Project 2: JavaScript Mischief

Due: Wednesday, January 21, 2009

Browsers provide a rich set of features that enable interactive, compelling web applications. Unfortunately, these features are also open to abuse. This project demonstrates how web sites can spy on the user, steal sensitive information, and render the browser inoperable.

• This is an individual project.
• Use the Firefox browser for this project, and for all projects in this class.
• Unlike project 1, you're pretending to be an attacker for this project, so your HTML files do not have to pass validation.
• Unless noted otherwise, avoid the use of external scripts and stylesheets. Everything should be included in the HTML file.

Part 1. Denial of service

1a. Endless alert

Create a HTML document that, when opened, displays a JavaScript alert dialog box. Each time the user dismisses the dialog box, a new, identical dialog box should appear. As a result, the user will be unable to interact with the browser window.

• You can put whatever text you want in the alert. (Be creative!)
• To recover from this attack, it may be necessary to terminate your browser process. On Windows, you can use Task Manager (Ctrl+Alt+Del). On Mac OS, you can use Force Quit (Option-⌘-Esc)
• Note that some browsers, such as Opera and Google Chrome, provide mitigations for this attack. Firefox does not.

1b. Whack-a-mole

Create an HTML page that contains a single button, which has the text "Click here" on it. When the button is clicked, the browser should open an infinite number of popup windows.

• You can put whatever content you want in the popup windows.
• Use a data: URL to give the popup window some content without making a network request.
• Do not wait for the first window to be closed before opening the next one.
• Your solution will be graded with the popup blocker on (the default setting).
• The windows need to actually open visually; it doesn't count if the browser simply hangs.
• You need to open windows, not tabs.

1c. Sticky page

Create a HTML document that the user cannot navigate away from. If the user tries to enter a URL into the address bar, click a bookmark, or use the search box, the browser should remain at the same location. The browser should stay at this location no matter how many times the user tries to navigate away.

• You can put whatever content you want in the page.
• The attack should work regardless of the URL where the page is located.
• Hint #1: Try navigating the page in an onunload or onbeforeunload handler. Be sure to remove your handler to avoid creating an infinite loop.
• Hint #2: Try using setTimeout to delay your navigation by a few milliseconds.
• It is acceptable (but not required) if the browser's "throbber" (progress indicator) spins for a brief moment before stopping. It should not keep spinning forever, however.

Part 2. Privacy attacks

For this part of the project, you will query the browser's history. Lecture 5 includes some information on how to accomplish this.

2a. Sniffing around

Create a page that checks whether the following pages have been visited:

• If (and only if) the user has been to http://pbskids.org/teletubbies/, the page should include the text "Oh, you like Teletubbies!".
• If (and only if) the user has been to https://www.bankofamerica.com/index.jsp, the page should include the text "Our rates are better!".
• If (and only if) the user has been to http://www.wellsfargo.com.phisher.com/, the page should include the text "Warning! You may have been phished!". (Note that this site doesn't exist any more, but you still need to check if it's in the browser history.)
• Use document.write in an inline script tag to emit the text into the page. All text should be present by the time the document is finished loading.

2b. Chameleon phishing page

Create a page that checks whether the following pages are in the browser history:

• http://www.zoobar.org/
• http://www.kanjiquizzer.com/

If the user has been to http://www.zoobar.org/, they should be shown a phishing page that looks like the Zoobar login page. If the user has been to http://www.kanjiquizzer.com/, they should be shown a phishing page that looks like the Kanji Quizzer login page. Otherwise, the page should be blank.

• For part 2b, you must use CSS only. We will disable JavaScript during grading.
• The phishing page should look similar to the target page but doesn't have to be "pixel perfect." However, make sure all the form fields are present.
• It doesn't matter where the phishing form submits to. We won't test this.
• It's ok to load external images, stylesheets, etc. from www.zoobar.org and www.kanjiquizzer.com.
• If the user has been to both pages, show the Zoobar one.
• We own these sites and give you permission to "phish" them. In the future, be sure not to set up phishing pages unless you have the permission of the site owner.

Deliverables

Create files named 1a.html, 1b.html, 1c.html, 2a.html, 2b.html. Each file is worth up to 3 points. You may also include a separate README file that includes any feedback you have on the assignment. Submit your project using the standard class submission mechanism.

We are asking you to craft attacks to further your understanding of web application security. Do not send your malicious code to unwitting recipients. Please do not post your HTML files publicly.

Section Material

Here are the slides and the source file from this week's section:

• Source File
• Slides