[SOLVED] Cs6264 project 6: web security fall25

Table of contents

Disclaimers

Objectives

Checklist of Downloaded Project Files

Tasks

Role 1  Attacker 45%

Task 1.1 Exploit Discovery 15%

Task 1.2 Compromise 30%

Role 2  Forensics Investigator 55%

Task 2.1 Auditor Tool Development 25%

Task 2.2 Attack Investigation 30% Submission

We are always looking to improve our homework assignments. If you see any errors, whether they are grammatical or technical, please report them on Ed Discussion. If anything is not clearly stated, please contact the TAs.

With this project, you will be able to understand the big picture of how common web attacks can happen in the real world by playing two roles typically involved in the attack:

 Attacker👿

Understand the concept of code injection and its potential impact on a web server.

Be able to compromise a web server by exploiting a code injection vulnerability and inserting attack payloads into websites.

Be familiarized with the use of browser exploitation framework beef.

Understand how common web attacks (e.g., phishing, drive-by download, page redirection) work.

 Forensic Investigator🕵🏼‍♀️

Understand and be able to develop auditing tools for Chrome browser through Chrome DevTools Protocol to log browser activities.

Be able to construct causality graphs through neo4j based on logs collected.

Be able to write neo4j queries to identify attacks based on their patterns in the causality graph.

 _auditor The code template you will work on.

 assignment_questionnaire.txt The questionnaire where you put your answers.

Role 1 – Attacker (45%)

During reconnaissance, you found the following information.

Your opponent Bob hosts his websites on a cloud server.

The service provider runs all the customersʼ services on the same server with no isolation (which is a bad practice!!!.

Another web service running by the service provider, named Microweber, has a known code injection vulnerability.

With these insights, you made a smart plan to mess with Bob and his clients.

Purchase a membership from the service provider to use the Microweber service, disguising yourself as a legitimate customer.

Exploit the known code injection vulnerability to take control of the server.

Insert malicious scripts into HTML files of Bobʼs websites stealthily to mess up with Bobʼs clients.

In this way, from the affected clientsʼ point of view, the attacks are from Bobʼs website. As a result, Bobʼs reputation gets undermined, and he loses clients as time goes by.

Without further due. Letʼs get started!

After you have got the membership, you are permitted to register as an admin to further use the Microweber service.

 Open the project page: https://cs6264.gtisc.gatech.edu/  Log in with your GT account from the top right corner.

 Click on the start button and you will see two docker containers started for you.

Note: if later you accidentally crash the services (likely to happen when you test out your code injection w/ illegal payload), you can always come back to this page, stop and start the services again to get a fresh environment.

 Enter the Microweber, scroll all the way down, register a Microweber admin account (any credential is fine), and hit Install.

 It will take a little time for the installation to complete.

 Once installation is done, you will see your admin console page. Now itʼs time to exploit!

Background

 It is common for websites to take user inputs, store them in the database, and use them later. A simple example is an online service that:

a Takes your username during registration

b Stores the username you submitted in the database. c Retrieves the username from the database to display it on your profile page when you log in.

What happens under the hood is that when you log in after registration, before the server delivers your profile page, it first constructs your profile page by dynamically filling the value of the username field in a profile page template with your username retrieved from the database.

 The process of server-side webpage construction allows code included in a webpage to be dynamically executed on the server, to dynamically get the data needed to complement the webpage. For example, a snippet of a code may query APIs to get the current server status and put it into a webpage to be delivered together with other information to users. Specifically, any content in the format {{…}} will be treated as a code snippet and executed. For example,  {{`pwd`}} embedded in a webpage will be parsed as `pwd` and further executed as pwd command  in the serverʼs shell to list all the files in the current directory during the construction of that page. Hint: Any characters between two backticks ` , will be treated as a shell command on Linux. Location of backtick on the keyboard.

Combined with those two features, can we do something nasty? The answer is YES! As you probably have figured out, you can set your username as {{`malicious code does something nasty`}} so that your “usernameˮ will be parsed and executed as code and do nasty stuff during the profile page construction on the server. A common practice to prevent this type of attack is to sanitize user inputs by turning them into inexecutable strings. However, sanitizations are not always correctly implemented. The Microweber website is an example — one of the user input fields lacks proper sanitization and is vulnerable to code injection attacks.

Steps:

 After installation, you will see your profile page. To help you narrow down the search space, we give you a hint that the injection point is somewhere in the profile information. Go to Users and click on Edit profile.

 Then go back or refresh the Users page and see if you observe anything interesting. If you see the output of

last step (which only show partial result).

   Note 2 Make sure the _Users page is reloaded after you save your exploit input. The injected command will not get executed until the _Users page is reloaded.

 Now modify your injected command to get your hash stored in _{/tmp/secret_1.txt} on the server, see the example below. Submit this hash string to Q1.1 in the questionnaire. Note: If you see two identical hashes, just submit one. This may happen due to that the injected data field is accessed twice during page construction.)

Rubric

Description

The ability to run a command on the web server implies that you may do more on the web server, including modifying Bobʼs website. In this task, your goal is to insert a malicious script payload into a template HTML file used by Bobʼs website. Webpages Bobʼs website imports the infected template, hence being infected as well. In this way, Bobʼs clients get compromised when visiting his webpages.

Steps

 Locate the directory of Bobʼs website and assets directory of clients.

Clientsʼ directories are normally organized together under the same parent folder, just like _/home in Linux. To help protect the clientʼs privacy, the service provider names a customerʼs assets directory with the MD5 hash of the clientʼs name (e.g., MD5ˮBobˮ). Be careful about the letter cases.) instead of the clientʼs actual name (i.e., Bob). Your goal is to locate the client assets directory (parent directory of Bobʼs directory) and submit it to Q1.2.1 in the questionnaire. Note: you should submit the exact directory name, NOT the directory path (see the example below). Any additional characters (e.g., _/ ) in your submission will cause a mismatch and lead to 0 pts during autograding.

Hints:

Many online MD5 generators are available.

You can use the Linux _find command to search for Bobʼs directory. You can use _/ (root location) or _.. (parent folder) as the search location to help you.

In the example below, your answer submitted to Q1.2.1 should be clients_assets .

$ find / -iname client_md5

Result: /xx/xx/clients_assets/client_md5

 Find the best template file to insert the malicious script payload.

Most modern websites follow a certain organized structure — frequently used resources are put into templates for efficient reuse. For example, the same navigation bar may be used repeatedly throughout many pages of a website. Therefore, a website admin can save the navigation bar as a template in

navigation.html and have those pages that need to display the navigation bar import navigation.html . From the

attackerʼs perspective, finding and modifying such a template is optimum as this modification is minimal yet impactful. Your goal is to figure out which template HTML under the _templates directory in Bobʼs website directory makes the most sense to insert the malicious script payload into. Submit your answer (in the format of _xxx.html ) to Q1.2.2 in the questionnaire. Note: make sure your spelling is correct. Incorrect file name by any means leads to 0 pts for this task.

Hints:

Think about what type of data you are trying to insert into the website.

The correct template file has a hint at the beginning of the content indicating you have found the correct one.

You donʼt need to check files in the sub-directories. All you need to do is examine the HTML files right under the templates directory.

 Insert the malicious script into the target.

Once you have found the best template file, the next step is to insert the malicious payload. A smart practice attackers typically follow is that instead of deploying a one-time attack, they install a remote hook on the victimʼs page/machine that can connect to an attacker-owned Control and Command C&C server. When the remote hook gets triggered (the infected webpage is open), it constantly emits heartbeats to the C&C server to notify the attacker a zombie is online. Then the attacker can freely issue any preconfigured attack commands to the zombie.

In this project:

We use BeEF as the C&C console, which you can find on the project page. The username and password are both: beef_for_cs6264

Hints: 

 The _src property in the _<script> tag has to be present at a minimum to make it work.

 The dynamically allocated port number may change each time you start a new container. Make sure you use the up-to-date port number.

Your goal is to insert the remote hook above through code injection techniques into the template file you found. In this way, Bobʼs webpage gets infected when importing the infected template file.

   Hint: “<ˮ and ˮ>ˮ in user inputs are commonly sanitized by the server (try it out and see what happens!, which means you probably cannot include them in your command. You can use any solution as long as it does the work Find and replace? Download from network? Or more?. You are encouraged to look up online resources and learn along the way of trying various possible solutions.

To verify If your attack is successful, visit Bobʼs webpage like a normal client. When a user opens an infected webpage, the IP of the connected victim (which is you in this test) will appear in BeEFʼs console.

 Issue an attack

Select the victim (you) under the Online Browsers , then issue Commands → Social Engineering → Google Phishing attack and observe what happens to Bobʼs webpage.

If the attack succeeds, you will see that the original page turns into a phishing page with a hash string at the bottom. Submit this hash to Q1.2.4 in the questionnaire.

Rubric

Role 2 – Forensics Investigator (55%)

Congratulations! At this point, you have successfully deployed and tested the attack. Now itʼs time to look at this story from the point of view of another crucial role — the forensics investigator. As a forensics investigator, your job is to find the evidence of any attacks that happened to a victim. To approach this goal, you come up with the following plan:

 Develop an auditing tool to log browser activities which may include the evidence of attacks.

 Construct a causality graph by connecting discrete information pieces from the raw logs.

 Find evidence of attacks in the causality graph based on patterns of attacks.

Description

In the first step, you need to develop a handy tool to log and model the activities happening in the browser. To help take away the engineering burden from you, we have helped you implement most of the auditing tool (however, you are encouraged to go through all the code), so that you can focus more on learning the concepts and philosophy of modeling browser activities we provide in the supplementary document.

Steps:

 Read the supplementary document to understand what major activities happening in the browser and the rationale regarding how to model them.

   Important note: We recommend reading the supplementary from the start to the end. Doing this not only helps you make the best of this project even though only part of it is needed to complete the task we give you.

 With the knowledge you gained from step 1, complete the function handle_download_begin() in event_handler.py .  For testing, you can trigger the download event by visiting a page with download functionality and downloading a file. For example, you can download code from any GitHub repo https://github.com/fate0/pychrome/tree/master. Or you can use the Fake Notification attack involving file downloading from BeEF described in Task 2.2.

You need a Linux system with GUI support It is highly recommended to use Ubuntu)

Make sure you have Python3 and Chrome installed. Python 3.11 or earlier versions are recommended. Some dependencies may be deprecated in later versions)

Install required packages: pip3 install –upgrade && pip3 install -r requirements.txt

Run Chrome with auditor listening on the events: _{python3 auditor.py} . Make sure you do not have a running

Chrome instance when running the auditor. To save the hassle of repetitively copying and pasting the URL to Bobʼs page to the browser GUI during testing for you, we provide a flag _–init-page which automatically opens the URL you specify when the browser starts. The usage is python3 auditor.py –init-page

URL_TO_BOB’s_PAGE

Then the auditor starts logging the events. If you see a series of 3 events: 1 request, 2 response, and 3 script parsed repetitively shows up, it is the heartbeat sent back and forth between the remote hook and the BeEF C&C server.

Use Ctrl-C in the command line to both stop the browser and output the logs for you. Note: donʼt close the browser from the GUI.

Self-test:

At runtime: You can check if nodes and edges are properly constructed through _{self.log_node()} and self.log_edge() which print the corresponding information for you.

After running: You can check if two new types of log files FileNode.tsv and Frame_download_File_Edge.tsv that log download behavior are generated.

Submit your completed  event_handler.py to Gradescope.

 Generate logs for Bobʼs clean (i.e., with no BeEF hook) webpage where no attack/modification is present with your auditor. To do so, stop and start the dockers on the project page (to get a fresh and clean Bobʼs webpage).  Compress the generated logs to tar.gz file with the name GT username]_cs6264_lab.tar.gz and submit it to Gradescope along with the questionnaire. Note: submission in the wrong format will lead to 0 pts.

Hint: you can use the command tar -czvf [your_username]_cs6264_lab.tar.gz C [your_log_directory] .

You can confirm the content of your compressed file by the following.

Having additional logs files is fine (which may be generated by your browser extensions if you have any) as long as the submitted logs contain those from Bobʼs page.

Rubric

Description

Congratulations! You have completed the key component of this project. Now that you can collect the logs, whatʼs left is to connect those information pieces in the log together to recover the whole picture of what happened during compromised browsing sessions, and find the evidence of attacks in the constructed causality graph. In this task, you need to execute and record logs for three common types of attacks: phishing, fake notification, and browser redirection from BeEF

In such an attack, the malicious script typically resets the content of the webpage to a phishing page (e.g., Legit-looking Gmail logging page) by setting the _innerHTML variable. When users fill out their credentials and hit the login button, a copy of the credentials is sent to attackers during redirection to the official login service.

the webpage to trick users into performing sensitive operations. For example, a fake notification says that the browser is out of date and needs to be updated to continue, or a plugin needs to be installed to proceed. In this way, users are lured into installing malware. The default URL given by BeEF may not be work, hence no download event occurs in the browser. You can set the file URL to any valid one such as https://github.com/fate0/pychrome/archive/refs/heads/master.zip, and play with fake notification text to see how things change on the victimʼs side.

This is a seemingly less harmful attack as it works by merely creating an overlay frame displaying another website on top of the opened frame. However, the flexibility enables the attacks to be more diverse. For example, the new webpage could be any of the following and more:

a phishing page to steal credentials (similar to attack 1 a fraud page with fraudulent ads or affiliate links to generate revenue for the attacker a malicious site to initiate actions on behalf of the users who are authenticated (through session cookies), without their knowledge or consent.

a page with inappropriate content for targeted reputation damage a page that automatically downloads malware upon opening

Once you have collected logs containing those attacks, your next step is to construct a causality graph, and then find the evidence of those attacks in the graph through queries.

Note: These three attacks do not have side effects on your browser. To complete this project, we recommend only playing with these 3 attacks. Other attacks could have an impact on your browser.

Steps

For each attack:

 Log collection: After the auditor runs, open Bobʼs webpage, execute the attack, and generate the logs.

 Causality graph construction: Load the logs into Neo4j to construct the causality graph. Please see the Supplementary Document for the detailed guide.

 Query construction: Think about what pattern in the graph can identify a potential Google Phishing attack. Construct a Neo4j query through Cypher Neo4jʼs query language) to locate this pattern in the graph. Please see the Supplementary Document for the detailed guide.

a Google Phishing: A phishing page must load the corresponding resources to display the fake content. In this case, is it normal that a Gmail-related resource gets loaded when the user is visiting the product page of a shopping site? See if you can find a Gmail icon requested in the logs. Based on this logoʼs URL, construct a query that returns a Frame – request  Resource subgraph where the resource nodeʼs URL points to the Gmail favicon in the causality graph, as shown. Submit your query to Q2.2.1 in the questionnaire. Note that:

i The edge should be returned with the two nodes as well, i.e., the subgraph your query returns should contain two nodes and one edge.

ii Make sure to use Frame, request, and Resource to name your nodes and edge. Otherwise, you may get 0 pts.

Example query response indicating potential Google Phishing attack.

b Fake Notification: What is the ultimate goal of this attack? Malware spreading! When you look at the logs, how normal do you think it is for a downloading event to happen when the user is visiting the product page of a shopping site? In this context, the downloading event itself should be suspicious enough. The query you construct should generally return any Frame – download  File subgraphs in the causality graph. Submit your query to Q2.2.2 in the questionnaire.

Example query response indicating potential malware downloading.

c Site Redirection: In this attack, the malicious script creates a new frame displaying the new webpage to cover the existing webpage. Think about this — in a benign webpage design, how often do we need to create a frame through scripts? Script — create  Frame pattern in the graph should raise an alert, which should be captured by your query. In addition, heuristics are commonly used to detect malicious URLs. In this task, as a proof of concept, we assume a simple heuristic that the URL of the redirected new page is the top domain URL (e.g., www.example.com ) as opposed to (e.g., www.example.com/xxx/xxx/ ). Following this assumption, you can create a simple heuristic check — the frame nodesʼ _{security_origin} is the same as its _url except that the _{security_origin} does not have the _/ in the end (see the example figure). To perform string operations, you can find help from string functions and scalar functions in Cypher. As shown in the example below, your query should return the pattern Script — create  Frame where the frame nodesʼ security_origin is the same as its url except the last / character. Submit your query to Q2.2.3 in the questionnaire.

Example query response indicating potential site redirection.

Note:

 Please submit each of your queries in ONE line. Queries submitted in multiple lines lead to 0 pts during auto-grading, make sure to double-check your answer.

 Please follow the same naming style for nodes and edges as the write-up (e.g., Script, create, Frame . Be sure that the first letter of the node name is uppercase and the edge name is all lowercase. Failing to follow the naming convention will result in  0 pts since other keywords will not be accepted by the autograder.

 Each of your queries should return a subgraph that contains related nodes and edges as shown in the examples. Incomplete subgraphs returned by your queries will result in 0 pts.

 Your queries being able to reproduce the sub-graphs shown in the examples indicates that you most likely have done the task right. However, except for the phishing attack which looks for a specific favicon as attack evidence — instead of looking for a specific resource in the lab tests (e.g., the exact filename, the exact redirected pageʼs URL, your other two queries must be generalizable, meaning that they should catch attacks in the real world demonstrating the same behavior patterns (e.g., downloading real malware, redirection to URLs other than the example one). Failing to do so will result in 0 pts if your last two queries are not general.

Rubric

Rubric

Deliverables

 assignment_questionnaire.txt

 event_handler.py

 GT username]_cs6264_lab.tar.gz  containing .tsv logs of Bobʼs clean page.

Important Note:

 Make sure you use the provided questionnaire and the specified formats to submit your answers. Failing to do so can make your ENTIRE project 0 pts since auto-grader cannot take in submissions in other formats.

 The GT Login ID you fill in the questionnaire must be all lowercase (see the given example. This is NOT your student card #). Failing to do so will make your hash-related tasks 0 pts since the grading depends on your Login ID.

 All deliverables should only be submitted to Gradescope. Submissions to Canvas will NOT be accepted and graded.

 Make sure you have followed all the guidelines stated in the write-up as well as the supplementary document. Any point deductions caused by failing to follow the guidelines will NOT be adjusted.