Project #2, Web Security

Part 1 (Attacks A, B, C) due: Sunday, May 22, 11:59 PM
Part 2 (Attacks D, E) due: Sunday, May 29, 11:59 PM

For clarifications and hints, see the FAQ, originally developed for Stanford CS 155.

How to set up the environment

For this project, as in the first project, you are going to use a VMware virtual machine. Again, you can work on your own machine or you can use the machines in room B230 in the basement of EBU3B.

Setting up Boxes on your own machine: Download the Boxes2/X virtual machine tarball, boxes2x-2.2.tar.bz2 (warning: 400 MB!). Note that this is not the same tarball as the one in the first project, so you cannot use that one. Decompress this tarball and run it using VMware Player, as you did for the first project. (Refer to the PP1 handout for a reminder.) Once the Boxes 2/X VM is running, you will want to start X and run the Iceweasel browser, as described below.

Using Boxes on the B230 machines: You will want to perfrom the following:

  1. Log in to any B230 machine under Linux using your CSE 127 username and password, which you can find on the ACMS site.
  2. Create a subdirectory (say named after your cse127 username, so that you can distinguish it from other direcotries) in the /scratch directory, and set the permissions for that directory to 700.
  3. Extract the Boxes virtual machine file /home/linux/ieng6/cs127s/public/boxes2x-2.2.tar.bz2 to your scratch work directory. If, for example, your scratch directory is called foobar, then the following commands will work:
    cd /scratch/foobar
    tar xjf ~/../public/boxes2x-2.2.tar.bz2
    Unfortunately there is not enough space in your home directory to extract the VM image, which is why you must use the lab machine’s local scratch space.
  4. Run VMware Workstation or VMware Player. In either case, use it to open the Boxes2X.vmx file located under /scratch/foobar/Boxes2X.vmwarevm. Once the Boxes 2/X VM is running, you will want to start X and run the Iceweasel browser, as described below.
  5. We recommend that you back up all of your work, using the backup procedure described below. If, in addition, you wish to save the state of your entire VM, you can shut down VMware and then create a tarball of the Boxes2X.vmwarevm directory, then copy that tarball into your home directory on ieng6. If, again, your scratch directory is called foobar, then the following commands will work:
    cd /scratch/student
    tar cvf boxesimg.tar Boxes2X.vmwarevm
    bzip2 boxesimg.tar mv boxesimg.tar ~
    Now if you want to run the saved box, in step 3 instead of extracting the VM image from the public/ directory, you will extract the one you saved in your home directory.

How to run iceweasel

The Web server serving the Zoobar site you will be attacking is hosted inside the VM. (If you try to connect to outside the VM, you will get Stanford's site, which you should not try to interact with.) Furthermore, the Web browser you'll use to develop and test your attacks is also hosted inside the VM. It is called Iceweasel.

Iceweasel is the Debian version of Firefox—essentially the same browser, but with a different name because of licensing issues. To start iceweasel in Boxes 2/X, log in as user, and do the following:

  1. Type the startx command. This will start the X Windowing System, and a new window will be displayed with a xterm (shell) where you can enter commands. (Click the mouse to place the window.)
  2. Type iceweasel & within the newly displayed xterm. This will open the Iceweasel browser. (Again, click the mouse to place the window.)
  3. In the URL bar, you can type to connect to the Zoobar site.

Backing up your work

As with any project, you will want to make and keep frequent backups of your work. If you are developing your code in user’ home directory inside the VM, then an easy way to back this directory up is with the rsync command.

Suppose that the IP address assigned to the VM is (You can find this address using /sbin/ifconfig eth0 inside the VM.) And suppose you'd like to back up into a directory called bkp123 in your ieng6 home directory. Run the following command from the B230 lab machine prompt:

rsync -av ~/bkp123/
If you run this command again later it will update the contents of bkp123 to match the contents of user’s home directory.

To restore from backup, run the following command, again from the B230 lab machine prompt:

rsync -av ~/bkp123/

Project Overview

The fictional “Zoobar Foundation” has set up a simple Web application at (inside the Boxes 2/X VM), allowing registered users to post profiles and transfer “zoobar&rdqo; credits between each other. Each registered user starts with 10 zoobars.

You will craft a series of attacks on that exploit vulnerabilities in the Website’s design. Each attack presents a distinct scenario with unique goals and constraints, although in some cases you may be able to reuse parts of your code.

Although many real-world attackers do not have the source code for the Websites they are attacking, you are one of the lucky ones: you can find the source code under /var/zoobar/www in the Boxes 2/X VM.

The zoobar server is actually run locally on each of your boxes. We will run your attacks after wiping clean our own local database of registered users (except the user named "attacker"). Of course this means that any data you have added while working on the assignment will not be present during grading.


Browser: We will grade your project within the Boxes 2/X VM, using the Iceweasel browser. which is installed in the Boxes. Therefore, you should test your code in the boxes on this browser. Iceweasel is essentially the same browser as Firefox, but under different branding. Anything that works in iceweasel will likely work in (the same version of) Firefox as well.

There are subtle quirks in the way HTML and JavaScript are handled by different browsers, and some attacks that work in Internet Explorer (for example) may not work in Firefox (and therefore in Iceweasel). In particular, you should use the Mozilla way of adding listeners to events.

Email script. For Attacks A and D, you will need a server-side script to automatically email information captured by your client-side JavaScript to your user account within the Boxes. We have provided this script for you. Please review the instructions at (open this url from within the Boxes) and use that URL in your attack scripts to send emails. Again, this server is also being run locally on your own boxes machine. To check your local email use the mutt email client (type mutt in the shell to start the client, and follow the instructions).

Attack A. Cookie Theft

Attack B. Cross-Site Request Forgery

Attack C. SQL Injection

Attack D. Password Theft

Attack E. Profile Worm


Create files named a.txt, b.html, c.html, d.html, and e.txt, containing each of your five attacks. You may include a separate README file. (We would appreciate any feedback you may have on this assignment). Submission instructions will be posted to Piazza.

For Part One, Attacks A, B, and C are due.

For Part Two, Attacks D and E are due.

Part Two is due a week after Part One, but the last two attacks are harder than the first three. We encourage you to start early.


Each attack is worth up to 4 points. The entire project will be graded out of 20.

Beware of Race Conditions: Depending on how you write your code, all five of these attacks could potentially have race conditions that affect the success of your attacks. Attacks that fail on the grader’s browser during grading will receive less than full credit. To ensure that you receive full credit, you should wait after making an outbound network request rather than assuming that the request will be sent immediately.


This is Project 2 from Stanford’s CS 155, Computer and Network Security. Thanks to Dan Boneh, John Mitchell, Collin Jackson, and the 155 TAs.

Navigation: CSE // CSE 127 // Project 2