FIT 3173 Software Security Assignment II (S1 2021) Total Marks 100 Due on May 26, 2021, Wednesday, 23:59:59 1 Overview The learning objective of this assignment is for you to gain a first-hand experience on SQL injection attacks and cross-site scripting attacks and get a deeper understanding on how to exploit the vulnerability in real- world web applications. All tasks in this assignment can be done on “SeedVM” as used in labs. 2 Submission Policy You need to submit a lab report to describe what you have done and what you have observed with screen shots whenever necessary; you also need to provide explanation on how the attacks work or codes to the observations that are interesting or surprising. In your report, you need to answer all the questions listed in this manual. Please answer each question using at most 100 words. Typeset your report into .pdf format (make sure it can be opened with Adobe Reader) and name it as the format: [Your Name]-[Student ID]- FIT3173-Assignment2, e.g., HarryPotter-12345678-FIT3173-Assignment2.pdf. All source code if required should be embedded in your report. In addition, if a demonstration video is required, you should record your screen demonstration with your voice explanation and upload the video to your Monash Google Drive. The shared URL of the video should be mentioned in your report wherever required. You can use this free tool to make the video:https://monash-panopto.aarnet.edu.au/ ; other tools are also fine. Then, please upload the PDF file to Moodle. Note: the assignment is due on May 26, 2021, Wednesday midnight, 23:59:59. Late submission penalty: 10 points deduction per day. If you require a special consideration, the application should be submitted to the central university. Zero tolerance on plagiarism: If you are found cheating, penalties will be applied, i.e., a zero grade for the unit. University polices can be found at https://www.monash.edu/students/academic/policies/academic-integrity. 3 SQL Injection Attack – Using SQLi Lab [50 Marks] SQL injection is a code injection technique that exploits the vulnerabilities in the interface between web ap- plications and database servers. The vulnerability is presented when user’s inputs are not correctly checked within the web applications before sending to the back-end database servers. Many web applications take inputs from users, and then use these inputs to construct SQL queries, so the web applications can pull the information out of the database. Web applications also use SQL queries to store information in the database. These are common practices in the development of web applications. When the SQL queries are not carefully constructed, SQL-injection vulnerabilities can occur. SQL-injection attacks is one of the most frequent attacks on web applications. In this part, we modify a web application called SQLi Lab, which is designed to be vulnerable to the SQL-Injection attack. Although the vulnerabilities are artificially created, they capture the common mistakes made by many web developers. Your goal in this part is to find ways to exploit the SQL-injection vulnerabilities, demonstrate the damage that can be achieved by the attacks, and master the techniques that can mitigate such attacks. 1 The database of SQLi Lab, named Users, can be traced and manipulated when we login to MySQL Console by using following commands: mysql -u root -pseedubuntu show databases; use Users; describe credential; 3.1 Task 1: SQL Injection Attack on SELECT Statements [5 Marks] In this task, you need to manage to log into SQLi Lab at www.seedlabsqlinjection.com, without providing a password. You can achieve this by using SQL injection. Normally, before users start using SQLi Lab, they need to login using their user names and passwords. SQLi Lab displays a login window to users and ask them to input username and password. The login window is displayed in the following: The authentication function is implemented by unsafe home.php in the SQLi Lab root directory (i.e., /var/www/SQLInjection/). It uses the user-provided data to find out whether they match with the Username and Password fields of any record in the database. If there is a match, it means the user has provided a correct username and password combination, and should be allowed to login. Like most web applications, PHP programs interact with their back-end databases using the standard SQL language. In SQLi Lab, the following SQL query is constructed in unsafe home.php to authenticate users: // create a connection $conn = getDB(); // Sql query to authenticate the user $sql = "SELECT id, name, eid, salary, birth, ssn, phoneNumber, address, email,nickname,Password FROM credential WHERE name= ’$input_uname’ and Password=’$hashed_pwd’"; // query $result = $conn->query(sql); if (found one record) then {allow the user to login} In the above SQL statement, the variable $input uname holds the string typed in the Username textbox, and $hashed pwd holds the string typed in the Password textbox. User’s inputs in these two textboxs are placed directly in the SQL query string. 2 There is a SQL-injection vulnerability in the above query. Can you log into another person’s account without knowing the correct password? Explain your solution. Hint: you are not required to change the code. [Marking scheme: In your report, 2.5 marks for the screenshot and 2.5 marks for the explanation of why the attack works of the solution] Question 1 3.2 Task 2: SQL Injection on UPDATE Statements [10 Marks] In this task, you need to make an unauthorised modification to the database. Your goal is to modify another user’s profile using SQL injections. In SQLi Lab, if users want to update their profiles, they can click the Edit Profile link on the navigation bar, and then fill out a form to update the profile information. After the user sends the update request to the server, an UPDATE SQL statement will be constructed in unsafe edit backend.php. The objective of this statement is to modify the current user’s profile information in the credential table. There is a SQL injection vulnerability in this SQL statement. Please find the vulnerability, and then use it to do the following task: Please point out the potential vulnerability, and explain how to achieve a SQL Injection attack by utilizing it. [Marking scheme: In your report, 2.5 marks for the screenshot and 2.5 marks for the explanation] Question 2 Change another user’s profile without knowing his/her password. For example, if you are logged in as Alice, your goal is to use the vulnerability to modify Ted’s profile information (at least three items), including Ted’s password. After the attack, you should be able to log into Ted’s account. Explain your solution focusing also on how and why the attack works, and provide the screen shots to support your ideas. Hint: the passwords stored in database are hashed (SHA1). If you incorrectly modify the user name or password, you can recover by directly accessing the MySQL. [Marking scheme: 2.5 marks for the screenshot and 2.5 marks for the explanation of solutions] Question 3 3.3 Task 3: Countermeasure for UPDATE Statements[10 Marks] Setup Remark: You need to set the read/write permission for the seed user on the current website directory before doing this task by following the below commands on your terminal. Note that the . is important to indicate the path to the current directory. $ cd /var/www/SQLInjection/ $ sudo chmod -R 777 . 3 In this task, you need to enable the prepared statement as a countermeasure against the SQL injection attacks. Here is an example of how to write a prepared statement based on the SELECT statement in Task 1. $sql = "SELECT id, name, eid, salary, birth, ssn, phoneNumber, address, email,nickname,Password FROM credential WHERE name= ’$input_uname’ and Password=’$hashed_pwd’"; You can use the prepared statement to rewrite the above code that is vulnerable to SQL injection attacks: $stmt = $conn->prepare("SELECT id, name, eid, salary, birth, ssn, phoneNumber, address, email,nickname,Password FROM credential WHERE name= ? and Password= ?"); $stmt->bind_param("ss", $input_uname, $hashed_pwd); $stmt->execute(); $stmt->bind_result($id, $name, $eid, $salary, $birth, $ssn, $phoneNumber, $address, $email, $nickname, $pwd); $stmt->fetch(); $stmt->close(); Follow the above steps to fix the SQL injection vulnerability of UPDATE statement on the Edit Profile page. Then, check whether you can still exploit the vulnerability or not. Provide your code, and briefly explain your solution with screenshots. Hint: the UPDATE statement is located in unsafe edit backend.php. [Marking scheme: In your report, 5 marks for the screenshot and 5 marks for the explanation of the solutions] Question 4 3.4 Task 4: Second order Attacks [25 Marks] In this task, you need to perform second order attacks to achieve different adversarial goals. Unlike direct injection flaws that execute injected queries immediately, second order attacks delay the execution until a later time. This means a malicious user can first inject a query fragment into a query as a trusted source. Then, the injected SQL will be executed in a secondary query that is vulnerable to SQL injection. We have extended SQLi Lab to assist you in exploring second order attacks and completing this task. You need to download all PHP source files of unsafe home.php, unsafe edit frontend.php, unsafe task load.php, unsafe view order.php, and unsafe tasks view.php from Moo- dle and place them to the same website’s directory. For instance, you can use the following command to copy the file unsafe home.php located in /home/seed/Documents to that website’s directory. $ su root Password: (enter root password "seedubuntu") # cp /home/seed/Documents/unsafe_home.php /var/www/SQLInjection/ 4 We also upgraded the database of SQLi Lab to enrich the website’s features. These features are the following: a user can add tasks, set task sort preference, and view all his/her declared tasks. Note that you need to download a database script file, script.sql, from Moodle and execute it with MySQL Console before you can use these new features. For instance, you can follow the following commands to execute that script when it is stored in /home/seed/Documents. The execution will update your database scheme and insert new data as follows: mysql -u root -pseedubuntu show databases; use Users; source /home/seed/Documents/script.sql • Table tasks(TaskID,Name,Hours,Amount,Description,Owner,Type) stores the tasks of users, in which tasks(Owner) is a foreign key referring to credential(ID). Hence, only existing users in the table credential can create new tasks. You can use the command describe tasks; to know more information about this table scheme. • Table preference(PreferenceID,favourite,Owner) records the task sort preference of users, in which preference(Owner) is a foreign key referring to credential(ID). Existing users can select one of the task information as their sorting favourite. For instance, a following figure demonstrates how Alice can set her perference as Hours increasing. You can use the command describe preference; to know more information about this table scheme. • Function userIdMaxTasks() returns the ID of an user who has the maximum number of tasks in your database. In MySQL console, you can use the command select userIdMaxTasks(); to retrieve that result. • Function generateRandomUser() adds a new random user (with random Name and Password to the table credential). In MySQL console, you can use the command select generateRandomUser(); to perform this addition. • Function getNewestUserId() returns the ID of a newly created user in the table credential. • Stored procedure copyTasksToUser(in userID int(6) UNSIGNED) copies all tasks of other users to the user having that userID. You need to make sure the user with that userID exists in the table credential before using this stored procedure. For instance, in MySQL console, you can use the command call copyTasksToUser(6); to copies all tasks of other users to an existing user with userID=6. 5 In a normal scenario, a user can add a new task multiple times and update his/her view preference with sorting by asc or desc. However, the website is vulnerable to the second order attacks when the user views all tasks. Note that, you will get 0 mark if you complete the task by not performing second order attack (i.e. manipulate the database manually in MySQL console). You need to perform a sequence of second order attacks in order to transfer all the tasks of users to a new malicious user that you created. Note that creating that malicious user also has to be done by using the second order attack. More specifically you nee to: • Create malicious user • Copy tasks of all users to the malicious user • Delete the tasks from the other users apart from the malicious one • View the malicious user’s result [Marking scheme: In your recording, 15 marks only given if you have a solid demonstration and explanation about how you inject queries and the attack works in your case to achieve that adversarial goal.]. You also need to provide necessary screenshots in your report as well as a small explanation of why the attack works. Then, you need to upload your demo video to your Monash Google Drive and embed its shared link to your report so that the teaching team can view and verify your works. Question 5 If you achieve the adversarial goal successfully, you will obtain the result like the following figure. Note that, the second table in the figure displays the malicious user who has the maximum number of tasks. The first table is blank due to no task remains for Ted user. 6 In this question, you need to perform a second order attack on SQLi Lab to attack the perfor- mance of your MySQL server.. [Marking scheme: In your recording, 5 marks only given if you have a solid demonstration and explanation about how you inject queries and the attack works in your case.]. You also need to provide necessary screenshots in your report as well as a small expla- nation on how the attack works. Then, you need to upload your demo video to your Monash Google Drive and embed its shared link to your report so that the teaching team can view and verify your works. Hint: you can delay the query execution or shut down your MySQL server when an user views his/her declared tasks. Question 6 Provide your theoretical mitigation solution against the second order attacks in your previous question in the report. You do not need to change the PHP source files for this question. [Marking scheme: 5 marks only given if you have a solid explanation in your report.] Question 7 4 Cross-Site Scripting (XSS) Attack – Using Elgg [50 Marks] Cross-site scripting (XSS) is a type of vulnerability commonly found in web applications. This vulnerability makes it possible for attackers to inject malicious code (e.g. JavaScript programs) into victim’s web browser. 7 Table 1: User credentials User UserName Password Admin admin seedelgg Alice alice seedalice Boby boby seedboby Charlie charlie seedcharlie Samy samy seedsamy Using this malicious code, attackers can steal a victim’s credentials, such as session cookies. The access control policies (i.e., the same origin policy) employed by the browsers to protect those credentials can be bypassed by exploiting the XSS vulnerability. Vulnerabilities of this kind can potentially lead to large-scale attacks. To demonstrate what attackers can do by exploiting XSS vulnerabilities, we have set up a web applica- tion named Elgg in our pre-built Ubuntu VM image. Elgg is a very popular open-source web application for social network, and it has implemented a number of countermeasures to remedy the XSS threat. To demonstrate how XSS attacks work, we have commented out these countermeasures in Elgg in our instal- lation, intentionally making Elgg vulnerable to XSS attacks. Without the countermeasures, users can post any arbitrary message, including JavaScript programs, to the user profiles. You need to exploit this vul- nerability by posting some malicious messages to their profiles; users who view these profiles will become victims. 4.1 Environment Configuration This lab can only be conducted in the “SeedVM” we provided, because of the configurations that we have performed to support this lab. In this part, we need three things, are of which are already installed in the provided VM image: (1) the Firefox web browser, (2) the Apache web server, and (3) the Elgg web application. For the browser, you can use the HTTP Header Live extension for Firefox to inspect the HTTP requests and responses. From the Firefox web browser in the VM, you can download and install this extension. Alternatively, you can use the Web developers toolset that Firefox provides (for example the Inspector tool using Ctr+Shift+c keyboard combination, the Console tool and the Network tool). Elgg Web Application. We use an open-source web application called Elgg in this lab. Elgg is a web- based social-networking application. It is already set up in the pre-built Ubuntu VM image. We have also created several user accounts on the Elgg server and the credentials are given in Table 1. DNS Configuration. We have configured the following URL needed for this lab. The folder where the web application is installed and the URL to access this web application are described in the following: URL: http://www.xsslabelgg.com/ Folder: /var/www/XSS/Elgg The above URL is is only accessible from inside of the virtual machine, because we have modified the /etc/hosts file to map the domain name of each URL to the virtual machine’s local IP address (127.0.0.1). You may map any domain name to a particular IP address using /etc/hosts. For example, you can map 8 http://www.example.com to the local IP address by appending the following entry to /etc/hosts: 127.0.0.1 www.example.com If your web server and browser are running on two different machines, you need to modify /etc/hosts on the browser’s machine accordingly to map these domain names to the web server’s IP address, not to 127.0.0.1. Apache configuration. In our pre-built VM image, we used Apache server to host all the web sites used in the lab. The name-based virtual hosting feature in Apache could be used to host several web sites (or URLs) on the same machine. A configuration file named 000-default.conf in the directory ”/etc/apache2/sites- available” contains the necessary directives for the configuration: Inside the configuration file, each web site has a VirtualHost block that specifies the URL for the web site and directory in the file system that contains the sources for the web site. The following examples show how to configure a website with URL http://www.example1.com and another website with URL http://www.example2.com: You may modify the web application by accessing the source in the mentioned directories. For example, with the above configuration, the web application http://www.example1.com can be changed by modifying the sources in the /var/www/Example1/ directory. After a change is made to the configuration, the Apache server needs to be restarted. See the following command: $ sudo service apache2 start 4.2 Task 1: Posting a Malicious Message to Display an Alert Window [10 Marks] The objective of this task is to embed a JavaScript program in your Elgg profile, such that when another user views your profile, the JavaScript program will be executed and an alert window will be displayed. The following JavaScript program will display an alert window: If you embed the above JavaScript code in your profile (e.g. in the brief description field), then any user who views your profile will see the alert window. In this case, the JavaScript code is short enough to be typed into the brief description field. If you want to run a long JavaScript, but you are limited by the number of characters you can type in the form, you can store the JavaScript program in a standalone file, save it with the .js extension, and then refer to it using the src attribute in the In the above example, the page will fetch the JavaScript program from http://www.example.com, which can be any web server. Try to fetch the JavaScript from a server. Describe your observation, and provide the screen shot to show the alert. Hint: You need to setup a server (e.g. www.example.com) and put the above JavaScript there. You can use the information provided in section 4.1 ”Environment Configuration”. You can modify one user’s profile (e.g., alice), and view his/her profile by admin. [Marking scheme: In your report, 5 marks for the screenshot and associated description/explanation of the attack. In your recording, 5 marks for the demonstration, and explanation of the solution.] Question 8 4.3 Task 2: Stealing Cookies from the Victim’s Machine [20 Marks] The objective of this task is to steal the cookies from the victim’s machine. First, we can embed a JavaScript program in your Elgg profile (assume that you act as the Samy user), such that when another user views your profile , the user’s cookies will be displayed in the alert window. This can be done by adding some additional code to the JavaScript program in the previous task: The malicious JavaScript code written by the attacker can print out the user’s cookies, but only the user can see the cookies, not the attacker. In this task, the attacker wants the JavaScript code to send the cookies to himself/herself. To achieve this, the malicious JavaScript code needs to send an HTTP request to the attacker, with the cookies appended to the request. We can do this by having the malicious JavaScript insert an tag with its src attribute set to the attacker’s machine. When the JavaScript inserts the tag, the browser tries to load the image from the URL in the src field; this results in an HTTP GET request sent to the attacker’s machine. The JavaScript given below sends the cookies to the port 5555 of the attacker’s machine (with IP address 10.1.2.5), where the attacker has a TCP server listening to the same port. A commonly used program by attackers is netcat (or nc) , which, if running with the ”-l” option, becomes a TCP server that listens for a connection on the specified port. This server program basically prints out whatever is sent by the client and sends to the client whatever is typed by the user running the server. Type the command below to listen on port 5555: 10 $ nc -l 5555 -v The ”-l” option is used to specify that nc should listen for an incoming connection rather than initiate a connection to a remote host. The ”-v” option is used to have nc give more verbose output. The task can also be done with only one VM instead of two. For one VM, you should replace the attacker’s IP address in the above script with 127.0.0.1. Start a new terminal and then type the nc command above. Extend the above attack but capturing apart from the cookie, also the user for whom the cookie has been issued by the server. Use the TCP server program to detect the fetched cookie and the associated user. Provide your screenshots and a small description of the attack in your report as well as video demonstration evidence to support and verify that you have performed the attack and it worked successfully. You need to upload your demo video to your Monash Google Drive and embed its shared link to your report so that the teaching team can view and verify your works. Hint: the IP address in your local host can be set 127.0.0.1. In order to find how to add the username in the attack url, revisit the week 9 lab specifications [Marking scheme: 5 marks for the screenshots and the description of the attack in the report, and 5 marks for the demonstration, and explanation of the solution in the recording] Question 9 Now that the attacker has the cookie and know the user associated with this cookie, the attacker can try to send a blog entry impersonating the captured cookie’s user instead of himself/herself. To do that he writes the blog entry, presses save, captures the appropriate HTTP request and changes in the HTTP request header the cookie (that originally points to the attacker) to the captured cookie of the previous attack. Then the attacker re-sends the HTTP request. Perform this simple attack using as an attacker Samy. You can capture the HTTP request using the HTTP Header Line and modify the cookie accordingly (the HTTP Header Live allow editing the HTTP request and also re-sending it). Does the attack work? Provide screenshots and explain your answer in the report [marking guide: 5 marks for the screenshots and 5 marks for the justification in the report ] Question 10 4.4 Task 3: Overflowing the Administrator with requests [20 Marks] The objective of this task is make one by one all users of the web application to send a message to the Administrator in favor of Samy. The message could request the Administrator to give Samy high privileges. The attack should be an appropriate XSS worm. To achieve this goal, you need to write a malicious JavaScript program that forges HTTP requests di- rectly from the victim’s browser, without the intervention of the attacker. Initially, you should first find out how a legitimate user sends messages (specifically to the Administrator) in Elgg. More specifically, we need to figure out how the HTTP POST request is constructed to send a message. You can use Firefox’s HTTP inspection tool to get the http POST message and it’s structure. Alternatively, you can use the Web development tools that Firefox intrinsically has in it (and more specifically the inspector, the console and the 11 network tools). Once you figure out how how the send message HTTP POST request looks like, a JavaScript program can be written in order to send out the same HTTP request. We provide a skeleton JavaScript code that may aid in completing the task. The above code should be placed in the ”About Me” field of Samy’s profile page. This field provides two editing modes: Editor mode (default) and Text mode. The Editor mode adds extra HTML code to the text typed into the field, while the Text mode does not. Since we do not want any extra code added to our attacking code, the Text mode should be enabled before entering the above JavaScript code. This can be done by clicking on ”Edit HTML”, which can be found at the top right of the ”About Me” text field. Accomplish the above attack, and provide your screenshots in your report and your video demon- stration evidence to support and verify that you have performed the attack and it worked success- fully. You need to upload your demo video to your Monash Google Drive and embed its shared link to your report so that the teaching team can view and verify your works. Hint: You may use HTTP inspec- tion tool to see how the HTTP request look like. [Marking scheme: 5 marks for the screenshots in the report, and 5 marks for the demonstration, and explanation and solutions in the recording] Question 11 12 Acknowledgement Parts of this assignment are based on the SEED project (Developing Instructional Laboratories for Computer SEcurity EDucation) at the website http://www.cis.syr.edu/˜wedu/seed/index.html. 13