CS155: Project 2 - Web Security

Spring 2010

Due: Part 1: Monday, May 3. Part 2: Monday, May 10.

Further clarifications and hints will be posted in the FAQ

Section 1 Slides [pdf]

Section 2 Slides [pdf]

Part 1. Attacks

The fictional "Zoobar Foundation" is has set up a simple web application at zoobar.org, allowing registered users to post profiles and transfer "zoobar" credits between each other. Each registered user starts with 10 zoobars.

You will craft a series of attacks on zoobar.org that exploit vulnerabilities in the website's design. Each attack presents a distinct scenario with unique goals and constraints, although in some cases you may be able to re-use parts of your code.

Although many real-world attackers do not have the source code for the web sites they are attacking, you are one of the lucky ones: source code is available. You won't actually need to look at the site's source code until Part 2, but it's there if you get stuck.

Your attacks will run in a restricted network environment that can only connect to zoobar.org and crypto.stanford.edu. We will run your attacks after wiping clean the database of registered users (except the user named "attacker"), so any data you submitted to zoobar.org while working on the assignment will not be present during grading. We reserve the right to delete users from the zoobar.org database at any time if it gets too large, so please keep local copies of any important data you submit there.

Setup

Mozilla Firefox. We will grade your project with default settings using the latest official release of the Mozilla Firefox browser at the time the project is due. We chose this browser for grading because it is widely available and can run on a variety of operating systems. There are subtle quirks in the way HTML and JavaScript are handled by different browsers, and some attacks that work in Internet Explorer (for example) may not work in Firefox. In particular, you should use the Mozilla way of adding listeners to events. We recommend that you test your code on Firefox before you submit, to ensure that you will receive credit for your work.

Email script. For Attacks A and C, you will need a server-side script to automatically email information captured by your client-side JavaScript code to the TAs for grading. We have provided this script for you. Please review the instructions at http://crypto.stanford.edu/cs155/hw_and_proj/proj2/sendmail.php and use that URL in your attack scripts to send emails. You may send as many emails as you like while working on the project, but please do not attack or abuse the email script.

Attack A. Cookie Theft

• Your solution is a URL starting with http://zoobar.org/users.php?
• The grader will already be logged in to zoobar.org before loading your URL.
• Your goal is to steal the document cookie and email it to yourself using the email script.
• Except for the browser address bar (which can be different), the grader should see a page that looks exactly as it normally does when the grader visits users.php. No changes to the site appearance or extraneous text should be visible. Avoiding the red warning text is an important part of this attack. (It's ok if the page looks weird briefly before correcting itself.)
• Hint: Here is an example attack to use as a starting point.

Attack B. Cross-Site Request Forgery

• Your solution is a short HTML document that the grader will open using the web browser.
• The grader will already be logged in to zoobar.org before loading your page.
• Transfer 10 zoobars from the grader's account to the "attacker" account. The browser should be redirected to http://crypto.stanford.edu/cs155/ as soon as the transfer is complete (so fast the user might not notice).
• The location bar of the browser should not contain zoobar.org at any point.

Attack C. Side Channels and Phishing

• Your solution is an HTML document that the grader will open using the web browser.
• The grader will run the code once while logged in to zoobar.org before loading your page.
• The grader will run the code a second time while not logged in to zoobar.org before loading your page.
• When the browser loads your document, the document should sniff out whether the user is logged into zoobar.org
• If the user is not logged in, present a html document visibly identical to the zoobar login page (this should be self contained in the html file you turn in)
  • When the "Log in" button is pressed, send the username and password (separated by a comma) using the email script.
  • Once the email is sent, log the user into the real zoobar.org website (the URL should change to something at zoobar.org).
  • The behavior for the Register button is left unspecified
• If the user is logged in then forward to Attack B described above.
• Hint: The same origin policy does not allow you to access the documents of another domain loaded into an iframe. What types of files can be directly accessed by another domain?

Attack D. Profile Worm

• Your solution is a profile that, when viewed, transfers 1 zoobar from the current user to a user called "attacker" (that's an actual username) and replaces the profile of the current user with itself.
• Your malicious profile may include a witty message to the grader (optional, but it helps us see that it replicated).
• To grade your attack, we will cut and paste the submitted profile file into the profile of the "attacker" user and view that profile using the grader's account. We will then view the copied profile with more accounts, checking for the transfer and replication.
• The transfer and replication should be reasonably fast (under 15 seconds). During that time, the grader will not click anywhere.
• During the transfer and replication process, the browser's location bar should remain at http://zoobar.org/users.php?user=username, where username is the user whose profile is being viewed. The visitor should not see any extra graphical user interface elements (e.g. frames), and the user whose profile is being viewed should appear to have 10 zoobars.
• You will not be graded on the corner case where the user viewing the profile has no zoobars to send.
• Hint: The site allows a sanitized subset of HTML in profiles, but you can get around it. This MySpace vulnerability may provide some inspiration.

Extra Fun (Optional and not extra credit). Password Theft

• Your solution is a short HTML document that the grader will open using the web browser.
• The grader will not be logged in to zoobar.org before loading your page.
• Upon loading your document, the browser should immediately be redirected to http://zoobar.org/. The grader will enter a username and password and press the "Log in" button.
• When the "Log in" button is pressed, send the username and password (separated by a comma) using the email script.
• The login form should appear perfectly normal to the user. No extraneous text (e.g. warnings) should be visible, and assuming the username and password are correct the login should proceed the same way it always does.
• Hint: The site uses htmlspecialchars() to sanitize the reflected username, but something is not quite right.

Deliverables

Create files named a.txt, b.html, c.html, d.txt, and if you are doing the extra fun section ef.html, containing each of your attacks. You should include the ID file the submit script asks for, and you may also include a separate README file (we would appreciate any feedback you may have on this assignment). Submit your project as pp2.part1 using /usr/class/cs155/bin/submit.

Grading

Beware of Race Conditions: Depending on how you write your code, all four of these attacks attacks could potentially have race conditions that affect the success of your attacks. Attacks that fail on the grader's browser during grading will receive less than full credit. To ensure that you receive full credit, you should wait after making an outbound network request rather than assuming that the request will be sent immediately.

Part 2: Defenses

Now that you've figured out how to hack the site, it's time to don your white hat and fix the vulnerabilities.

Setup

Web server. You will need a web server that can run PHP scripts while you are working on the second part of the assignment. We'll be testing your attacks on the grader's CGI-enabled Stanford personal web space, so we recommend that you use the same configuration to ensure that your web site will work. You will need to enable CGI on your Stanford account by following these instructions. Activation may take up to 24 hours, so be sure to get a head start.

Project files. Once you have CGI-enabled your personal web space, run the following command from a Leland machine to install the project website on your personal web space.

cp -r /usr/class/cs155/projects/pp2/zoobar ~/cgi-bin

SQL database. The website uses a flat file SQL database called txt-db-api to manage persistent user state. The database engine needs to be able to write to your db folder, so run this command to give it access:

fs setacl ~/cgi-bin/zoobar/db system:cgi-servers write

Your site can now be accessed at http://cgi.stanford.edu/~yourusername/zoobar/.

Goals

• Prevent Attacks A, B, C, D, and Extra Fun (Yes you must prevent his attack as well, even though you didn't exploit it yourself).
• Secure the site against any other cross-site scripting vulnerabilities you find.
• Secure the site against any other cross-site request forgery vulnerabilities you find.
    (Exception: You don't need to prevent attacks that merely force users to log out without their permission.)
• For defending against attack C:
  • Somehow figure out how to stop leaking the information that tells if the user is logged in
  • Do some browser history sniffing yourself to determine if the user has visited: http://crypto.stanford.edu/cs155/hw_and_proj/proj2/bad.html. If so then display a warning on the login page telling the user that their data may have been phished.
• Do not change the site's appearance or behavior on normal inputs, except for the sniffing defense for Attack C

Non-Goals

Do not add new files. Do not edit the files in the includes/ directory. Do not add new database tables or columns.

You will not receive credit for fixing any of the following issues: SQL injection vulnerabilities, attacks by other sites hosted on cgi.stanford.edu, database race conditions, buffer overflows, attacks that only work when register_globals is on, or lack of HTTPS.

There are no specific requirements for error messages on bad input. You can sanitize the input or simply die(), as long as you note your decision in the README file. Sanitizing is probably the more user-friendly option.

Deliverables

Submit the four files in the root directory of your site: index.php, users.php, transfer.php, login.php, and zoobars.js.php. Include the usual ID file. Also include a README file (required) with a one-sentence description of each change you made, and what types of user input (if any) will cause your site to refuse requests or show error messages.

Submit your project as pp2.part2 using /usr/class/cs155/bin/submit.

Honor code

In Part 1 of this assignment, we are asking you to craft attacks to further your understanding of web application security and the consequences of poor input validation. It is highly illegal and unethical to send malicious code to unwitting recipients. Do not distribute your attacks outside your group, and choose non-obvious usernames on zoobar.org so that other groups will not accidentally stumble upon your work.

An important aspect of the project is discovering the additional cross-site scripting vulnerabilities in Part 2, so we ask that you do not assist other groups in finding these vulnerabilities. Do not connect to the websites that other groups have set up for Part 2.