CS142 Web Programming and Security

Project 4: Get Rich or Die Trying - Making Money on the Web, the Black Hat Way

Due: Wednesday, February 4, 2009

Having grown older and more mature since Project 3, you no longer play World of Warcraft. Now, you are all about becoming rich and famous no matter what it takes. You've decided to use your black hat skills to make the world a better place... for yourself.
Standard Notes:
  • This is an individual project.
  • Use the Firefox browser for this project, and for all projects in this class.
  • Unlike Project 1, you're pretending to be an attacker for this project, so your HTML files do not have to pass validation.
  • Unless noted otherwise, avoid the use of external scripts and stylesheets. Everything should be included in the HTML file.

Part 1. Get Rich - The (Almost) Five Finger Discount

You can't be a black hat without the proper gear. Go get yours.

1a. Simple Cookie Manipulation

First, you gotta get yours.

There is a shopping page with a severe flaw in it at http://www.dontrythisathome.com/p4/p1/shop.php. Your task is to buy this item for the minimum price. You'll find a cookie editor like https://addons.mozilla.org/en-US/firefox/addon/573 useful. Whenever you're successful in manipulating the price, the text "Your Order" should change to "Total", otherwise a hacker detection message will be printed. Save the contents of the cookie you use in a file called 1a.txt for submission.

1b. Advanced Cookie Manipulation

Your little brother is amazed at your skillz and wants one too. Hook him up.

The flawed shopping page is located at http://www.dontrythisathome.com/p4/p1/shop2.php. Your task is to buy this item for $24 total. This page behaves the same as the previous exercise, except now the cookie has a security measure built in: a checksum. Save the contents of the cookie you use in a file called 1b.txt for submission.
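As an added illustration from the defender's side (this is not part of the assignment and not the shop pages' own PHP), here is how a shop keeps the price out of the client's hands: the cookie names only the item and quantity, is signed with a server-held key, and the server re-derives the price from its own catalogue at checkout. The catalogue, prices and key are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed server-side catalogue (prices in cents). The client never supplies a
# price; the cookie only names the item, and the server looks the price up here.
CATALOGUE = {"hat": 2400, "shirt": 1500}

# Constructed demo key. A real shop loads this from configuration, never from source.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _mac(body: str) -> str:
    """Keyed tag over the cookie body; it cannot be recomputed without SERVER_KEY."""
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_cookie(item: str, qty: int) -> str:
    """Server side: build the cart cookie and sign it."""
    if item not in CATALOGUE or qty < 1:
        raise ValueError("unknown item or bad quantity")
    body = f"item={item};qty={qty}"
    return f"{body};mac={_mac(body)}"


def checkout(cookie: str) -> Optional[int]:
    """Return the amount to charge in cents, or None if the cookie is rejected."""
    fields = {}
    for kv in cookie.split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            fields[k] = v
    item, qty, tag = fields.get("item"), fields.get("qty"), fields.get("mac", "")
    if item is None or qty is None:
        return None
    # Verify the tag before trusting any field; the constant-time compare resists
    # guessing the correct tag byte by byte.
    if not hmac.compare_digest(_mac(f"item={item};qty={qty}"), tag):
        return None
    # Even with a valid tag, re-validate the values server side: unknown items,
    # zero or negative quantities and non-numeric input are all refused.
    if item not in CATALOGUE or not qty.isdigit() or int(qty) < 1:
        return None
    return CATALOGUE[item] * int(qty)
```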

Part 2. Get Fame - For the Love of the Game

As an honorable black hat, there are at least two rules you must follow:

  • Black Hat Rule #1: Gotta have your postdoc's back
  • Black Hat Rule #2: It's all for the love of the game

Light, your postdoc, is involved in an intense popularity poll battle, yo. Help him out by exploiting a flaw in the poll that allows a single person to vote multiple times. Remember, it's all for the love of the game.

The poll is located at http://www.dontrythisathome.com/p4/p2/poll1.php

  • The first thing you should do is figure out how the poll works and how you can bypass its check that prevents you from voting more than once. This doesn't require any code, just play around with your browser.
  • Once you're able to figure out how to bypass the check, craft a page that submits as many votes as possible for Light! Note that there is a hard limit. Javascript Time!

Part 3. Get Richer - Mo' Money, Mo' Problems

Why be a poor black hat when you can be a rich black hat? Use your skillz to pay the billz through click fraud and manipulation of the general populace!

3a. Click Fraud

Construct a page that looks exactly like http://www.dontrythisathome.com/p4/p3/list.html. However, should a user click anywhere on the page, he will actually be clicking on this image: http://www.dontrythisathome.com/p4/p3/ad.php. Note that clicking anywhere on the page should effectively be clicking on the image displayed on ad.php. (Make sure to view the source of ad.php.) Note that clicking on the ad produces text depending on whether or not click fraud was detected. A click on your webpage should NOT cause click fraud to be detected.

3b. Dance, Minions!

There's a contest to win a cool $1000 at http://www.dontrythisathome.com/p4/p3/contest.php, and you can enter multiple times! Seems like something ripe for a l33t black hat such as yourself. Since you love Light so much, you decide to make a ton of entries into the contest for him. Unfortunately, there's a CAPTCHA on this page, meaning you can't really write an automatic script to enter Light a bajillion times. Time to put the general populace to work! Construct an identical-looking contest entry page, such that the form submission actually submits an entry for you while having a member of the general populace, henceforth known as a lemming, solve the CAPTCHA for you. Submitting the form should display the same success message (use a hidden div).

Challenge Problem: Everlasting Fame (Optional)

Help Light win the poll again. This is moderately difficult, and you don't get extra credit for figuring it out, but you will become immortalized on the CS142 website for solving this problem. Craft a page to exploit a flaw in the poll to Light's advantage. Make sure Light wins. Please email the TAs the solution when you finish this problem, and we will post you on the webpage in order of who finishes first. http://www.dontrythisathome.com/p4/jedi-apprentice/poll2.php

People who found unexpected flaws (chronological order)

  • Christopher De Sa: negative values
  • James Mao: validation error
  • Eric Lovett: session injection

Deliverables

Create files named 1a.txt, 1b.txt, 2.html, 3a.html, 3b.html, and optionally 4.html. Each file is worth up to 3 points. You must also include a separate README file that details how much time you spent on each part and how hard it was for you (too easy, easy, good, hard, too hard). Feel free to add any feedback you have on the assignment, and anything else you need to tell us about your assignment that will help us to improve it. Submit your project using the standard class submission mechanism.

We are asking you to craft attacks to further your understanding of web application security. Do not send your malicious code to unwitting recipients. Please do not post your HTML files publicly.

Section Material

These will be up Friday after section

Here are the slides and the source file from this week's section: