PA4: Web Assignment Fall 2022

This is a group project; you can work in a team of size at most two and submit one project per team. You are not required to work with the same partner on every project. You and your partner should collaborate closely on each part.

You have three late days that you may use to turn in work past the deadline over the entire quarter. A late day is a contiguous 24-hour period. Both you and your partner will be charged for every late day that you use, and you both must have late days to use them. These late days are intended to cover your extension needs for usual circumstances: brief illness, busy with other classes, interviews, travel, extracurricular conflicts, and so on. You do not need to ask permission to use a late day.

The code and other answers you submit must be entirely your team's own work. You may discuss the conceptualization of the project and the meaning of the questions, but you may not look at any part of someone else’s solution or collaborate with anyone other than your partner. You may consult published references, provided that you appropriately cite them (e.g., with program comments).

Solutions must be submitted to Gradescope.


Introduction

A startup named BUNGLE! is about to launch its first product—a web search engine—but their investors are nervous about security problems. Unlike the Bunglers who developed the site, you took CSE 127, so the investors have hired you to perform a security evaluation before it goes live. BUNGLE! is available for you to test at https://bungle.sysnet.ucsd.edu/.

In addition to providing search results, the site accepts logins and tracks users’ search histories. It stores usernames, passwords, and search history in a database.

Note: Passwords used on the BUNGLE! site may be used, in whole or in part, in subsequent assignments in the course. Never use an important password to test an insecure site! This especially includes your personal passwords.

Before being granted access to the source code, you reverse engineered the site and determined that it replies to five main URLs: /, /search, /login, /logout, and /create. The function of these URLs is explained below, but if you want an additional challenge, you can skip the rest of this section and do the reverse engineering yourself.

Main page (/)

The main page accepts GET requests and displays a search form. When submitted, this form issues a GET request to /search, sending the search string as the parameter “q”. If no user is logged in, the main page also displays a form that gives the user the option of logging in or creating an account. The form issues POST requests to /login and /create.

Search results (/search)

The search results page accepts GET requests and prints the search string, supplied in the “q” query parameter, along with the search results. If the user is logged in, the page also displays the user’s recent search history in a sidebar.

Note: Since actual search is not relevant to this project, you might not receive any results.

Login handler (/login)

The login handler accepts POST requests and takes plaintext “username” and “password” query parameters. It checks the user database to see if a user with those credentials exists. If so, it sets a login cookie and redirects the browser to the main page. The cookie tracks which user is logged in; manipulating or forging it is not part of this project.

Logout handler (/logout)

The logout handler accepts POST requests. It deletes the login cookie, if set, and redirects the browser to the main page.

Create account handler (/create)

The create account handler accepts POST requests and receives plaintext “username” and “password” query parameters. It inserts the username and password into the database of users, unless a user with that username already exists. It then logs the user in and redirects the browser to the main page.

Note: The password is neither sent nor stored securely; however, none of the attacks you implement should depend on this behavior. You should choose a password that other groups will not guess, but again, never use an important password to test an insecure site!


Guidelines

Defense Levels

The Bunglers have been experimenting with some naïve defenses, so you also need to demonstrate that these provide insufficient protection. In Parts 2 and 3, the site includes drop-down menus at the top of each page that let you change the CSRF and XSS defenses that are in use. When you are testing your solution, ensure that BUNGLE! has the correct defense levels set.

You may not attempt to subvert the mechanism for changing the level of defense in your attacks. Be sure to test your solutions with the appropriate defense levels! Additionally, be sure to include the defense levels as url parameters in any request to bungle!

In all parts, you should implement the simplest attack you can think of that defeats the given set of defenses.

In other words, do not simply attack the highest level of defense and submit that attack as your solution for all defenses. You do not need to combine the vulnerabilities, unless explicitly stated.

Resources

The Firefox and Chrome web developer tools will be very helpful for this project, particularly the JavaScript console and debugger, DOM inspector, and network monitor. See https:// developer.mozilla.org/en-US/docs/Tools and https://developers.google.com/web/tools/chrome-devtools. Note that you may complete the project on any web browser of your choice, but we have only tested that it works on Chrome and Firefox.

Although general purpose tools are permitted, you are not allowed to use tools that are designed to automatically test for vulnerabilities.

Your solutions will involve manipulating SQL statements and writing web code using HTML, JavaScript, and the jQuery library. You should search the web for answers to basic how-to questions. There are many fine online resources for learning these tools. Here are a few that we recommend:

To learn more about SQL Injection, CSRF, and XSS attacks, and for tips on exploiting them, see: the OWASP cheat sheet and the XSS filter evasion cheat sheet.


Part 1: SQL Injection

Your first goal is to demonstrate SQL injection attacks that log you in as an arbitrary user without knowing the password. In order to protect other students’ accounts, we’ve made a series of separate login forms for you to attack that aren’t part of the main BUNGLE! site.

For each of the following defenses, provide inputs to the target login form that successfully log you in as the user “victim”:

1.0 No defenses (2 points)

Target: https://bungle.sysnet.ucsd.edu/sqlinject0

Submission: sql_0.txt

1.1 Simple escaping (2 points)

The server escapes single quotes (') in the inputs by replacing them with two single quotes.

Target: https://bungle.sysnet.ucsd.edu/sqlinject1

Submission: sql_1.txt

1.2 Escaping and Hashing [Extra Credit] (1 point)

The server uses the following PHP code, which escapes the username and applies the MD5 hash function to the password.

if (isset($_POST['username']) and isset($_POST['password'])) {
    $username = mysql_real_escape_string($_POST['username']);
    $password = md5($_POST['password'], true);
    $sql_s = "SELECT * FROM users WHERE username='$username' and pw='$password'";
    $rs = mysql_query($sql_s);
    if (mysql_num_rows($rs) > 0) {
        echo "Login successful!";
    } else {
        echo "Incorrect username or password";
    }
}
        

This is more difficult than the previous two defenses. You will need to write a program to produce a working exploit. You can use any language you like, but we recommend Python 3.

Target: https://bungle.sysnet.ucsd.edu/sqlinject2

Submission: sql_2.txt, sql_2-src directory (see below for specification)

1.3 The SQL [Extra credit] (1 point)

This target uses a different database. Your job is to use SQL injection to retrieve:

Target: https://bungle.sysnet.ucsd.edu/sqlinject3

Submission: sql_3.txt

For this part, the text file you submit should start with a list of all the queries you made to learn the answers. Follow this with the values specified above, using this format:

QUERY
QUERY
QUERY
...
Name: DB name
Version: DB version string
Tables: comma separated names
Secret: secret string
        

What to submit

When you successfully log in as a victim, the server will provide a URL-encoded version of your form inputs. Submit a text file with the specified filename containing only this line.

Remember, you must log in as "victim".

For 1.2, also submit the source code for the program you wrote by placing it in the directory sql_2-src.

For 1.3, submit a text file as specified.


Part 2: Cross-site Scripting (XSS)

Your next task is to demonstrate XSS attacks against the BUNGLE! search box, which does not properly filter search terms before echoing them to the results page.

For each of the defenses below, your goal is to construct a URL that, when loaded in the victim’s browser, correctly executes the specified payload. We recommend that you begin by testing with a simple payload (e.g., alert(0);), then move on to the full payload. Note that you should be able to implement the payload once, then use different means of encoding it to bypass the different defenses.

Note: jQuery is embedded on Bungle. Please do not reload it in your scripts for Part 2.

Payload

The payload (the code that the attack tries to execute) will be to steal the username and the most recent search the real user has performed on the BUNGLE! site.

When a victim visits the URL you create, these stolen items should be sent to the attacker’s server for collection. For purposes of grading, your attack should report these events by loading the URL (performing a GET request): http://localhost:31337/?stolen_user=username&last_search=last_search

We have provided the file xss_server.py to help you test your solution. You can test receiving this data by running this command at the shell in your project directory: python3 xss_server.py.

You should be able to observe the HTTP GET request that your payload generates in the server log.

Defenses

There are five levels of defense. In each case, you should submit the simplest attack you can find that works against that defense; you should not simply attack the highest level and submit your solution for that level for every level. Try to use a different technique for each defense. The Python code that implements each defense is shown below, along with the target URL and the filename you should submit.

2.0 No defenses (2 points)

Target: https://bungle.sysnet.ucsd.edu/search?xssdefense=0

Submission: xss_0.txt

For 2.0 only, also submit a human-readable version of your payload code (as opposed to the form encoded into the URL). Save it in a file named xss_payload.html.

2.1 Remove “script” (2 points)

filtered = re.sub(r"(?i)script", "", input)

Target: https://bungle.sysnet.ucsd.edu/search?xssdefense=1

Submission: xss_1.txt

2.2 Remove several tags (2 points)

filtered = re.sub(r"(?i)script|<img|<body|<style|<meta|<embed|<object", "", input)

Target: https://bungle.sysnet.ucsd.edu/search?xssdefense=2

Submission: xss_2.txt

2.3 Remove some punctuation (2 points)

filtered = re.sub(r"[;'\"]", "", input)

Target: https://bungle.sysnet.ucsd.edu/search?xssdefense=3

Submission: xss_3.txt

2.4 Encode < and > [Extra credit] (1 point)

filtered = input.replace("<", "&lt;").replace(">", "&gt;")

Target: https://bungle.sysnet.ucsd.edu/search?xssdefense=4

Submission: xss_4.txt

This challenge is hard. We think it requires finding a 0-day vuln or a bug in our code.

What to submit

Your submission for each level of defense will be a text file with the specified filename that contains a single line consisting of a URL (also submit the readable file for 2.0 only). When this URL is loaded in a victim’s browser, it should execute the specified payload against the specified target. The payload encoded in your URLs may embed inline JavaScript.


Part 3. Cross-site Request Forgery (CSRF)

Your final goal is to demonstrate CSRF vulnerabilities against the login form, and BUNGLE! has provided two variations of their implementation for you to test. Your goal is to construct attacks that surreptitiously cause the victim to log in to an account you control, thus allowing you to monitor the victim’s search queries by viewing the search history for this account.

For each of the defenses below, create an HTML file that, when opened by a victim, logs their browser into BUNGLE! under the account “attacker” and password “l33th4x”.

Note: the first character of the password is a letter, not a number.

Your solutions should not display evidence of an attack; the browser should just display a blank page. (If the victim later visits BUNGLE!, it will say “logged in as attacker”, but that’s fine for purposes of the project. After all, most users won’t immediately notice.)

3.0 No defenses (2 points)

Target: https://bungle.sysnet.ucsd.edu/login?csrfdefense=0&xssdefense=4

Submission: csrf_0.html

3.1 Token validation (2 points)

The server sets a cookie named csrf_token to a random 16-byte value and also includes this value as a hidden field in the login form. When the form is submitted, the server verifies that the client’s cookie matches the value in the form. You are allowed to exploit the XSS vulnerability from Part 2 to accomplish your goal.

Target: https://bungle.sysnet.ucsd.edu/login?csrfdefense=1&xssdefense=0

Submission: csrf_1.html

3.2 Token validation, without XSS [Extra credit] (1 point)

Accomplish the same task as in 3.1 without using XSS.

Target: https://bungle.sysnet.ucsd.edu/login?csrfdefense=1&xssdefense=4

Submission: csrf_2.html

This challenge is hard. We think it requires finding a 0-day vuln or a bug in our code.

What to submit

For each part, submit an HTML file with the given name that accomplishes the specified attack against the specified target URL. The HTML files you submit may embed inline JavaScript.

Note: Since you’re sharing the attacker account with other students, we’ve hard-coded it so the search history won’t actually update. You can test with a different account you create to see the history change.


Part 4. Writeup: Better Defenses (4 points)

For each of the three kinds of attacks (SQL injection, XSS, and CSRF), write a paragraph of advice for the BUNGLE! developers about what techniques they should use to defend themselves. A markdown template, writeup.md, is provided here. Fill in the template and convert it to a PDF titled writeup.pdf. Please submit writeup.pdf to Gradescope.

What to submit

A PDF file named writeup.pdf containing your security recommendations. Ensure that you have submitted it to Gradescope.