Project 3: Abusing Side Channels
Due: Wednesday, January 28, 2009
In the previous project we saw how Javascript features might be used in an unexpected way to abuse the client. In this project we will focus on exploiting side channels to gain information about the web site and other users. In particular, these side channels are used to bypass the same-origin security mechanism.
- This is an individual project.
- Use the Firefox browser for this project, and for all projects in this class.
Like project 2, you're pretending to be an attacker for this project, so your HTML files do not have to pass validation.
As a matter of fact, the scenario behind this project is the following: You are a member of one of the darkest and most evil guilds that World of Warcraft has ever seen. Destroying and dominating the other guilds is the sole purpose of your existence. However, last Sunday, the unexpected happened. You were defeated in an arena match by one of the other guilds on your own server!
You are now so obsessed with revenge that you want to make them pay by any means. Your plan is to find their website http://www.dontrythisathome.com/project3/, compromise it, and use it to track down their members.
It is now time to see if you can accomplish your dark wish.
- Unless noted otherwise, avoid the use of external scripts and stylesheets. Everything should be included in the HTML file.
- Make sure you have turned off any personal firewalls.
- Make sure Firefox is set to accept third-party cookies. On Firefox 3 on Mac this can be done in the following menu: Firefox > Preferences > Privacy: check "Accept third-party cookies".
Part 1. Identifying the Lair
This enemy guild is known for prizing secrecy, and hence does not serve its webpage on the standard port 80. You will first need to find the port on which their webpage is served.
Create an HTML document that uses Javascript to scan the ports of a remote server. The targeted computer belongs to us and we have authorized you to scan it. Do not scan any other computer, as this is considered a real attack and is probably not legal.
- You must ONLY scan the following hostname: http://www.dontrythisathome.com/
- Scan only the range 5020-5030.
- Your webpage should display the results of the scan in a list where each element looks like this: http://www.dontrythisathome.com:502x->open/close
- The ports currently open are 5022 and 5027. This of course might change by the time we grade your project.
- It is normal that you can't get the list of ports in numerical order unless you buffer your results before outputting them.
- Do not write directly into the document using document.write; depending on how you implement your scanner it can have unexpected side effects. Instead, write the result into a div using the innerHTML facility.
Part 2. Breaking Through
Go to the URL http://www.dontrythisathome.com/project3/. This is the lair of your enemy. Notice that this web site requires a login and a password to enter. Create an HTML page that uses a dictionary and a timing attack to determine which password is the correct one. We have provided a dictionary of words for you to use.
Since this is a timing attack, the key point is to be able to tell that a specific password has taken more time than another. Fortunately, since this is an exercise, a successful login takes much more time than a failed one. However, you have to deal with network lag, in particular if you have a wifi connection. The recommended method is to use a calibration phase that tests a dummy password (like aa) 10 times and computes the average time. Based on this average time you can compute a threshold that should be something like average time x 10. We have designed the exercise so that this method should be robust enough. However, in case of very serious lag (>2 sec), you might need to decrease the coefficient.
- The username is nefarian.
- The list of passwords you have to test can be found here: http://www.dontrythisathome.com/project3/dic.txt. To help you, we have also put this list into a Javascript array, which can be found here: http://www.dontrythisathome.com/project3/dic-js.txt.
- Your page should display the following string when the attack ends: login:nefarian;password:xxx; During the scan, the page should display a progress indicator. Hint: you can use an image and change its width with Javascript, or you can display a textual indicator showing how many passwords have been tested so far.
- Remember that even if you don't see it, when the attack is successful you are indeed logged in, so to try again you have to log out. A good idea is to add an automatic call to the logout page at the beginning of your attack.
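The server side of this exercise is what makes the timing attack work: a successful login does more work than a failed one, so its response time gives the answer away. The following Python snippet is an added example, not part of the assignment or of the lab server, showing a leaky handler of that shape next to one that pads every response to a fixed time budget; the user record, the hash, and the 50 ms "session setup" delay are constructed for the demo.

```python
"""Added example (not part of the assignment): a login whose success path is
slower than its failure path leaks the answer through timing; padding every
response to a fixed budget closes the gap. All data here is constructed."""
import hashlib
import hmac
import statistics
import time

# Constructed credential store: username -> SHA-256 digest of the password.
# (A real service would use a salted, slow password hash.)
USERS = {"nefarian": hashlib.sha256(b"demo-password").digest()}


def password_matches(username: str, password: str) -> bool:
    """Constant-time comparison against a fixed-length digest.
    Unknown users are compared against a dummy digest so that 'no such user'
    costs the same work as 'wrong password'."""
    expected = USERS.get(username, hashlib.sha256(b"").digest())
    candidate = hashlib.sha256(password.encode()).digest()
    return hmac.compare_digest(expected, candidate) and username in USERS


def leaky_login(username: str, password: str) -> bool:
    """Shaped like the lab server: success does extra work (session creation,
    simulated by a 50 ms sleep), so a correct guess is measurably slower."""
    if password_matches(username, password):
        time.sleep(0.05)  # constructed stand-in for session setup
        return True
    return False


def padded_login(username: str, password: str, budget: float = 0.1) -> bool:
    """Same decision, but the response is held until a fixed time budget has
    elapsed, so success and failure take the same wall-clock time."""
    start = time.perf_counter()
    ok = leaky_login(username, password)
    remaining = budget - (time.perf_counter() - start)
    if remaining > 0:
        time.sleep(remaining)
    return ok


def timed(fn, *args) -> tuple:
    """Return (result, seconds taken) for one call."""
    start = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - start


def timing_gap(handler, samples: int = 5) -> float:
    """Median response time of a correct guess minus that of a wrong guess.
    Large for leaky_login, close to zero for padded_login."""
    good = [timed(handler, "nefarian", "demo-password")[1] for _ in range(samples)]
    bad = [timed(handler, "nefarian", "aa")[1] for _ in range(samples)]
    return statistics.median(good) - statistics.median(bad)


if __name__ == "__main__":
    print("leaky  gap: %.3f s" % timing_gap(leaky_login))
    print("padded gap: %.3f s" % timing_gap(padded_login))
```

Padding removes the timing signal but not the guessing itself: a dictionary run against the padded handler still tests every word, just without learning anything from the clock, so in practice it is combined with rate limiting or lockout on repeated failures.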
Part 3. Tracking Down the Traitor
Since your skill in arena cannot be questioned, you have to face the horrible truth - someone in your guild is a traitor and has sold off your tactics to the "Ubber guild." It is now clear that you must expose this most heinous crime. To do so you decide to exploit the protected content of the "Ubber guild" web site to track down who is logged into both your guild's website (fictional) and the "Ubber guild" website simultaneously. Create an HTML file that uses Javascript to tell whether a user is currently logged in to the "Ubber guild" website.
- For this part do not use a timing attack.
- If the user is logged in and opens your page (HTML file), your page should display: I got you traitor; otherwise it should display: Welcome Dear Member.
- The key difficulty is to deal with the same-origin policy.
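What makes this part possible is that the browser attaches the victim site's cookies to requests made from an unrelated page, and the page can observe whether a protected resource loaded. The Python snippet below is an added example, not part of the assignment, showing two server-side controls that close that channel in modern browsers (both postdate this 2009 assignment): a SameSite=Lax session cookie, which the browser withholds on cross-site subresource loads, and a Fetch Metadata check that refuses to serve protected content to cross-site embeds. The resource name members.js and the sample request headers are constructed.

```python
"""Added example (not part of the assignment): server-side controls that keep a
cross-origin page from learning whether the visitor is logged in here.
Sample requests below are constructed."""


def session_cookie(value: str) -> str:
    """Set-Cookie header for the session. SameSite=Lax makes the browser omit
    the cookie on cross-site subresource loads (script, img, iframe), so a
    third-party page fetching a protected resource is treated as logged out;
    the cookie is still sent on top-level GET navigations."""
    return f"session={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


ALLOWED_SITES = {"same-origin", "same-site", "none"}


def allow_protected_request(method: str, headers: dict) -> bool:
    """Fetch Metadata resource-isolation check.

    Browsers that support Fetch Metadata send Sec-Fetch-Site / -Mode / -Dest
    on every request. Cross-site requests are refused unless they are an
    ordinary top-level navigation, so protected content is never served when
    another origin embeds it as a script, image or frame."""
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is None:  # older browser, no signal: rely on the cookie policy
        return True
    if site in ALLOWED_SITES:
        return True
    # cross-site: only plain top-level GET navigations pass
    return (
        h.get("sec-fetch-mode") == "navigate"
        and method.upper() == "GET"
        and h.get("sec-fetch-dest") not in {"object", "embed"}
    )


# Constructed sample requests for a protected resource, as a browser sends them.
SAMPLES = {
    "own page loads members.js":
        ("GET", {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "no-cors",
                 "Sec-Fetch-Dest": "script"}),
    "third-party page embeds members.js":
        ("GET", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors",
                 "Sec-Fetch-Dest": "script"}),
    "user follows a link from elsewhere":
        ("GET", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate",
                 "Sec-Fetch-Dest": "document"}),
    "legacy browser, no metadata":
        ("GET", {}),
}


def decisions() -> dict:
    """Serve/refuse decision for each constructed sample."""
    return {name: allow_protected_request(m, hdrs) for name, (m, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, ok in decisions().items():
        print(f"{'serve' if ok else 'refuse':6} {name}")
```

The two controls are complementary: the cookie attribute works even when the server does nothing else, while the header check also covers browsers whose cookies were set without SameSite and lets the server log refused cross-site loads as a signal that someone is probing its protected content.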
Deliverables
Create files named 1.html, 2.html, 3.html. You may also include a separate README file that includes any feedback you have on the assignment.
Submit your project using the standard class submission mechanism.
We are asking you to craft attacks to further your understanding of web application security. Do not send your malicious code to unwitting recipients. Please do not post your HTML files publicly.
Section Material
Here are the slides from the section.