Project 3: Abusing Side Channels
- This is an individual project.
- Use the Firefox browser for this project, and for all projects in this class.
Like project 2, you're pretending to be an attacker for this project, so your HTML files do not have to pass validation.
As a matter of fact, the scenario behind this project is the following: You are a member of one of the darkest and most evil guilds that World of Warcraft has ever seen. Destroying and dominating the other guilds is the sole purpose of your existence. However, last Sunday, the unexpected happened. You were defeated in an arena match by one of the other guilds on your own server!
You are now so obsessed with revenge that you want to make them pay by any means. Your plan is to find their website http://www.dontrythisathome.com/project3/, compromise it, and use it to track down their members.
It is now time to see if you can accomplish your dark wish.
- Unless noted otherwise, avoid the use of external scripts and stylesheets. Everything should be included in the HTML file.
- Make sure you have turned off any personal firewalls.
- Make sure Firefox is set to accept third-party cookies. On Firefox 3 on Mac this can be done in the following menu: Firefox > Preferences > Privacy: check "Accept third-party cookies".
Part 1. Identifying the Lair
This enemy guild is known for prizing secrecy, and hence does not serve its webpage on the standard port 80. You will first need to find the port on which their webpage is served.
- You must ONLY scan the following hostname: http://www.dontrythisathome.com/
- Scan only the port range 5020-5030.
- Your webpage should display the results of the scan in a list where each element looks like this: http://www.dontrythisathome.com:502x->open/close
- The ports currently open are 5022 and 5027. This may of course change by the time we grade your project.
- It is normal that the list of ports will not appear in numerical order unless you buffer your results before outputting them.
- Do not write directly into the document using document.write; depending on how you implement your scanner, it can have unexpected side effects. Instead, write the result into a div using the innerHTML facility.
Part 2. Breaking Through
Go to the URL http://www.dontrythisathome.com/project3/. This is the lair of your enemy. Notice that this web site requires a login and a password to enter. Create an HTML page that uses a dictionary and a timing attack to determine which password is the correct one. We have provided a dictionary of words for you to use.
Since this is a timing attack, the key point is to be able to tell that a specific password has taken more time than another. Fortunately, since this is an exercise, a successful login takes far more time than a failed one. However, you have to deal with network lag, in particular if you have a wifi connection. The recommended method is to use a calibration phase that tests a dummy password (like aa) 10 times and computes the average time. Based on this average time you can compute a threshold that should be something like average time x 10. We have designed the exercise so that this method should be robust enough. However, in case of very serious lag (>2 sec), you might need to decrease the coefficient.
- The username is nefarian.
- Remember that even if you don't see it, when the attack is successful you are indeed logged in, so to try again you have to log out. A good idea is to add an automatic call to the logout page at the beginning of your attack.
Part 3. Tracking Down the Traitor
- For this part, do not use a timing attack.
- If the user is logged in and opens your page (HTML file), your page should display "I got you traitor"; otherwise it should display "Welcome Dear Member".
- The key difficulty is dealing with the same-origin policy.
Create files named
You may also include a separate
that includes any feedback you have on the assignment.
Submit your project using the standard class submission mechanism.
We are asking you to craft attacks to further your understanding of web application security. Do not send your malicious code to unwitting recipients. Please do not post your HTML files publicly.
Here are the slides from the section.