CS142: Web Programming and Security

Project 5: V for Vendetta

Due: Wednesday, February 11, 2009, 11:59pm

Introduction

Having successfully gotten rich (as opposed to the alternative in project 4), you have long since ended your illustrious World of Warcraft career. Realizing that money isn't the most important thing in this world (you sentimental black hat you!), you attempt to rejoin your homies, aka your Warcraft guild. You guys go way back, yo. Unfortunately, upon attempting reentry into their ranks, you discover that your guild has banned you because you were inactive for so long (makin' that chedda'), and that ruckus you caused in project 3 didn't gain you any favors either. After all you've done for them, this betrayal leaves a bitter taste in your mouth, and now all you focus on is revenge! (Notice a theme?)

Since they have effectively destroyed your social life, you are going to destroy theirs. Fortunately, you know their social network, MyWOWSpace1, is built on top of Elgg. They have chosen their battleground. It is time to pwn (own for the uninitiated) them.

Getting ready!

Before you start your rampage, a few words about the assignment.

Introducing Elgg

Elgg is a free open-source social networking platform. Anyone can download Elgg and install it on a web server; the server needs Apache, MySQL, and PHP. Elgg used to contain exploitable security vulnerabilities that have since been patched. In this assignment, you will exploit some Cross-Site Request Forgery (CSRF) vulnerabilities in two different versions of Elgg. The attacks below are selected to reflect the different potential impacts of CSRF vulnerabilities. You will also exploit XSS vulnerabilities in our Elgg plugin.

The Black Hat (and Stanford) Honor Code

Even though the solutions for these CSRF vulnerabilities are on the Internet, we have included them for this project to give you a sample of real vulnerabilities. Any research on Elgg vulnerabilities on the Internet would thus undermine our intention to give you a taste of finding and exploiting real vulnerabilities. Therefore, such research constitutes an honor code violation.

Rules for Deliverables

  • Your solution is an HTML document that the grader will open using the web browser.
  • The grader will be already logged in to both MyWoWSpace1 and MyWoWSpace2 with administrator privileges before loading your page.
  • You do not know the user ID of the victim in advance, so you cannot hard-code the user ID in your solution.
  • The document should have no visible trace of forms or anything else used in the attack.
  • The address bar's URL should not change to any URL within MyWoWSpace1 or MyWoWSpace2.
  • No part of the page should display anything from MyWoWSpace1 or MyWoWSpace2.
  • Your solution should work with the latest release version of Firefox (Firefox 3.0.x).
  • Individual parts have their own requirements. Please double-check!

Enter the Battleground

Please go to MyWOWSpace1 and MyWOWSpace2 to register for accounts. Create an account that you will use as a victim account to test your exploits. Have some fun when you build your own profiles and make friends with each other.

Chapter 1: The Return of Fame

First things first, it's time to write a page to make yourself the most popular guy on MyWOWSpace1. Use your victim account to test your exploit page.

Like all social networks, MyWoWSpace1 allows you to add friends. However, Elgg's friendship functionality is not protected against CSRF. An attacker can make his victim add an arbitrary friend, including himself.

  • For the purpose of this chapter, pretend that you are Light.
  • The structure of this attack should be: a victim is logged into MyWoWSpace1 and subsequently opens your HTML document, which causes the victim to make a friend request to you (Light) on MyWoWSpace1.
  • For this particular attack, you should not use any JavaScript.

Note: In a real attack, you would probably put your attack inside an individual or group blog on an Elgg social network, since the HTML tag this attack relies on is allowed by Elgg. JavaScript, however, is generally filtered, which makes it hard to mount a Cross-Site Scripting (XSS) attack that way.

Chapter 2: Restoring the Truth About Your Nemeses

You are not content just to "befriend" everyone. After all, you have no friends and hate everybody. You see the other members of your guild bragging about themselves on their profiles, and desperately want to rewrite their profiles, because the truth about these bums MUST be known! Construct an HTML document to take over their accounts.

The requirement for this problem is to write a page that will modify any visitor's password.

  • Elgg's account settings page has a CSRF vulnerability. Exploit this vulnerability to modify your victim's password to cs142.
  • The difficulty lies in the fact that you do not know the victim's id number in advance (see the hidden fields profile_id and id in the form). You need to make this attack work against any victim.
  • Test it against your victim account.

In real life you could use the previous CSRF attack to learn which username you have just hijacked, because the username of a person's account is embedded in his or her profile on Elgg.
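To see what the fix for Chapters 1 and 2 looks like on the server side, here is an added example (not Elgg's own code) of a CSRF-safe handler for an account-settings style action: it requires a per-session synchronizer token that a cross-site page cannot read, refuses to act on an account other than the one that owns the session, and rejects requests whose Origin header belongs to another site. The session store, field names, cookie name and site origin are constructed stand-ins.

```python
import hmac
import secrets

# Constructed stand-in for the server's session store: session id -> session data.
SESSIONS = {
    "sess_victim": {"user_id": 42, "csrf_token": secrets.token_hex(16)},
}
# Constructed site origin; a forged request from another page carries a different Origin.
SITE_ORIGIN = "http://mywowspace1.example"


def csrf_token_for(session_id):
    """Return the per-session token the server embeds as a hidden field in its own forms."""
    return SESSIONS[session_id]["csrf_token"]


def handle_settings_post(session_id, form, headers):
    """Process a password-change POST and return (accepted, reason).

    A cross-site page can make the victim's browser submit arbitrary form
    fields with the session cookie attached, but it cannot read the token out
    of the genuine settings page, so a forged submission is rejected here.
    """
    session = SESSIONS.get(session_id)
    if session is None:
        return False, "not logged in"
    # Browsers send Origin on cross-site POSTs; any foreign origin is rejected outright.
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False, "cross-origin request rejected"
    # Constant-time comparison so the token cannot be recovered byte by byte via timing.
    supplied = form.get("__csrf_token", "")
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return False, "missing or invalid CSRF token"
    # Hidden id fields are client-supplied data: act only on the session's own account.
    if str(form.get("id")) != str(session["user_id"]):
        return False, "id does not match the logged-in user"
    if not form.get("password"):
        return False, "empty password"
    return True, "password updated"
```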

Chapter 3: Bringing Armageddon With a Side of XSS, Black Hat Style

Some fellow WOW players have been smart enough not to visit your page from Chapter 2. Now you want to get them another way. You have found out that there is an XSS vulnerability in the file upload component. You decide to use it to steal other users' session IDs, which are stored in cookies.

Please submit the actual file, 3.xxx, where xxx is an extension you choose, uploaded to exploit the XSS vulnerability (hint hint). For the purpose of this assignment, simply use JavaScript's alert to display the victim's cookie. Please remove the file as soon as possible so that others cannot just copy your solution.
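The upload vulnerability in this chapter comes down to the server letting a browser render an uploaded file as a page on the site's own origin. The following added example (not the project's plugin code) shows the two defensive halves: refusing uploads whose bytes sniff as markup regardless of their declared type, and serving stored files with headers that keep the browser from executing them, together with an HttpOnly session cookie so that script cannot read the session ID at all. The allow-list, cookie name and header values are assumptions.

```python
import re

# Constructed allow-list of what the upload component is meant to accept.
ALLOWED_TYPES = {"image/png", "image/jpeg", "image/gif", "application/pdf"}

# Browsers sniff the leading bytes; anything that starts like markup may be run as HTML.
_MARKUP_MARKER = re.compile(rb"<\s*(!doctype|html|script|svg|body|iframe|img|object)", re.IGNORECASE)


def looks_like_markup(data: bytes) -> bool:
    """Return True if the first KiB contains a markup-like tag, whatever the file claims to be."""
    return bool(_MARKUP_MARKER.search(data[:1024]))


def accept_upload(declared_type: str, data: bytes) -> bool:
    """Accept only allow-listed types whose contents do not sniff as markup.

    The declared type comes from the client and is attacker-controlled, so the
    byte-level check is what actually stops an HTML or SVG file getting stored.
    """
    return declared_type in ALLOWED_TYPES and not looks_like_markup(data)


def download_headers(stored_type: str, filename: str) -> dict:
    """Response headers that make the browser download a stored file rather than render it."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    ctype = stored_type if stored_type in ALLOWED_TYPES else "application/octet-stream"
    return {
        "Content-Type": ctype,
        # nosniff: honour Content-Type instead of guessing "this looks like HTML".
        "X-Content-Type-Options": "nosniff",
        # attachment: never display inline, so no script context on the site's origin.
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # belt and braces: even if rendered, no script, no network, no same-origin access.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def session_cookie(session_id: str) -> str:
    """Set-Cookie value that keeps the session ID out of document.cookie (HttpOnly)."""
    return f"elggsess={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"
```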

Challenge Problem: Everlasting Fame Part Deux (Optional)

Security is about pushing the limit. So if you think you are a security pro, let's see which of you are the best and deserve the title of apprentice Jedi (Padawan).

Elgg is real software with real vulnerabilities. Plenty of them are unfixed, in particular in the old version we have used for MyWOWSpace1. Each time you find one, you get points. You can use anything you like to find bugs.

You are not authorized to test these vulnerabilities on dontrythisathome.com because it might hurt other students' work. Instead, download the source code for the old version or the new version and run it on your own computer or a VM.

At the end of the week we will publish the ranking on the CS142 website. Because we are working on real software, you are not allowed to share or disclose any of the vulnerabilities you find. Instead, report them to Tom as soon as you find them, along with the exploit code and the browser on which they work.

We will compile your findings and make sure they are patched and disclosed in a timely fashion with your name associated with them. So you will serve the bright side of the force :)

The winner will be the one with the most points based on the following rating:

MyWOWSpace1 vulnerabilities

  • CSRF vulnerabilities: 1 point
  • XSS vulnerabilities: 2 points
  • Other vulnerabilities: 3 points

MyWOWSpace2 vulnerabilities

  • CSRF vulnerabilities: 10 points
  • XSS vulnerabilities: 20 points
  • Other vulnerabilities: 30 points

Deliverables

Create files named 1.html, 2.html, 3.xxx, and some e-mails to Tom :)

You must also include a separate README file that details how much time you spent on each part and how hard it was for you (too easy, easy, good, hard, too hard). Feel free to add any feedback you have on the assignment, and anything else you need to tell us about your submission that will help us improve the assignment. Submit your project using the standard class submission mechanism.

We are asking you to craft attacks to further your understanding of web application security. Do not send your malicious code to unwitting recipients. Please do not post your HTML files publicly.

Section Material

These will be up Friday after section