GT CS 6262: Network Security
Project 3: Advanced Web Security
Fall 2021

The latest Chrome browser is highly recommended for this project.

Objectives

1. Attack a web application by exploiting its XSS vulnerabilities to infect its users as persistently as possible.
2. Exploit the XSS to launch a social engineering attack that tricks a simulated user into giving up its credentials.
3. Understand cookie management and how to secure your cookies.
4. Understand the concepts of Same Origin Policy (SOP), Cross Origin Resource Sharing (CORS), and Content Security Policy (CSP).
5. Report the frontend vulnerabilities.

Due Date

Please refer to the Canvas assignment for how to submit your solution and for the due date. You will only have 10 chances to submit your solution to GradeScope.

Background

As a student of CS6262, you are invited to join the web security club. This club has an official website for sharing information and resources. As a prospective member, you first need to deliver a pentesting report on the website and provide patches for what you find, as a qualification test. The website is not complicated. It is a simple Content Management System with several features enabled, e.g. text search, dark mode, rich text editor, etc. The website is https://cs6262.gtisc.gatech.edu. It integrates the GT Single Sign On service, so please sign in with your GT account and it will create a user for you.

Before getting your hands dirty

Let's first get a feel for what the website looks like. When you type cs6262.gtisc.gatech.edu in your browser (the latest Chrome is recommended), the image below is what you will get. It has two posts introducing its features. In the following instructions, you will be guided through the whole project.

1. Sign in first.
   a. Click “Sign in”, the blue button in the top right corner. It will redirect you to Georgia Tech's login page.
   b. After signing in, you will be directed to the homepage.
   At the top right corner, you can see your username and a dropdown list, which means you have successfully logged in. Read the post “Dark Mode Goes Live” to figure out how to use the theme feature.
2. You should read through all the existing posts to find clues about how to exploit the XSS vulnerabilities of the website.
3. The “My writeups” tab returns only your own submissions; use it to see the posts you submitted for task 4.
4. The “Console” tab is the testing tab that helps you simulate other users and admins and receive messages. One task also resides on that page. This is useful when you need others to click on your links.
   a. Message Receiver Endpoint
      i. This section gives you an endpoint to send/receive messages, which is necessary for XSS attacks: attackers usually steal cookies and send them to their own endpoints. You should use the “POST” method to send messages to this endpoint. To view the received messages, click the link and refresh when you need to receive a new one.
      ii. This endpoint will be used for task 4 and task 5.
   b. The User/Admin instances running status shows the currently running admin role and user roles. You can create at most one admin role and one user role. To trigger an XSS attack on the admin side, fill in the URL of your post and submit it to the admin role. This creates or overrides the currently running browser instance, which means that when it is messed up, you can submit a URL to override the current one. To trigger an XSS attack on other users' sides, fill in the URL of your malicious payload. The user instances also override the current one when you submit new URLs. The admin instance will be used for task 4 and task 5.2. The user instance will be used for task 5.3.
   c. The ReDoS section lets you practice application layer DoS.
      i. The server is a simple username and password verification website. Your password must not contain the username as a whole string.
         When you are able to launch the ReDoS attack, another request to this page will not respond as it should within a very short time interval. When your attack succeeds, you should be able to see a hash string in the result area. Note that the hash string is correct only while the server is under a ReDoS attack.
      ii. Bear in mind to toggle the ReDoS heartbeat when you see a hash string so that you can copy and paste it, because the result is refreshed every 10 seconds.
      iii. Check “Restart the ReDoS instance” to launch the ReDoS server again when you feel the server is not responding to your submission.
   d. The Information Theft section shows an input box when you are able to log in as an admin. As a regular user, you won't be able to see this form. So, there are two approaches to access this form; however, approach 2 is probably easier. Here are the two approaches.
      i. Log in as admin by stealing the admin's session cookie. Unfortunately, the session cookie is protected by the httpOnly flag, which makes it invisible to JS. You may find other ways to steal this cookie, but our server is well configured to prevent this.
      ii. Post your username and submit the form directly as admin. The form is protected against CSRF. Think of ways to find out the endpoint to submit to, read the CSRF token and send the POST request.

Tasks and Grading Rubric

Note: Fill out the questionnaire and submit the required files to GradeScope.

Task 1. Basic HTML and JavaScript Test (5%)

1. In this section we will introduce a bit of basic HTML and JavaScript knowledge to help you with the other tasks. It is for practice purposes. There will be no points in this section.

1.1 DevTools

Modern browsers provide DevTools for frontend developers to debug and tune performance when developing a website. They can also be used by attackers to explore and collect information. Try pressing F12 in the Chrome browser. DevTools will pop up.
Here you can run JavaScript in the console, view the HTML source of the webpage, and capture the network traffic. It provides many functionalities. Try to explore it by yourself.

1.2 console.log()

console.log() is commonly used to print information to the console of the developer tools for debugging purposes. Open DevTools and type console.log("yourGTID"); You can see your GTID printed in the console.

1.3 setInterval

setInterval is used to call a function repeatedly at a given interval. It returns an intervalID which can be passed to clearInterval to cancel the interval.

Question: Given a variable var counter = 5, make use of setInterval and clearInterval to reduce the counter to 0, decrementing once every second, and then stop. You can run your code in DevTools to verify.

    var counter = 5;
    // Your code below

1.4 setTimeout

setTimeout will fire a function after a delay given in milliseconds. The function will only be fired once. Similarly, you can use the returned timeoutID and clearTimeout to cancel the timeout.

Question: Given a variable var counter = 5, make use of setTimeout to reduce the counter to 0, decrementing once every second, and then stop. You can run your code in DevTools to verify.

    var counter = 5;
    // Your code below

1.5 Promise

A Promise is an object used for async operations in JavaScript. A Promise object has three states: Pending, Fulfilled, and Rejected. Once created, the state of the Promise object is pending, so the calling function is not blocked and continues executing. The Promise object will eventually be fulfilled or rejected, and then the respective resolve or reject handler will be called. Below is an example of a Promise. Before running the code, can you tell what the output would be? Can you explain why?

    let testPromise = new Promise((resolve, reject) => {
      setTimeout(() => resolve("Promise resolved"), 1000);
    });
    testPromise.then(message => {
      console.log(message);
    });
    console.log("Calling function");
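As an added worked example covering 1.3, 1.4 and 1.5 together (this is not code from the assignment): the countdown written once with setInterval/clearInterval and once with setTimeout, plus a small probe that records the order in which synchronous code, a Promise callback and a timer callback run. It assumes Node.js or a browser console, and uses a 1 ms delay only so that it finishes quickly; the questions above ask for one tick per second (1000 ms).

```javascript
// Added example, not part of the original assignment. The delay is a parameter
// so the same code serves the 1 s countdown the questions ask for.

// setInterval keeps firing until it is cancelled, so the callback must call
// clearInterval(id) itself once the counter reaches 0.
function countdownWithInterval(start, delayMs) {
  return new Promise((resolve) => {
    let counter = start;
    const seen = [];
    const id = setInterval(() => {
      counter -= 1;
      seen.push(counter);
      if (counter <= 0) {
        clearInterval(id);
        resolve(seen); // [4, 3, 2, 1, 0] for start = 5
      }
    }, delayMs);
  });
}

// setTimeout fires exactly once, so each tick has to re-arm the next one;
// stopping is simply a matter of not scheduling another timeout.
function countdownWithTimeout(start, delayMs) {
  return new Promise((resolve) => {
    let counter = start;
    const seen = [];
    const tick = () => {
      counter -= 1;
      seen.push(counter);
      if (counter > 0) setTimeout(tick, delayMs);
      else resolve(seen);
    };
    setTimeout(tick, delayMs);
  });
}

// Mirrors the 1.5 question: the Promise is still pending when the synchronous
// code after it runs, so "sync" is recorded first. The .then callback is a
// microtask and runs before the 0 ms timer callback (a macrotask).
function scheduleOrder() {
  const order = [];
  setTimeout(() => order.push("timeout"), 0);
  Promise.resolve("Promise resolved").then(() => order.push("then"));
  order.push("sync");
  return order; // ["sync"] when returned; ["sync", "then", "timeout"] later
}
```

The same ordering explains the 1.5 question: "Calling function" is printed before "Promise resolved" because console.log runs synchronously while the Promise is still pending.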
2. In this section we will ask you 5 questions related to HTML and JavaScript. Each question contributes 1% of the total score. Please fill in your answers in the provided questionnaire.

2.1