
FIT 3173 Software Security Assignment

FIT 3173 Software Security Assignment II (S1 2019)
Total Marks 100
Due on June 1st, 2019, Saturday noon, 11:59:59

1 Overview

The learning objective of this assignment is for you to gain first-hand experience in SQL injection attacks and cross-site scripting attacks, and to get a deeper understanding of how such vulnerabilities are exploited in real-world web applications. All tasks in this assignment can be done on "SeedVM" as used in labs.

2 Submission Policy

You need to submit a lab report describing what you have done and what you have observed, with screenshots whenever necessary; you also need to provide explanations or code for observations that are interesting or surprising. In your report, you need to answer all the questions listed in this manual. Typeset your report in .pdf format (make sure it can be opened with Adobe Reader) and name it in the format [Your Name]-[Student ID]-FIT3173-Assignment2, e.g., HarryPotter-12345678-FIT3173-Assignment2.pdf. Then, upload the PDF file to Moodle.

Note: the assignment is due on June 1st, 2019, Saturday, 11:59:59 (Firm!). Late submission penalty: 10 points deduction per day. Zero tolerance on plagiarism: if you are found cheating, penalties will be applied, i.e., a zero grade for the unit. University policies can be found at https://www.monash.edu/students/academic/policies/academic-integrity

3 SQL Injection Attack – Using SQLi Lab [50 Marks]

SQL injection is a code injection technique that exploits vulnerabilities in the interface between web applications and database servers. The vulnerability is present when user input is not correctly checked within the web application before being sent to the back-end database server. Many web applications take input from users and then use that input to construct SQL queries so that the application can pull information out of the database. Web applications also use SQL queries to store information in the database.
These are common practices in the development of web applications. When the SQL queries are not carefully constructed, SQL injection vulnerabilities can occur. The SQL injection attack is one of the most frequent attacks on web applications. In this part, we modify a web application called SQLi Lab, which is designed to be vulnerable to SQL injection. Although the vulnerabilities are artificially created, they capture common mistakes made by many web developers. Your goal in this part is to find ways to exploit the SQL injection vulnerabilities, demonstrate the damage that can be achieved by the attacks, and master the techniques that can mitigate such attacks.

The database of SQLi Lab, named Users, can be inspected and manipulated after logging in to the MySQL console with the following commands:

mysql -u root -pseedubuntu
show databases;
use Users;
describe credential;

3.1 Task 1: SQL Injection Attack on SELECT Statements [5 Marks]

In this task, you need to log into SQLi Lab at www.seedlabsqlinjection.com without providing a password. You can achieve this by using SQL injection. Normally, before users start using SQLi Lab, they need to log in using their user names and passwords. SQLi Lab displays a login window and asks users to input a username and password. The login window is shown in the following figure.

The authentication function is implemented in unsafe_home.php in the SQLi Lab root directory (i.e., /var/www/SQLInjection/). It uses the user-provided data to find out whether it matches the Username and Password fields of any record in the database. If there is a match, the user has provided a correct username and password combination and should be allowed to log in. Like most web applications, PHP programs interact with their back-end databases using the standard SQL language.
In SQLi Lab, the following SQL query is constructed in unsafe_home.php to authenticate users:

// create a connection
$conn = getDB();
// SQL query to authenticate the user
$sql = "SELECT id, name, eid, salary, birth, ssn, phoneNumber, address, email, nickname, Password FROM credential WHERE name='$input_uname' and Password='$hashed_pwd'";
// query
$result = $conn->query($sql);
if (found one record) then {allow the user to login}

In the above SQL statement, the variable $input_uname holds the string typed in the Username textbox, and $hashed_pwd holds the string typed in the Password textbox. The user's input in these two textboxes is placed directly in the SQL query string.

Q1: There is a SQL injection vulnerability in the above query. Can you log into another person's account without knowing the correct password? Explain your solution. Hint: you are not required to change the code.
[Marking scheme: 2.5 marks for the screenshot and 2.5 marks for the explanation and solution]

3.2 Task 2: SQL Injection on UPDATE Statements [10 Marks]

In this task, you need to make an unauthorised modification to the database. Your goal is to modify another user's profile using SQL injection. In SQLi Lab, if users want to update their profiles, they can click the Edit Profile link on the navigation bar and then fill out a form to update the profile information. After the user sends the update request to the server, an UPDATE SQL statement will be constructed in unsafe_edit_backend.php. The objective of this statement is to modify the current user's profile information in the credential table. There is a SQL injection vulnerability in this SQL statement. Please find the vulnerability, and then use it to do the following task:

Q2: Please point out the potential vulnerability, and explain how to achieve a SQL injection attack by utilising it.
[Marking scheme: 2.5 marks for the screenshot and 2.5 marks for the explanation]

Q3: Change another user's profile without knowing his/her password. For example, if you are logged in as Alice, your goal is to use the vulnerability to modify Ted's profile information (at least three items), including Ted's password. After the attack, you should be able to log into Ted's account. Explain your solution, and provide screenshots to support your ideas. Hint: the passwords stored in the database are hashed (SHA1). If you incorrectly modify the user name or password, you can recover by directly accessing MySQL.
[Marking scheme: 2.5 marks for the screenshot and 2.5 marks for the explanation and solutions]

3.3 Task 3: Countermeasure for UPDATE Statements [10 Marks]

In this task, you need to enable prepared statements as a countermeasure against SQL injection attacks. Here is an example of how to write a prepared statement based on the SELECT statement in Task 1:

$sql = "SELECT id, name, eid, salary, birth, ssn, phoneNumber, address, email, nickname, Password FROM credential WHERE name='$input_uname' and Password='$hashed_pwd'";

You can use a prepared statement to rewrite the above code, which is vulnerable to SQL injection attacks:

$stmt = $conn->prepare("SELECT id, name, eid, salary, birth, ssn, phoneNumber, address, email, nickname, Password FROM credential WHERE name= ? and Password= ?");
$stmt->bind_param("ss", $input_uname, $hashed_pwd);
$stmt->execute();
$stmt->bind_result($id, $name, $eid, $salary, $birth, $ssn, $phoneNumber, $address, $email, $nickname, $pwd);
$stmt->fetch();
$stmt->close();

Q4: Follow the above steps to fix the SQL injection vulnerability of the UPDATE statement on the Edit Profile page. Then, check whether you can still exploit the vulnerability or not. Provide your code, and briefly explain your solution with screenshots. Hint: the UPDATE statement is located in unsafe_edit_backend.php.
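As an added example (not code from the assignment or from SQLi Lab), the following Python script uses an in-memory sqlite3 database as a stand-in for the lab's MySQL credential table, with constructed columns and rows, and contrasts the string-concatenated UPDATE pattern of unsafe_edit_backend.php with a prepared statement. An ordinary nickname containing an apostrophe is enough to show that the concatenated version hands user data to the SQL parser, while the bound version stores it unchanged and only ever touches the logged-in user's row.

```python
import sqlite3

# Constructed stand-in for the lab's credential table (sqlite3 instead of MySQL);
# only the columns needed for the Edit Profile form are modelled here.
SCHEMA = """
CREATE TABLE credential (
    ID       INTEGER PRIMARY KEY,
    Name     TEXT NOT NULL,
    NickName TEXT,
    Email    TEXT,
    Address  TEXT,
    Password TEXT NOT NULL
);
INSERT INTO credential (ID, Name, NickName, Email, Address, Password) VALUES
    (1, 'Alice', 'alice', 'alice@example.test', 'Street 1', 'sha1-of-alice-pw'),
    (2, 'Ted',   'ted',   'ted@example.test',   'Street 2', 'sha1-of-ted-pw');
"""


def open_lab_db():
    """Return a fresh in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def update_profile_unsafe(conn, user_id, nickname, email, address):
    """Same pattern as the vulnerable statement: form values are pasted into
    the SQL text, so the database parser sees data and code as one string."""
    sql = ("UPDATE credential SET NickName='%s', Email='%s', Address='%s' "
           "WHERE ID=%d" % (nickname, email, address, user_id))
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_profile_safe(conn, user_id, nickname, email, address):
    """Prepared statement: the query text is fixed and the values are bound.
    The target row comes from the session's user ID, never from the form."""
    cur = conn.execute(
        "UPDATE credential SET NickName=?, Email=?, Address=? WHERE ID=?",
        (nickname, email, address, user_id))
    conn.commit()
    return cur.rowcount


def profile(conn, user_id):
    """Read back the editable fields of one user."""
    return conn.execute(
        "SELECT NickName, Email, Address FROM credential WHERE ID=?",
        (user_id,)).fetchone()


def demo():
    """Feed an ordinary value containing a quote through both versions."""
    conn = open_lab_db()
    nickname = "O'Brien"  # legitimate data; the apostrophe is the tell-tale
    try:
        update_profile_unsafe(conn, 1, nickname, "alice@example.test", "Street 1")
        unsafe_outcome = "accepted"
    except sqlite3.OperationalError as exc:
        # The quote ended the string literal early: the value was parsed as SQL.
        unsafe_outcome = "SQL syntax error: %s" % exc
    update_profile_safe(conn, 1, nickname, "alice@example.test", "Street 1")
    return unsafe_outcome, profile(conn, 1)


if __name__ == "__main__":
    outcome, row = demo()
    print("concatenated UPDATE:", outcome)
    print("prepared UPDATE stored:", row)
```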
[Marking scheme: 5 marks for the screenshot and 5 marks for the explanation and solutions]

3.4 Task 4: Second-order Attacks [25 Marks]

In this task, you need to perform second-order attacks to achieve different adversarial goals. Unlike direct injection flaws, where the injected query is executed immediately, second-order attacks delay the execution until a later time. This means a malicious user can first inject a query fragment into one query, where it is stored and later treated as a trusted source. Then, the injected SQL will be executed in a secondary query that is vulnerable to SQL injection. We have extended SQLi Lab to assist you in exploring second-order attacks and completing this task. You need to download all PHP source files of unsafe_home.php, unsafe_edit_frontend.php, unsafe_task_load.php, unsafe_view_order.php, and unsafe_tasks_view.php from Moodle and place them in the same website directory. For instance, you can follow the commands below to copy the file unsafe_home.php located in /home/seed/Documents to that website directory:

$ su root
Password: (enter root password "seedubuntu")
# cp /home/seed/Documents/unsafe_home.php /var/www/SQLInjection/

We also upgraded the database of SQLi Lab to enrich the website's features. That is, a user can add tasks, set a task sort preference, and view all his/her declared tasks. Note that you need to download a database script file, script.sql, from Moodle and execute it in the MySQL console before you can use these new features. For instance, you can follow the commands below to execute that script when it is stored in /home/seed/Documents. The execution will update your database schema and insert new data as follows:

mysql -u root -pseedubuntu
show databases;
use Users;
source /home/seed/Documents/script.sql

- Table tasks(TaskID, Name, Hours, Amount, Description, Owner, Type) stores the tasks of users, in which tasks(Owner) is a foreign key referring to credential(ID). Hence, only existing users in the table credential can create new tasks.
  You can use the command describe tasks; to learn more about this table schema.
- Table preference(PreferenceID, favourite, Owner) records the task sort preference of users, in which preference(Owner) is a foreign key referring to credential(ID). Existing users can select one of the task fields as their sorting favourite. For instance, the following figure demonstrates how Alice can set her preference as Hours increasing. You can use the command describe preference; to learn more about this table schema.
- Function userIdMaxTasks() returns the ID of the user who has the maximum number of tasks in your database. In the MySQL console, you can use the command select userIdMaxTasks(); to retrieve that result.
- Function generateRandomUser() adds a new random user (with a random Name and Password) to the table credential. In the MySQL console, you can use the command select generateRandomUser(); to perform this addition.
- Function getNewestUserId() returns the ID of the most recently created user in the table credential.
- Stored procedure copyTasksToUser(in userID int(6) UNSIGNED) copies all tasks of other users to the user having that userID. You need to make sure the user with that userID exists in the table credential before using this stored procedure. For instance, in the MySQL console, you can use the command call copyTasksToUser(6); to copy all tasks of other users to an existing user with userID=6.

Q5: In a normal scenario, a user can add a new task multiple times and update his/her view preference with sorting by asc or desc. However, the website is vulnerable to second-order attacks when the user views all tasks. You can choose one of the following options to complete this task. Note that you will get 0 marks if you complete the task without performing the second-order attack (i.e., by manipulating the database manually in the MySQL console).
Option 1 (5 marks): You need to perform the attack to display all the tasks of the user who has the maximum number of tasks when you view your tasks.
[Marking scheme: 5 marks only given if you have a solid demonstration and explanation of how you inject queries and how the attack works in your case.]
If you achieve the adversarial goal successfully, you will obtain a result like the following figure. Note that the second table in the figure displays the tasks of that victim.

Option 2 (15 marks): You need to perform a sequence of second-order attacks in order to transfer all the tasks of users to a new malicious user that you created. Note that creating that malicious user also has to be done by using a second-order attack.
[Marking scheme: 15 marks only given if you have a solid demonstration and explanation of how you inject queries and how the attack works in your case to achieve that adversarial goal.]
If you achieve the adversarial goal successfully, you will obtain a result like the following figure. Note that the second table in the figure displays the malicious user who has the maximum number of tasks. The first table is blank because no task remains for the user Ted.

Q6 (5 marks): This question is independent of your selected option in Q5. In this question, you need to perform a second-order attack on SQLi Lab to attack the performance of your MySQL server.
[Marking scheme: 5 marks only given if you have a solid demonstration and explanation of how you inject queries and how the attack works in your case.]
Hint: you can delay the query execution or shut down your MySQL server when a user views his/her declared tasks.

Table 1: User credentials
User     UserName   Password
Admin    admin      seedelgg
Alice    alice      seedalice
Boby     boby       seedboby
Charlie  charlie    seedcharlie
Samy     samy       seedsamy

Q7 (5 marks): Provide your theoretical mitigation solution against the second-order attacks in your selected option of Q5.
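As an added example for Q7 (not the lab's own code), this Python/sqlite3 script assumes that the task view builds its ORDER BY clause from the favourite value stored in the preference table; it shows that a prepared INSERT alone does not prevent a second-order problem, because the stored value is spliced into a later query, and that the mitigation is to rebuild that clause only from an allowlist of column names and sort directions. The schema and rows are constructed here.

```python
import sqlite3

# Constructed stand-in for the lab's extended schema (sqlite3 instead of MySQL):
# tasks(Owner) and preference(Owner) refer to credential(ID) as on the page.
SCHEMA = """
CREATE TABLE credential (ID INTEGER PRIMARY KEY, Name TEXT NOT NULL);
CREATE TABLE tasks (
    TaskID INTEGER PRIMARY KEY, Name TEXT, Hours INTEGER, Amount INTEGER,
    Description TEXT, Owner INTEGER REFERENCES credential(ID), Type TEXT
);
CREATE TABLE preference (
    PreferenceID INTEGER PRIMARY KEY, favourite TEXT,
    Owner INTEGER REFERENCES credential(ID)
);
INSERT INTO credential VALUES (1, 'Alice'), (2, 'Ted');
INSERT INTO tasks VALUES
    (1, 'write report', 5, 100, '', 1, 'doc'),
    (2, 'fix bug',      2, 300, '', 1, 'code'),
    (3, 'deploy',       8, 200, '', 1, 'ops');
"""

# The only tokens that may ever be spliced into the ORDER BY clause.
ALLOWED_COLUMNS = {"TaskID", "Name", "Hours", "Amount", "Description", "Type"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def open_tasks_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def set_preference(conn, owner, favourite):
    """First-order safe: the prepared INSERT stores the value exactly as sent."""
    conn.execute("DELETE FROM preference WHERE Owner=?", (owner,))
    conn.execute("INSERT INTO preference (favourite, Owner) VALUES (?, ?)",
                 (favourite, owner))
    conn.commit()


def stored_preference(conn, owner):
    row = conn.execute("SELECT favourite FROM preference WHERE Owner=?",
                       (owner,)).fetchone()
    return row[0] if row else "TaskID ASC"


def view_tasks_unsafe(conn, owner):
    """Second-order sink (assumed lab shape): a stored value is glued into SQL."""
    sql = ("SELECT Name FROM tasks WHERE Owner=%d ORDER BY %s"
           % (owner, stored_preference(conn, owner)))
    return [r[0] for r in conn.execute(sql)]


def order_clause(favourite):
    """Rebuild the ORDER BY fragment from allowlisted tokens only."""
    parts = favourite.split()
    if len(parts) != 2:
        raise ValueError("preference must be '<column> <asc|desc>'")
    column, direction = parts[0], parts[1].upper()
    if column not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError("stored preference is not an allowed sort key")
    return "%s %s" % (column, direction)


def is_valid_preference(favourite):
    try:
        order_clause(favourite)
        return True
    except ValueError:
        return False


def view_tasks_safe(conn, owner):
    """Owner is bound; the ORDER BY text can only come from the allowlist."""
    sql = ("SELECT Name FROM tasks WHERE Owner=? ORDER BY "
           + order_clause(stored_preference(conn, owner)))
    return [r[0] for r in conn.execute(sql, (owner,))]
```

Storing "Amount desc, Hours asc" succeeds in set_preference without complaint, yet view_tasks_unsafe then sorts by it, which is the second-order path; view_tasks_safe refuses the same stored value.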
You do not need to change the PHP source files for this question.
[Marking scheme: 5 marks only given if you have a solid explanation.]

4 Cross-Site Scripting (XSS) Attack – Using Elgg [50 Marks]

Cross-site scripting (XSS) is a type of vulnerability commonly found in web applications. This vulnerability makes it possible for attackers to inject malicious code (e.g., JavaScript programs) into the victim's web browser. Using this malicious code, attackers can steal a victim's credentials, such as session cookies. The access control policies (i.e., the same-origin policy) employed by browsers to protect those credentials can be bypassed by exploiting the XSS vulnerability. Vulnerabilities of this kind can potentially lead to large-scale attacks.

To demonstrate what attackers can do by exploiting XSS vulnerabilities, we have set up a web application named Elgg in our pre-built Ubuntu VM image. Elgg is a very popular open-source web application for social networking, and it has implemented a number of countermeasures to remedy the XSS threat. To demonstrate how XSS attacks work, we have commented out these countermeasures in our Elgg installation, intentionally making Elgg vulnerable to XSS attacks. Without the countermeasures, users can post arbitrary messages, including JavaScript programs, to user profiles. You need to exploit this vulnerability by posting some malicious messages to their profiles; users who view these profiles will become victims.

4.1 Environment Configuration

This lab can only be conducted in the SEEDUbuntu 16.04 VM, because of the configurations that we have performed to support this lab. In this part, we need three things, all of which are already installed in the provided VM image: (1) the Firefox web browser, (2) the Apache web server, and (3) the Elgg web application. For the browser, you need to use the LiveHTTPHeaders extension for Firefox to inspect the HTTP requests and responses.
The pre-built Ubuntu VM image provided to you already has the Firefox web browser installed with the required extensions.

Elgg Web Application. We use an open-source web application called Elgg in this part. Elgg is a web-based social-networking application. It is already set up in the pre-built Ubuntu VM image. We have also created several user accounts on the Elgg server, and the credentials are given in Table 1.

DNS Configuration. We have configured the following URL needed for this lab. The folder where the web application is installed and the URL to access it are as follows:

URL: http://www.xsslabelgg.com/
Folder: /var/www/XSS/Elgg

The above URL is only accessible from inside the virtual machine because we have modified the /etc/hosts file to map the domain name of each URL to the virtual machine's local IP address (127.0.0.1). You may map any domain name to a particular IP address using /etc/hosts. For example, you can map http://www.example.com to the local IP address by appending the following entry to /etc/hosts:

127.0.0.1 www.example.com

If your web server and browser are running on two different machines, you need to modify /etc/hosts on the browser's machine accordingly to map these domain names to the web server's IP address, not to 127.0.0.1.

Apache configuration. In our pre-built VM image, we used the Apache server to host all the web sites used in the lab. The name-based virtual hosting feature in Apache can be used to host several web sites (or URLs) on the same machine. A configuration file named 000-default.conf in the directory "/etc/apache2/sites-available" contains the necessary directives for the configuration. Inside the configuration file, each web site has a VirtualHost block that specifies the URL for the web site and the directory in the file system that contains the sources for the web site.
The following examples show how to configure a website with URL http://www.example1.com and another website with URL http://www.example2.com:

ServerName http://www.example1.com
DocumentRoot /var/www/Example1

ServerName http://www.example2.com
DocumentRoot /var/www/Example2

You may modify the web application by accessing the source in the mentioned directories. For example, with the above configuration, the web application http://www.example1.com can be changed by modifying the sources in the /var/www/Example1/ directory. After a change is made to the configuration, the Apache server needs to be restarted. See the following command:

$ sudo service apache2 start

4.2 Task 1: Posting a Malicious Message to Display an Alert Window [10 Marks]

The objective of this task is to embed a JavaScript program in your Elgg profile, such that when another user views your profile, the JavaScript program will be executed and an alert window will be displayed. The following JavaScript program will display an alert window:

If you embed the above JavaScript code in your profile (e.g., in the brief description field), then any user who views your profile will see the alert window. In this case, the JavaScript code is short enough to be typed into the brief description field. If you want to run a long JavaScript program but are limited by the number of characters you can type in the form, you can store the JavaScript program in a standalone file, save it with the .js extension, and then refer to it using the src attribute of the script tag. In the above example, the page will fetch the JavaScript program from http://www.example.com, which can be any web server.

Q1: Try to fetch the JavaScript from the server you configured, describe your observation, and provide a screenshot to show the alert. Hint: You need to set up a server (e.g., www.example.com) and put the above JavaScript there. You can modify one user's profile (e.g., alice), and view his/her profile as admin.
[Marking scheme: 5 marks for the screenshot and 5 marks for the explanation and solutions]

4.3 Task 2: Stealing Cookies from the Victim's Machine [10 Marks]

The objective of this task is to steal the cookies from the victim's machine. First, you can embed a JavaScript program in your Elgg profile, such that when another user views your profile, the user's cookies will be displayed in the alert window. This can be done by adding some additional code to the JavaScript program in the previous task:

The malicious JavaScript code written by the attacker can print out the user's cookies, but only the user can see the cookies, not the attacker. In this task, the attacker wants the JavaScript code to send the cookies to himself/herself. To achieve this, the malicious JavaScript code needs to send an HTTP request to the attacker, with the cookies appended to the request. We can do this by having the malicious JavaScript insert an img tag with its src attribute set to the attacker's machine. When the JavaScript inserts the img tag, the browser tries to load the image from the URL in the src field; this results in an HTTP GET request sent to the attacker's machine. The JavaScript given below sends the cookies to port 5555 of the attacker's machine (with IP address 10.1.2.5), where the attacker has a TCP server listening on the same port.

A commonly used program by attackers is netcat (or nc), which, if running with the "-l" option, becomes a TCP server that listens for a connection on the specified port. This server program basically prints out whatever is sent by the client and sends to the client whatever is typed by the user running the server. Type the command below to listen on port 5555:

$ nc -l 5555 -v

The "-l" option is used to specify that nc should listen for an incoming connection rather than initiate a connection to a remote host. The "-v" option is used to have nc give more verbose output. The task can also be done with only one VM instead of two.
For one VM, you should replace the attacker's IP address in the above script with 127.0.0.1. Start a new terminal and then type the nc command above.

Q2: Accomplish the above attack, and use the TCP server program to capture the fetched cookie. Describe your observation, and provide a screenshot to support your ideas. Hint: the IP address of your local host can be set to 127.0.0.1.
[Marking scheme: 5 marks for the screenshot and 5 marks for the explanation and solutions]

4.4 Task 3: Modifying the Victim's Profile [10 Marks]

The objective of this task is to modify the victim's profile when the victim visits Samy's page. You will write an XSS worm to complete the task. This worm does not self-propagate; in Task 4, we will make it self-propagating. You need to write a malicious JavaScript program that forges HTTP requests directly from the victim's browser, without the intervention of the attacker. To modify the profile, you should first find out how a legitimate user edits or modifies his/her profile in Elgg. More specifically, you need to figure out how the HTTP POST request is constructed to modify a user's profile. You can use Firefox's HTTP inspection tool. Once you understand what the modify-profile HTTP POST request looks like, you can write a JavaScript program to send out the same HTTP request. We provide you the following JavaScript template to help you complete this task.

The above code should be placed in the "About Me" field of Samy's profile page. This field provides two editing modes: Editor mode (default) and Text mode. The Editor mode adds extra HTML code to the text typed into the field, while the Text mode does not. Since we do not want any extra code added to our attacking code, the Text mode should be enabled before entering the above JavaScript code. This can be done by clicking on "Edit HTML", which can be found at the top right of the "About Me" text field.
Q3: 1) Accomplish the above attack, describe your observation, and provide a screenshot to support your ideas. 2) Please explain lines 1, 2, and 3. Remove line 3, and repeat your attack. Report and explain your observation. Hint: You may use the HTTP inspection tool to see what the HTTP request looks like.
[Marking scheme: 1) 5 marks for the screenshot and 5 marks for the explanation and solutions, 2) 2 marks for the screenshot and 3 marks for the explanation and solutions]

4.5 Task 4: Writing a Self-Propagating XSS Worm [15 Marks]

In this task, you need to create an advanced XSS worm that can propagate itself. Namely, whenever some people view an infected profile, not only will their profiles be modified, but the worm will also be propagated to their profiles, further affecting others who view these newly infected profiles. We provide example JavaScript code to assist you in finishing this task. You can download the example self-propagate-worm.js from Moodle. The malicious code uses DOM APIs to retrieve a copy of itself from the web page, and sends HTTP POST requests to modify other users' profiles. You should try to embed this code into the malicious user's (i.e., Samy's) profile in order to accomplish the above attack.

Q4: You can directly embed the code into Samy's profile to accomplish the attack. However, some real-world web applications implement countermeasures to sanitise the input. You can choose one of the following options to complete this task.

Option 1 (5 marks): You need to fill the "About Me" field in Samy's profile with the malicious code (see the figure below), and use Alice's account to access Samy's page to see what happens. Then, try to use Boby's account to access Alice's page. Explain your observation, and provide screenshots to support your ideas.
[Marking scheme: 2 marks for the screenshot and 3 marks for the explanation and solutions]

Option 2 (15 marks): 1) Substitute the "Edit Profile" with a secure version, try to fill the "About Me" field in Samy's profile with the malicious code, describe your observation, and provide screenshots to support your ideas. 2) Try to conduct the self-propagating XSS worm attack in the new "Edit Profile"; briefly explain your solution with sufficient screenshots.
[Marking scheme: 1) 2 marks for the screenshot and 3 marks for the observation, 2) 5 marks for the screenshot and 5 marks for the explanation and solutions]

We have provided the secure "Edit Profile" to help you finish the first sub-task. You can download the file Edit.php from Moodle and use it to substitute the Edit.php in /var/www/XSS/Elgg/vendor/elgg/elgg/actions/. After doing so, restart the Apache server by using the following command:

$ sudo service apache2 start

Now the "Edit Profile" in the Elgg website is secured by some input filtering mechanisms. For sub-task 2, we provide another self-propagating XSS worm script (i.e., self-propagate-worm2.js on Moodle). As the