Project #3 FAQ

This is the FAQ for CSE 127 Project 3.

General Questions

Is there some way to see a list of users and bitbar balances?

Yes, you can see the list of all registered users and the number of bitbars they have at http://localhost:3000/view_users.

Um … Same-Origin Principle? Do I need to know what that is?

You should be familiar with the Same-Origin Principle before attempting this project. The Same-Origin Principle is the most important idea behind Web application security; ignoring it will cause you to run into lots of browser security exceptions.


Where can I find more information about JavaScript?

Mozilla has a nice introduction to JavaScript the language. You will also want to learn something about the DOM; Mozilla has a useful DOM reference.

My JavaScript isn’t working, and I don’t know why. What can I do?

Two extremely useful tools for debugging in the browser are the JavaScript console and the DOM Inspector. Both can be accessed from the Developer Tools menu (triple dots to the right of the address bar -> “More tools” -> “Developer tools”). The JavaScript console lets you see which exceptions are being thrown and why. The DOM Inspector lets you peek at the structure of the page and the properties and methods of each node it contains.

What do I need to know about CSS?

You only need to know enough to make your attacks disappear. You should know what basic syntax like <style>.error{display:none}</style> means, and you should feel free to use stealthy attributes like style="display: none; visibility: hidden; height: 0; width: 0; position: absolute" in the HTML of your attacks. Beware that frames and images may behave strangely with display: none, so you might want to use visibility: hidden instead.

How can I see cookies and form data that the browser sends?

Try the Chromium web console.

What do I need to know about Ruby / Ruby on Rails?

You should be able to get the general idea of what the server is doing, but beyond that you do not need to understand or write any Ruby code.

Where can I find more information about Ruby / Ruby on Rails?

Here are some handy references:


Am I allowed to load scripts or images from other domains?

No, your attacks should not load data from any other domain.

Are we allowed to include additional files?

Please limit yourself to the files requested: one file per attack, the writeup file, the README file, and the SID file.

Attack X.

How are the graders going to test our URL?

We will put it into the browser’s address bar and click the "Go" button.

The example attack doesn’t seem to do anything. What’s wrong?

You need to be logged in to Bitbar before the attack will work. When you click the link, you should get a browser alert with the contents of document.cookie.

Why would someone want to steal document.cookie?

The cookie is the user’s authentication credential. If you steal someone else’s cookie, it is easy to hijack that user’s session (although we won’t ask you to do so in this project).

How do I convince the browser to send a GET request to a URL of my choosing?

You can allocate a JavaScript Image object, and set its src attribute to be the URL you want the browser to retrieve. The browser immediately tries to fetch the content of this image, even though the URL isn’t actually pointing at an image and the image hasn’t been inserted into the page anywhere. Pretty sneaky.

Why are the characters reflected back different from the ones in the URL?

Your query parameter is URL decoded by the server before being reflected back at the user. You’ll need to make sure that your attack code is URL encoded. For example, use + instead of space and %2b instead of +. Here is a URL encoding reference.

How do I put code into a URL? I want to have newlines and stuff.

It helps if you URL-encode it.
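The encoding asymmetry described above, as an added example that is not part of this FAQ or of the Bitbar code: the first two functions show what a browser form sends and what the server sees after decoding (so a bare + arrives as a space), and reflect_safely is the fix a server should apply before echoing a decoded parameter, HTML-escaping it so markup renders as text. The page fragment it builds is a constructed stand-in for the real /profile template.

```ruby
require 'uri'
require 'cgi'

# Encode a value for a query string the way a browser form would:
# spaces become '+', and a literal '+' becomes '%2B' so the server does
# not turn it back into a space when it decodes the parameter.
def encode_query_value(value)
  URI.encode_www_form_component(value)
end

# What the server sees after decoding the raw parameter text from the URL.
# This is the same decoding step the server performs before reflecting the
# value back into the page.
def decode_query_value(raw)
  URI.decode_www_form_component(raw)
end

# Hardened reflection: HTML-escape the decoded value so any markup it
# contains is rendered as literal text instead of being parsed as HTML.
# The surrounding <p> is a constructed stand-in for the profile template.
def reflect_safely(raw)
  "<p>Profile for #{CGI.escapeHTML(decode_query_value(raw))}</p>"
end

if __FILE__ == $PROGRAM_NAME
  puts encode_query_value('a+b c')              # a%2Bb+c
  puts decode_query_value('a+b')                # a b  (the '+' became a space)
  puts decode_query_value('a%2Bb')              # a+b
  puts reflect_safely('%3Cb%3Ehi%3C%2Fb%3E')    # <p>Profile for &lt;b&gt;hi&lt;/b&gt;</p>
end
```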

Why does my attack not work sometimes?

If you try your attack more than once, the browser might think that it already has the image in its cache, and so it wouldn’t send a second GET request. Adding an extra parameter with a random value to the end of the URL ensures that the browser will think the new URL is different, and won’t use the cache. The steal_cookie page ignores this parameter, so it’s only useful for bypassing the cache.

Are there any restrictions on the length of my solution URL?

No. Internet Explorer has a limit of 2083 characters or so for URLs, but the limit is much longer in Chromium, which is what we are using for grading. The grader’s solution was less than 300 characters, and shorter solutions are possible.

Since updating server content is a side effect of the request, wouldn’t it make more sense for the browser’s request to be a POST instead of a GET?

Yes, but that would prevent the Image trick from working. Real-world attackers are rarely bothered by such semantic distinctions.

What should the view_stolen_cookie page look like if the attack worked?

The parts that might be different are italicized.

Last Cookie Stolen


My attack is working. What should I do to make it invisible to the user?

No warning text or characters that are normally part of the page should be visible. From the point of view of the visitor, it should appear as if they just went to localhost:3000/profile and didn’t put in a username yet (with the possible exception of the address bar, which can be whatever you want). It’s ok if the page briefly looks weird before correcting itself.

That sounds hard.

There are actually several quick and easy ways to do it, so try to think outside the box on this one. If you can’t figure it out, try moving on to the other attacks and come back to this one when you’re done.

Attack Y.

Is this a cross site scripting attack?

No, this is a cross site request forgery attack. You are exploiting the fact that the Bitbar website uses only a cookie to authenticate requests, even ones with side effects.

Can I use the vulnerability in /profile from Attack X?

No. Since this is not a cross site scripting attack, you do not need to use the vulnerability in /profile. All you have to do is convince the user’s browser to post malicious form data to /post_transfer.
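The defensive counterpart to the weakness just described, as an added example that is not part of this FAQ, of Bitbar, or of Rails itself: a state-changing endpoint such as /post_transfer should require more than the session cookie, namely a per-session synchronizer token echoed back in the form plus a check that the request’s Origin (or Referer) is the site’s own. The session, params and headers hashes are assumed stand-ins for the framework’s objects, and the parameter name follows Rails’ authenticity_token convention.

```ruby
require 'securerandom'

# Constant-time comparison so the token check does not leak, through
# timing, how many leading bytes of a guess were correct.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mint a fresh random token the first time a session needs one and keep it
# server-side; every form the site renders embeds this value as a hidden
# field. A foreign page cannot read it because of the same-origin policy.
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# The only origin from which Bitbar's own forms are served (assumed).
ALLOWED_ORIGIN = 'http://localhost:3000'.freeze

# Decide whether a state-changing request may proceed. The cookie proves
# who the user is; the token proves the form came from a page Bitbar
# served to that user; the Origin/Referer check rejects submissions
# launched from another site even if the token were somehow known.
def csrf_safe?(session:, params:, headers:)
  expected = session[:csrf_token]
  return false if expected.nil?
  return false unless secure_equal?(expected, params['authenticity_token'])
  origin = headers['Origin'] || headers['Referer']
  return false if origin.nil?
  origin == ALLOWED_ORIGIN || origin.start_with?(ALLOWED_ORIGIN + '/')
end
```

A browser that sends the cookie with SameSite=Lax or Strict adds a further layer, but the token check above is the one the server can enforce regardless of client behaviour.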

How do I convince the browser to send a malicious POST request to /post_transfer?

Put together a form in your HTML document, with http://localhost:3000/post_transfer as the action attribute.

How can I get the form to be submitted with no user interaction?

You can call the "Transfer" button’s click method. Or, you can use JavaScript to call the form’s submit method.

What <input> fields should the form contain?

Use the browser’s view source function on /transfer and you’ll get a pretty good idea.

How can I submit a form to Bitbar without causing the browser’s address bar to change to localhost:3000?

Create a hidden <iframe> and make sure the form’s target attribute matches the frame’s name attribute.

How do I make the iframe hidden?

There are lots of ways to do it, but the easiest is probably <iframe style="visibility: hidden" ...>.

Uh oh, iframes. Does Bitbar use any form of framebusting?

Yes, the Bitbar website does some rudimentary framebusting, which you can see in the HTML source of any Bitbar page. It might be useful to read up on some attacks against framebusting code.

How do I redirect the browser to the CSE 127 home page?

Change the document.location property. Note that the browser’s address bar is required to show the CSE 127 home page once your attack is complete.

How do I ensure that the redirect doesn’t happen until after the form data has been posted?

You can trigger the redirect from the frame’s onload handler. Depending on how your code is written, this onload handler may get called twice — once when the page initially loads and once when the form is submitted. If this is the case, you’ll have to make sure that you change document.location on the second time only.

Attack Z.

How does the site sanitize profiles?

It uses sanitize() to restrict the tags that can be used.

What tags does Bitbar allow in profiles?

<a> <br> <b> <h1> <h2> <h3> <h4> <i> <img> <li> <ol> <p> <strong> <table> <tr> <td> <th> <u> <ul> <em> <span>

Additionally, the following attributes are allowed:

id class href colspan rowspan src align valign

How do I transfer the bitbar?

You should be able to use the same tricks you used for Attack Y. You could also use an XMLHttpRequest, since you’re actually making a same-site request this time. Pick whichever approach you prefer.

How do I create an <iframe>?

You can use the DOM methods document.createElement and document.body.appendChild.

Are there any alternatives to target, which is blacklisted?

You can use string concatenation to express “target” without actually saying it. The following are equivalent in JavaScript: x.target, x["target"], x["tar"+"get"].

How do I replace the profile?

Use the same technique you just used to transfer bitbars, but target the profile updating endpoint instead.

Is there an easy way to get a copy of the current profile?

You can use document.getElementById('profile').innerHTML, but it may mangle quotes in your profile, so be sure to check that the replicated profile is still functional.


This is the Project 2 FAQ from Stanford’s CS 155, Computer and Network Security. Thanks to Dan Boneh, John Mitchell, Collin Jackson, and the 155 TAs.
