FIT 3173 Software Security Assignment II (S1 2021)
Total Marks 100
Due on May 26, 2021, Wednesday, 23:59:59
1 Overview
The learning objective of this assignment is for you to gain a first-hand experience on SQL injection attacks
and cross-site scripting attacks and get a deeper understanding on how to exploit the vulnerability in real-
world web applications. All tasks in this assignment can be done on “SeedVM” as used in labs.
2 Submission Policy
You need to submit a lab report to describe what you have done and what you have observed with screen
shots whenever necessary; you also need to provide explanation on how the attacks work or codes to the
observations that are interesting or surprising. In your report, you need to answer all the questions listed in
this manual. Please answer each question using at most 100 words. Typeset your report into .pdf format
(make sure it can be opened with Adobe Reader) and name it as the format: [Your Name]-[Student ID]-
FIT3173-Assignment2, e.g., HarryPotter-12345678-FIT3173-Assignment2.pdf.
All source code if required should be embedded in your report. In addition, if a demonstration video is
required, you should record your screen demonstration with your voice explanation and upload the video
to your Monash Google Drive. The shared URL of the video should be mentioned in your report wherever
required. You can use this free tool to make the video:https://monash-panopto.aarnet.edu.au/ ; other tools
are also fine. Then, please upload the PDF file to Moodle. Note: the assignment is due on May 26, 2021,
Wednesday midnight, 23:59:59.
Late submission penalty: 10 points deduction per day. If you require a special consideration, the
application should be submitted to the central university. Zero tolerance on plagiarism: If you are
found cheating, penalties will be applied, i.e., a zero grade for the unit. University polices can be found at
https://www.monash.edu/students/academic/policies/academic-integrity.
3 SQL Injection Attack – Using SQLi Lab [50 Marks]
SQL injection is a code injection technique that exploits the vulnerabilities in the interface between web ap-
plications and database servers. The vulnerability is presented when user’s inputs are not correctly checked
within the web applications before sending to the back-end database servers.
Many web applications take inputs from users, and then use these inputs to construct SQL queries, so
the web applications can pull the information out of the database. Web applications also use SQL queries
to store information in the database. These are common practices in the development of web applications.
When the SQL queries are not carefully constructed, SQL-injection vulnerabilities can occur. SQL-injection
attacks is one of the most frequent attacks on web applications.
In this part, we modify a web application called SQLi Lab, which is designed to be vulnerable to
the SQL-Injection attack. Although the vulnerabilities are artificially created, they capture the common
mistakes made by many web developers. Your goal in this part is to find ways to exploit the SQL-injection
vulnerabilities, demonstrate the damage that can be achieved by the attacks, and master the techniques that
can mitigate such attacks.
1
The database of SQLi Lab, named Users, can be traced and manipulated when we login to MySQL
Console by using following commands:
mysql -u root -pseedubuntu
show databases;
use Users;
describe credential;
3.1 Task 1: SQL Injection Attack on SELECT Statements [5 Marks]
In this task, you need to manage to log into SQLi Lab at www.seedlabsqlinjection.com, without
providing a password. You can achieve this by using SQL injection. Normally, before users start using SQLi
Lab, they need to login using their user names and passwords. SQLi Lab displays a login window to users
and ask them to input username and password. The login window is displayed in the following:
The authentication function is implemented by unsafe home.php in the SQLi Lab root directory
(i.e., /var/www/SQLInjection/). It uses the user-provided data to find out whether they match with
the Username and Password fields of any record in the database. If there is a match, it means the user
has provided a correct username and password combination, and should be allowed to login. Like most web
applications, PHP programs interact with their back-end databases using the standard SQL language. In
SQLi Lab, the following SQL query is constructed in unsafe home.php to authenticate users:
// create a connection
$conn = getDB();
// Sql query to authenticate the user
$sql = "SELECT id, name, eid, salary, birth, ssn,
phoneNumber, address, email,nickname,Password
FROM credential
WHERE name= ’$input_uname’ and Password=’$hashed_pwd’";
// query
$result = $conn->query(sql);
if (found one record)
then {allow the user to login}
In the above SQL statement, the variable $input uname holds the string typed in the Username textbox,
and $hashed pwd holds the string typed in the Password textbox. User’s inputs in these two textboxs
are placed directly in the SQL query string.
2
There is a SQL-injection vulnerability in the above query. Can you log into another person’s
account without knowing the correct password? Explain your solution.
Hint: you are not required to change the code.
[Marking scheme: In your report, 2.5 marks for the screenshot and 2.5 marks for the explanation
of why the attack works of the solution]
Question 1
3.2 Task 2: SQL Injection on UPDATE Statements [10 Marks]
In this task, you need to make an unauthorised modification to the database. Your goal is to modify another
user’s profile using SQL injections. In SQLi Lab, if users want to update their profiles, they can click
the Edit Profile link on the navigation bar, and then fill out a form to update the profile information.
After the user sends the update request to the server, an UPDATE SQL statement will be constructed in
unsafe edit backend.php. The objective of this statement is to modify the current user’s profile
information in the credential table. There is a SQL injection vulnerability in this SQL statement.
Please find the vulnerability, and then use it to do the following task:
Please point out the potential vulnerability, and explain how to achieve a SQL Injection attack by
utilizing it. [Marking scheme: In your report, 2.5 marks for the screenshot and 2.5 marks for the
explanation]
Question 2
Change another user’s profile without knowing his/her password. For example, if you are logged
in as Alice, your goal is to use the vulnerability to modify Ted’s profile information (at least
three items), including Ted’s password. After the attack, you should be able to log into Ted’s
account. Explain your solution focusing also on how and why the attack works, and provide the
screen shots to support your ideas. Hint: the passwords stored in database are hashed (SHA1). If
you incorrectly modify the user name or password, you can recover by directly accessing the MySQL.
[Marking scheme: 2.5 marks for the screenshot and 2.5 marks for the explanation of solutions]
Question 3
3.3 Task 3: Countermeasure for UPDATE Statements[10 Marks]
Setup Remark: You need to set the read/write permission for the seed user on the current website directory
before doing this task by following the below commands on your terminal. Note that the . is important to
indicate the path to the current directory.
$ cd /var/www/SQLInjection/
$ sudo chmod -R 777 .
3
In this task, you need to enable the prepared statement as a countermeasure against the SQL injection
attacks. Here is an example of how to write a prepared statement based on the SELECT statement in Task 1.
$sql = "SELECT id, name, eid, salary, birth, ssn,
phoneNumber, address, email,nickname,Password
FROM credential
WHERE name= ’$input_uname’ and Password=’$hashed_pwd’";
You can use the prepared statement to rewrite the above code that is vulnerable to SQL injection attacks:
$stmt = $conn->prepare("SELECT id, name, eid, salary, birth, ssn,
phoneNumber, address, email,nickname,Password
FROM credential
WHERE name= ? and Password= ?");
$stmt->bind_param("ss", $input_uname, $hashed_pwd);
$stmt->execute();
$stmt->bind_result($id, $name, $eid, $salary, $birth, $ssn,
$phoneNumber, $address, $email, $nickname, $pwd);
$stmt->fetch();
$stmt->close();
Follow the above steps to fix the SQL injection vulnerability of UPDATE statement on the Edit
Profile page. Then, check whether you can still exploit the vulnerability or not. Provide your
code, and briefly explain your solution with screenshots. Hint: the UPDATE statement is located
in unsafe edit backend.php. [Marking scheme: In your report, 5 marks for the screenshot
and 5 marks for the explanation of the solutions]
Question 4
3.4 Task 4: Second order Attacks [25 Marks]
In this task, you need to perform second order attacks to achieve different adversarial goals. Unlike direct
injection flaws that execute injected queries immediately, second order attacks delay the execution until a
later time. This means a malicious user can first inject a query fragment into a query as a trusted source.
Then, the injected SQL will be executed in a secondary query that is vulnerable to SQL injection.
We have extended SQLi Lab to assist you in exploring second order attacks and completing this task.
You need to download all PHP source files of unsafe home.php, unsafe edit frontend.php,
unsafe task load.php, unsafe view order.php, and unsafe tasks view.php from Moo-
dle and place them to the same website’s directory. For instance, you can use the following command to
copy the file unsafe home.php located in /home/seed/Documents to that website’s directory.
$ su root
Password: (enter root password "seedubuntu")
# cp /home/seed/Documents/unsafe_home.php /var/www/SQLInjection/
4
We also upgraded the database of SQLi Lab to enrich the website’s features. These features are the
following: a user can add tasks, set task sort preference, and view all his/her declared tasks. Note that you
need to download a database script file, script.sql, from Moodle and execute it with MySQL Console
before you can use these new features. For instance, you can follow the following commands to execute that
script when it is stored in /home/seed/Documents. The execution will update your database scheme
and insert new data as follows:
mysql -u root -pseedubuntu
show databases;
use Users;
source /home/seed/Documents/script.sql
• Table tasks(TaskID,Name,Hours,Amount,Description,Owner,Type) stores the tasks
of users, in which tasks(Owner) is a foreign key referring to credential(ID). Hence, only
existing users in the table credential can create new tasks.
You can use the command describe tasks; to know more information about this table scheme.
• Table preference(PreferenceID,favourite,Owner) records the task sort preference of
users, in which preference(Owner) is a foreign key referring to credential(ID). Existing
users can select one of the task information as their sorting favourite. For instance, a following figure
demonstrates how Alice can set her preference as Hours increasing. You can use the command
describe preference; to know more information about this table scheme.
• Function userIdMaxTasks() returns the ID of an user who has the maximum number of tasks in
your database. In MySQL console, you can use the command select userIdMaxTasks(); to
retrieve that result.
• Function generateRandomUser() adds a new random user (with random Name and Password
to the table credential). In MySQL console, you can use the command select generateRandomUser();
to perform this addition.
• Function getNewestUserId() returns the ID of a newly created user in the table credential.
• Stored procedure copyTasksToUser(in userID int(6) UNSIGNED) copies all tasks of
other users to the user having that userID. You need to make sure the user with that userID exists
in the table credential before using this stored procedure. For instance, in MySQL console,
you can use the command call copyTasksToUser(6); to copies all tasks of other users to an
existing user with userID=6.
5
In a normal scenario, a user can add a new task multiple times and update his/her view preference
with sorting by asc or desc. However, the website is vulnerable to the second order attacks when
the user views all tasks. Note that, you will get 0 mark if you complete the task by not performing
second order attack (i.e. manipulate the database manually in MySQL console).
You need to perform a sequence of second order attacks in order to transfer all the tasks of users
to a new malicious user that you created. Note that creating that malicious user also has to be done by
using the second order attack. More specifically you nee to:
• Create malicious user
• Copy tasks of all users to the malicious user
• Delete the tasks from the other users apart from the malicious one
• View the malicious user’s result
[Marking scheme: In your recording, 15 marks only given if you have a solid demonstration
and explanation about how you inject queries and the attack works in your case to achieve that
adversarial goal.]. You also need to provide necessary screenshots in your report as well as a small
explanation of why the attack works. Then, you need to upload your demo video to your Monash
Google Drive and embed its shared link to your report so that the teaching team can view and verify
your works.
Question 5
If you achieve the adversarial goal successfully, you will obtain the result like the following figure. Note
that, the second table in the figure displays the malicious user who has the maximum number of tasks. The
first table is blank due to no task remains for Ted user.
6
In this question, you need to perform a second order attack on SQLi Lab to attack the perfor-
mance of your MySQL server.. [Marking scheme: In your recording, 5 marks only given if you
have a solid demonstration and explanation about how you inject queries and the attack works
in your case.]. You also need to provide necessary screenshots in your report as well as a small expla-
nation on how the attack works. Then, you need to upload your demo video to your Monash Google
Drive and embed its shared link to your report so that the teaching team can view and verify your works.
Hint: you can delay the query execution or shut down your MySQL server when an user views his/her
declared tasks.
Question 6
Provide your theoretical mitigation solution against the second order attacks in your previous
question in the report. You do not need to change the PHP source files for this question. [Marking
scheme: 5 marks only given if you have a solid explanation in your report.]
Question 7
4 Cross-Site Scripting (XSS) Attack – Using Elgg [50 Marks]
Cross-site scripting (XSS) is a type of vulnerability commonly found in web applications. This vulnerability
makes it possible for attackers to inject malicious code (e.g. JavaScript programs) into victim’s web browser.
7
Table 1: User credentials
User UserName Password
Admin admin seedelgg
Alice alice seedalice
Boby boby seedboby
Charlie charlie seedcharlie
Samy samy seedsamy
Using this malicious code, attackers can steal a victim’s credentials, such as session cookies. The access
control policies (i.e., the same origin policy) employed by the browsers to protect those credentials can be
bypassed by exploiting the XSS vulnerability. Vulnerabilities of this kind can potentially lead to large-scale
attacks.
To demonstrate what attackers can do by exploiting XSS vulnerabilities, we have set up a web applica-
tion named Elgg in our pre-built Ubuntu VM image. Elgg is a very popular open-source web application
for social network, and it has implemented a number of countermeasures to remedy the XSS threat. To
demonstrate how XSS attacks work, we have commented out these countermeasures in Elgg in our instal-
lation, intentionally making Elgg vulnerable to XSS attacks. Without the countermeasures, users can post
any arbitrary message, including JavaScript programs, to the user profiles. You need to exploit this vul-
nerability by posting some malicious messages to their profiles; users who view these profiles will become
victims.
4.1 Environment Configuration
This lab can only be conducted in the “SeedVM” we provided, because of the configurations that we have
performed to support this lab. In this part, we need three things, are of which are already installed in
the provided VM image: (1) the Firefox web browser, (2) the Apache web server, and (3) the Elgg web
application.
For the browser, you can use the HTTP Header Live extension for Firefox to inspect the HTTP requests
and responses. From the Firefox web browser in the VM, you can download and install this extension.
Alternatively, you can use the Web developers toolset that Firefox provides (for example the Inspector tool
using Ctr+Shift+c keyboard combination, the Console tool and the Network tool).
Elgg Web Application. We use an open-source web application called Elgg in this lab. Elgg is a web-
based social-networking application. It is already set up in the pre-built Ubuntu VM image. We have also
created several user accounts on the Elgg server and the credentials are given in Table 1.
DNS Configuration. We have configured the following URL needed for this lab. The folder where the
web application is installed and the URL to access this web application are described in the following:
URL: http://www.xsslabelgg.com/
Folder: /var/www/XSS/Elgg
The above URL is is only accessible from inside of the virtual machine, because we have modified the
/etc/hosts file to map the domain name of each URL to the virtual machine’s local IP address (127.0.0.1).
You may map any domain name to a particular IP address using /etc/hosts. For example, you can map
8
http://www.example.com to the local IP address by appending the following entry to /etc/hosts:
127.0.0.1 www.example.com
If your web server and browser are running on two different machines, you need to modify /etc/hosts
on the browser’s machine accordingly to map these domain names to the web server’s IP address, not to
127.0.0.1.
Apache configuration. In our pre-built VM image, we used Apache server to host all the web sites used in
the lab. The name-based virtual hosting feature in Apache could be used to host several web sites (or URLs)
on the same machine. A configuration file named 000-default.conf in the directory ”/etc/apache2/sites-
available” contains the necessary directives for the configuration:
Inside the configuration file, each web site has a VirtualHost block that specifies the URL for the web
site and directory in the file system that contains the sources for the web site. The following examples
show how to configure a website with URL http://www.example1.com and another website with URL
http://www.example2.com:

ServerName http://www.example1.com
DocumentRoot /var/www/Example1


ServerName http://www.example2.com
DocumentRoot /var/www/Example2

You may modify the web application by accessing the source in the mentioned directories. For example,
with the above configuration, the web application http://www.example1.com can be changed by modifying
the sources in the /var/www/Example1/ directory. After a change is made to the configuration, the Apache
server needs to be restarted. See the following command:
$ sudo service apache2 start
4.2 Task 1: Posting a Malicious Message to Display an Alert Window [10 Marks]
The objective of this task is to embed a JavaScript program in your Elgg profile, such that when another
user views your profile, the JavaScript program will be executed and an alert window will be displayed. The
following JavaScript program will display an alert window:

If you embed the above JavaScript code in your profile (e.g. in the brief description field), then any user
who views your profile will see the alert window.
In this case, the JavaScript code is short enough to be typed into the brief description field. If you want
to run a long JavaScript, but you are limited by the number of characters you can type in the form, you can
store the JavaScript program in a standalone file, save it with the .js extension, and then refer to it using the
src attribute in the
In the above example, the page will fetch the JavaScript program from http://www.example.com,
which can be any web server.
Try to fetch the JavaScript from a server. Describe your observation, and provide the screen shot
to show the alert.
Hint: You need to setup a server (e.g. www.example.com) and put the above JavaScript there. You
can use the information provided in section 4.1 ”Environment Configuration”. You can modify one
user’s profile (e.g., alice), and view his/her profile by admin. [Marking scheme: In your report, 5
marks for the screenshot and associated description/explanation of the attack. In your recording,
5 marks for the demonstration, and explanation of the solution.]
Question 8
4.3 Task 2: Stealing Cookies from the Victim’s Machine [20 Marks]
The objective of this task is to steal the cookies from the victim’s machine. First, we can embed a JavaScript
program in your Elgg profile (assume that you act as the Samy user), such that when another user views
your profile , the user’s cookies will be displayed in the alert window. This can be done by adding some
additional code to the JavaScript program in the previous task:

The malicious JavaScript code written by the attacker can print out the user’s cookies, but only the user
can see the cookies, not the attacker. In this task, the attacker wants the JavaScript code to send the cookies
to himself/herself. To achieve this, the malicious JavaScript code needs to send an HTTP request to the
attacker, with the cookies appended to the request.
We can do this by having the malicious JavaScript insert an tag with its src attribute set to the
attacker’s machine. When the JavaScript inserts the tag, the browser tries to load the image from
the URL in the src field; this results in an HTTP GET request sent to the attacker’s machine. The JavaScript
given below sends the cookies to the port 5555 of the attacker’s machine (with IP address 10.1.2.5),
where the attacker has a TCP server listening to the same port.

A commonly used program by attackers is netcat (or nc) , which, if running with the ”-l” option,
becomes a TCP server that listens for a connection on the specified port. This server program basically
prints out whatever is sent by the client and sends to the client whatever is typed by the user running the
server. Type the command below to listen on port 5555:
10
$ nc -l 5555 -v
The ”-l” option is used to specify that nc should listen for an incoming connection rather than initiate
a connection to a remote host. The ”-v” option is used to have nc give more verbose output. The task can
also be done with only one VM instead of two. For one VM, you should replace the attacker’s IP address in
the above script with 127.0.0.1. Start a new terminal and then type the nc command above.
Extend the above attack but capturing apart from the cookie, also the user for whom the cookie
has been issued by the server. Use the TCP server program to detect the fetched cookie and the
associated user. Provide your screenshots and a small description of the attack in your report as
well as video demonstration evidence to support and verify that you have performed the attack
and it worked successfully. You need to upload your demo video to your Monash Google Drive and
embed its shared link to your report so that the teaching team can view and verify your works. Hint:
the IP address in your local host can be set 127.0.0.1. In order to find how to add the username in the
attack url, revisit the week 9 lab specifications [Marking scheme: 5 marks for the screenshots and
the description of the attack in the report, and 5 marks for the demonstration, and explanation
of the solution in the recording]
Question 9
Now that the attacker has the cookie and know the user associated with this cookie, the attacker can try
to send a blog entry impersonating the captured cookie’s user instead of himself/herself. To do that he
writes the blog entry, presses save, captures the appropriate HTTP request and changes in the HTTP
request header the cookie (that originally points to the attacker) to the captured cookie of the previous
attack. Then the attacker re-sends the HTTP request.
Perform this simple attack using as an attacker Samy. You can capture the HTTP request using the
HTTP Header Line and modify the cookie accordingly (the HTTP Header Live allow editing the HTTP
request and also re-sending it). Does the attack work? Provide screenshots and explain your answer
in the report [marking guide: 5 marks for the screenshots and 5 marks for the justification in the
report ]
Question 10
4.4 Task 3: Overflowing the Administrator with requests [20 Marks]
The objective of this task is make one by one all users of the web application to send a message to the
Administrator in favor of Samy. The message could request the Administrator to give Samy high privileges.
The attack should be an appropriate XSS worm.
To achieve this goal, you need to write a malicious JavaScript program that forges HTTP requests di-
rectly from the victim’s browser, without the intervention of the attacker. Initially, you should first find out
how a legitimate user sends messages (specifically to the Administrator) in Elgg. More specifically, we
need to figure out how the HTTP POST request is constructed to send a message. You can use Firefox’s
HTTP inspection tool to get the http POST message and it’s structure. Alternatively, you can use the Web
development tools that Firefox intrinsically has in it (and more specifically the inspector, the console and the
11
network tools). Once you figure out how how the send message HTTP POST request looks like, a JavaScript
program can be written in order to send out the same HTTP request. We provide a skeleton JavaScript code
that may aid in completing the task.

The above code should be placed in the ”About Me” field of Samy’s profile page. This field provides
two editing modes: Editor mode (default) and Text mode. The Editor mode adds extra HTML code to the
text typed into the field, while the Text mode does not. Since we do not want any extra code added to our
attacking code, the Text mode should be enabled before entering the above JavaScript code. This can be
done by clicking on ”Edit HTML”, which can be found at the top right of the ”About Me” text field.
Accomplish the above attack, and provide your screenshots in your report and your video demon-
stration evidence to support and verify that you have performed the attack and it worked suc-
cessfully. You need to upload your demo video to your Monash Google Drive and embed its shared
link to your report so that the teaching team can view and verify your works. Hint: You may use HTTP
inspection tool to see how the HTTP request look like. [Marking scheme: 5 marks for the screen-
shots in the report. 5 marks for the explanation on how and why the attack works in the report.
Also, in the video interview recording: 5 marks for the demonstration of the attack and also 5
marks for showing why and how the solution works in practice]
Question 11
12
Acknowledgement
Parts of this assignment are based on the SEED project (Developing Instructional Laboratories for Computer
SEcurity EDucation) at the website http://www.cis.syr.edu/˜wedu/seed/index.html.
13

欢迎咨询51作业君