CS142: Web Programming and Security

Project 5: V for Vendetta

Due: Wednesday, February 11, 2009, 11:59pm

Introduction

Having successfully gotten rich (as opposed to the alternative in project 4), you have long since ended your illustrious World of Warcraft career. Realizing that money isn't the most important thing in this world (you sentimental black hat, you!), you attempt to rejoin your homies, aka your Warcraft guild. You guys go way back, yo. Unfortunately, upon attempting reentry into their ranks, you discover that your guild has banned you because you were inactive for so long (makin' that chedda'), and that ruckus you caused in project 3 didn't gain you any favors either. After all you've done for them, this betrayal leaves a bitter taste in your mouth, and now all you focus on is revenge! (Notice a theme?)

Since they have effectively destroyed your social life, you are going to destroy theirs. Fortunately, you know their social network, MyWOWSpace1, is built on top of Elgg. They have chosen their battleground. It is time to pwn (own for the uninitiated) them.

Getting ready!

Before you start your rampage, a few words about the assignment.

Introducing Elgg

Elgg is a free open-source social networking platform. Anyone can download Elgg and install it on a web server running Apache, MySQL, and PHP. Older versions of Elgg contained exploitable security vulnerabilities that have since been patched. In this assignment, you will exploit some Cross-Site Request Forgery (CSRF) vulnerabilities in two different versions of Elgg. The attacks below are selected to reflect the different potential impacts of CSRF vulnerabilities. You will also exploit XSS vulnerabilities in our Elgg plugin.

The Black Hat (and Stanford) Honor Code

Even though the solutions for these CSRF vulnerabilities are on the Internet, we have included them for this project to give you a sample of real vulnerabilities. Any research on Elgg vulnerabilities on the Internet would thus undermine our intention to give you a taste of finding and exploiting real vulnerabilities. Therefore, such research constitutes an honor code violation.

Rules for Deliverables

  • Your solution is an HTML document that the grader will open using the web browser.
  • The grader will already be logged in to MyWoWSpace1 before loading your page.
  • The document should have no visible trace of forms or anything else used in the attack.
  • The address bar's URL should not change to any URL within MyWoWSpace1.
  • No part of the page should display anything from MyWoWSpace1.
  • Your solution should work with the latest release version of Firefox (Firefox 3.0.x).

Enter the Battleground

Please go to MyWOWSpace1 to register your account. Create an account that you will use as a victim account to test your exploits. In the spirit of the project, feel free to make a fun profile, but you must use your real first name and last name and must not put any inappropriate data on your profile.

Once you create an account take a few minutes to explore the service. Here are some links inside MyWOWSpace1:

Chapter 1: The Return of Fame

First things first, it's time to write an exploit page (1.html) to make yourself the most popular guy on MyWOWSpace1. Use your victim account to test your exploit page.

Like all social networks, MyWoWSpace1 allows you to add friends. However, Elgg's friendship functionality is not protected against CSRF. An attacker can make his victim add an arbitrary friend, including himself.

  • For the purpose of this chapter, pretend that you are Light.
  • The structure of this attack should be:
    1. A victim is logged into MyWoWSpace1
    2. Then open your HTML document. This should cause the victim to make a friend request to you (Light) on MyWoWSpace1.
  • Your exploit page should work without the use of JavaScript. We will turn off JavaScript when we grade.
  • Use an HTML tag as the basic component for this attack.

Chapter 2: Restoring the Truth About Your Nemeses

You are not content just to "befriend" everyone. After all, you have no friends and hate everybody. You see the other members of your guild bragging about themselves on their profiles, and desperately want to rewrite their profiles, because the truth about these bums MUST be known! Construct an HTML document to take over their accounts.

  • Elgg's account settings page has a CSRF vulnerability. Exploit this vulnerability to modify your victim's password to cs142.
  • You will have to properly set the hidden fields profile_id and id in the form.
  • This attack needs to work against your victim account and against Light's account.
  • Test it against your victim account to be sure it works.
  • We will test by logging in with Light's account, so make sure your code works for both by doing a double CSRF.

In real life you could have used the previous CSRF to know which username you have just hijacked. While this does not give extra points, you are encouraged to try it to get a better feeling of how real vulnerabilities are exploited. You can also improve your script so it works against any member. If you do one (or all) of these, include the improved file in your submission as 2extra.html.
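The friend-request and account-settings actions in Chapters 1 and 2 are forgeable because nothing in the request proves it came from a form the site itself served. The standard fix is a per-session synchronizer token; the handler below is an added example written for this page, not Elgg's own code, and assumes PHP 7+ sessions and a field name (csrf_token) of its own choosing.

```php
<?php
// Added example, not Elgg's own code: synchronizer-token protection for a
// state-changing action such as "add friend" or "change password".
// Assumes PHP 7+ sessions; the csrf_token field name is this example's choice.
declare(strict_types=1);
session_start();

// Issue one random token per session and embed it in every form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field for the friend-request and account-settings forms.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// A page on another origin cannot read the victim's session token, so a
// forged <img> or auto-submitted <form> arrives without it and is refused.
function csrf_check(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Action handler: require POST and a valid token before touching the account,
// whatever profile_id / id values the request also carries.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrf_check($_POST)) {
    http_response_code(403);
    exit('Rejected: missing or invalid anti-CSRF token');
}
// ... perform the friend request or password change for the logged-in user ...
```

Requiring POST on its own is not enough (a hidden auto-submitting form posts just as easily as an image tag fetches); the token is what binds the request to the victim's own session.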

Chapter 3: Bringing Armageddon With a Side of XSS, Black Hat Style

Some fellow WOW players have been smart enough not to visit your page from Chapter 2. Now you want to get them another way. You have found out that there is an XSS vulnerability in the file upload component. You decide to use it to steal other users' session IDs, which are stored in cookies.

  • Please submit the actual file, 3.xxx, where xxx is an extension you need to guess
  • This time this is an XSS vulnerability
  • The goal is to have a JavaScript alert that displays the victim's cookie.
  • Please remove the file as soon as possible so the others are not tempted to copy your solution.

In real life you would have used a CSRF or a DOM modification to steal the data. In the Elgg version used for our project this can be done quite easily by using a CSRF that exists within the mail script. While this does not give extra points, you are encouraged to do it to get a better feel for how real vulnerabilities are exploited. If you do, include the improved file as 3extra.html.
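The Chapter 3 upload bug works because the site hands a user-supplied file back to the browser in its own origin, where the browser is free to treat it as HTML, and because the session cookie is readable from script. The download handler below is an added example for this page, not Elgg's own code; the uploads directory and the inline allow-list are its own assumptions (PHP 7.3+).

```php
<?php
// Added example, not Elgg's own code: serve user uploads so that a file whose
// bytes are HTML or script is never rendered in the site's origin, and keep the
// session cookie out of document.cookie. The uploads directory and the inline
// allow-list are this example's assumptions (PHP 7.3+).
declare(strict_types=1);

// HttpOnly session cookie: script on the page cannot read it, so an
// alert(document.cookie) like the one in Chapter 3 shows nothing useful.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// Only these types are shown inline; everything else is forced to download.
const INLINE_TYPES = ['image/png', 'image/jpeg', 'image/gif'];

function upload_headers(string $path): array
{
    $type   = (string) mime_content_type($path);  // decided by content, not by the extension
    $inline = in_array($type, INLINE_TYPES, true);
    $name   = str_replace(['"', "\r", "\n"], '', basename($path));
    return [
        'Content-Type: ' . ($inline ? $type : 'application/octet-stream'),
        'X-Content-Type-Options: nosniff',            // browser must not re-sniff as text/html
        'Content-Disposition: ' . ($inline ? 'inline' : 'attachment') . '; filename="' . $name . '"',
        "Content-Security-Policy: default-src 'none'", // no script even if something slips through
    ];
}

function send_upload(string $uploadDir, string $requested): void
{
    // basename() drops any directory part; realpath() confirms the file exists.
    $path = realpath($uploadDir . '/' . basename($requested));
    if ($path === false || !is_file($path)) {
        http_response_code(404);
        return;
    }
    foreach (upload_headers($path) as $h) {
        header($h);
    }
    readfile($path);
}

send_upload(__DIR__ . '/uploads', $_GET['f'] ?? '');
```

Serving uploads from a separate origin (a dedicated download host) is the stronger fix; the headers above limit the damage when uploads must share the site's origin.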

Challenge Problem: Everlasting Fame Part Deux (Optional - No Extra Credit)

Security is about pushing the limit. So if you think you are a security pro then let's see which of you are the best and deserve the title of apprentice Jedi (Padawan).

Elgg is real software with real vulnerabilities. Plenty of them are unfixed, in particular in the old version we have used for MyWOWSpace1. Each one you find earns you more points. You can use anything you like to find bugs.

You are not authorized to test these vulnerabilities on dontrythisathome.com because it might hurt other students' work. Instead, download the two source code bundles (old version and new version) and run them on your computer or in a VM.

At the end of the week we will publish the ranking on the CS142 website. Because we are working on real software you are not allowed to share or disclose any of the vulnerabilities you find. Instead you report them to Tom as soon as you find them along with the exploit code and the browser on which they work.

We will compile your findings and make sure they will be patched and disclosed in a timely fashion with your name associated to it. So you will serve the light side of the force :)

The winner will be the one that will have the most points based on the following rating:

Vulnerabilities found in the old version

  • CSRF vulnerabilities: 1 point
  • XSS vulnerabilities: 2 points
  • Other vulnerabilities: 3 points

Vulnerabilities found in the new version

  • CSRF vulnerabilities: 10 points
  • XSS vulnerabilities: 20 points
  • Other vulnerabilities: 30 points

Deliverables

Create files named 1.html, 2.html, 3.xxx, and some e-mails to Tom :)

You must also include a separate README file that includes details of how much time you spent on each part and how hard it was for you (too easy, easy, good, hard, too hard). Feel free to add any feedback you have on the assignment, and any other things you need to tell us about your assignment that will help us improve it. Submit your project using the standard class submission mechanism.

We are asking you to craft attacks to further your understanding of web application security. Do not send your malicious code to unwitting recipients. Please do not post your HTML files publicly.

Section Material

Here are the section notes.