performs these steps when you open it in a browser or run it using the grader:

1 Bypass all permissions checks and open the Admin page fully loaded a Note: You must do all of this in the html template and it must automatically load/open the page

b The URL must start with http://localhost:7149/admin

Hints:

• You need to investigate and find out how the Admin page is being protected. The Chrome developer tools are where you’ll find this.
• The Admin page may shed some light with its security messages. The message may change depending on the state of the site.
• Try to bypass the checks before constructing your html file.
• You’ll likely need to do some script injection in order to defeat the security checks. Follow the hints above closely, “remove before production”.

https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/Web_Security/Flag5.html               1/2 2/17/25, 2:36 AM               Flag 5 | CS 6035

FLAG TESTING:

To test your flag5.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID.

./StudentGrader.sh –flag 5 –gaTechId 923456789 –filePath /home/websec/Desktop/flag5.html Your web output will look similar to this:

Flag 6: CORS – 15 Points

Congratulations on making it this far! You’ve already overcome several obstacles, and now it’s time to dive into Cross-Origin Resource Sharing (CORS). CORS is a security feature in web browsers that allows applications to request resources from domains other than the one hosting the application.

To complete this task, we’ll be working with a different flavour to CORS. Specifically, we will explore how CORS can limit the type of requests that can be made and how expanding on the allowed access control methods will help accomplish this task.

Download the required starter template here:

• Flag 6 – Template

Your goal is to update the title of book 6 to “Let the fun begin!” and redirect to its Detail View. This needs to be done using JavaScript only. Use this endpoint to make the update:

PUT api/book/{bookId}

Body:

{

“newTitle”: “Title 2” }

Did the attempt fail? Investigate and troubleshoot—think about what might have gone wrong.

Ensure your script addresses the issue and updates the book title. Once you’ve successfully updated the book title, submit the script and earn your flag!

Hint:

• Use Chrome dev tools to watch what happens outside of an attack. The Console and Network tab should be helpful.
• Go to the Book Detail page and check the Network Tab in your browser’s developer tools.

Identify an endpoint that can assist you in configuring the CORS allowed methods.

FLAG TESTING:

https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/Web_Security/Flag6.html               1/2 2/17/25, 2:36 AM               Flag 6 | CS 6035

To test your flag6.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID.

./StudentGrader.sh –flag 6 –gaTechId 923456789 –filePath /home/websec/Desktop/flag6.html Your web output will look similar to this:

The grader from the output will look similar to this. Copy the flag to flag6 in project_websecurity.json.

Disclaimer: You are responsible for the information on this website. The content is subject to change at any time. © 2024 Georgia Institute of Technology. All rights reserved.

https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/Web_Security/Flag6.html                                                                       2/2