Table of contents

  1. Assignment 3
    1. Overview
    2. Setup Instructions
      1. Browser
      2. Detailed setup instructions
      3. Docker tips:
      4. Note:
    3. 1. SQL Injection Attack [50 points]
      1. Task 1 & 2: SQL Injection with SELECT: Log in w/o password [10 points]
      2. Task 3 - 5: SQL Injection with UPDATE: Modify VolCoin and password [40 points]
      3. Task #6: Countermeasure [10 points]
    4. 2. XSS and CSRF attacks [40 points + 10 bonus points]
      1. Task #7: Stealing Other Users’ Cookie [20 points]
      2. Task #8: Cross-Site Request Forgery (CSRF) Attack [20 points + 10 bonus points]
    5. 3. Another Attack [5 points]
      1. Task #9: Deposit more VolCoins When Transferring (Not related to SQL Injection attacks) [5 points]

Assignment 3

Due May 3rd, 11:59pm EST

Ground Rules. Work must be typeset (not handwritten and scanned) and submitted by 23:59 of the due date.

Submission. You need to submit a detailed lab report, with screenshots, to describe what you have done and what you have observed. You also need to provide explanations for the observations that are interesting or surprising. Please also list the important code snippets followed by an explanation. Simply attaching code without any explanation will not receive credits.

Overview

In this project, you will conduct several attacks against a web application written in JavaScript (Node.js). Specifically, you will be attacking VolCoin, a Node.js web application that lets users manage VolCoin, a new super-safe cryptocurrency designed for students and staff at the University of Tennessee, Knoxville. They can use the cryptocurrency on the UTK campus. Each user is given 100 VolCoin when they register for the site. They can transfer the cryptocurrency to other users using the web interface as well as create and view other user profiles.

In the real world, attackers generally do not have access to the source of a target website, but in this project you are given the source code for the VolCoin web application, which makes the vulnerabilities a bit easier to find. VolCoin is powered by a collection of Node packages including the Express.js web application framework, a SQLite database, and EJS for HTML templating.

Setup Instructions

You will run the VolCoin web application in a provided Docker container. When the server is running, the site is available at [http://localhost:3000](http://localhost:3000) .

Browser

You are recommended to use the latest version of Chrome, but you may want to test your code in multiple browsers in case your current browser has security features enabled that block such attacks.

Detailed setup instructions

Your web server will run in a Docker container. The following instructions will walk you through installing Docker and the container.

  1. Install (and run) Docker Community Edition on your local machine: https://www.docker.com/products/docker-desktop. Note that I’ve developed and tested the web applications on a Mac. You can use the VM from the previous programming assignment, since Docker is already installed in that VM. If you want to keep using your Windows machine for the programming assignment and run into trouble, please contact the TAs.

  2. Download and extract the programming assignment starter code. COSC366-Web-Security.zip

  3. Navigate to the starter code root directory and run bash build_image.sh. If the file does not have the execute permission, grant it with chmod +x build_image.sh. This builds your Docker image and installs all necessary packages. This may take a couple of minutes, depending on your internet speed. A successful build should look like the following screenshot.

[screenshot]

  4. To start the server, run bash start_server.sh. Once you see output like the following screenshot, the VolCoin application should be available in your browser at http://localhost:3000

[screenshot]

  • You can stop the server by pressing Ctrl+C in the terminal. The server completely resets every time you shut it down. To restart the server with a clean database, just run bash start_server.sh once again.

Docker tips:

You don’t need to familiarize yourself with Docker in order to complete this assignment. However, a few tips that may prove useful:

  • docker ps -a lists all of your containers.
  • docker images lists your images.
  • docker system prune -a deletes unused images and containers from your machine. (Do this when you’re done with the assignment if you want to save space!)
  • The scripts build_image.sh and start_server.sh are simply one-line Docker commands to build a Docker image and spin up a temporary container from that image.
  • The only file that is mapped from your local machine to the running Docker container is code/router.js. So if you start modifying other files and the modifications aren’t showing up, don’t worry. You may have to restart your container after modifying code/router.js for changes to take effect. If you decide you must modify another file for some reason, you must rebuild the Docker image to copy your changes into the image.
  • More information is available at https://docs.docker.com

Note:

For each task, you may want to conduct an attack with the original code that you downloaded for this programming assignment.

1. SQL Injection Attack [50 points]

You will develop a series of attacks against the VolCoin web application written in JavaScript (Node.js). Note that you may not use any external libraries, nor may you edit the web app itself. In particular, this means you cannot use jQuery. The VolCoin application is preconfigured with accounts for four users.

[screenshot]

Task 1 & 2: SQL Injection with SELECT: Log in w/o password [10 points]

Scenario: The attacker wants to log in to the VolCoin website and transfer victims’ VolCoins to him/her. He/she can take advantage of the vulnerable login service to log in without a password. Normally, when a user tries to log in, they fill in the username and password fields, and a SQL query is performed to check for the existence of the username and password combination in the database. The website uses the data provided in the “username” and “password” boxes directly to construct the SQL query. If the query returns a match, it means that the username-password combination exists, and VolCoin logs the user in.

[screenshot]

The login service is implemented in code/router.js. The following SQL query is constructed to authenticate user logins:

SELECT * FROM Users WHERE username == "${req.query.username}" AND password == "${req.query.password}";

If at least one matching record is found, the user will be logged in; otherwise, the login will be unsuccessful.

Tasks: Log into the web app as “alice” without knowing her password. In other words, please exploit the SQL injection vulnerability and log into the app without knowing her password.

  • Task #1 [5 points]: Provide your first attempt to conduct a SQL injection attack. ❗Hint: comment
  • Task #2 [5 points]: Provide your different SQL injection attack that uses another approach. ❗Do not use any comments for this task.

Task 3 - 5: SQL Injection with UPDATE: Modify VolCoin and password [40 points]

If a SQL injection vulnerability occurs in an UPDATE statement, the damage is more severe, because attackers can use the vulnerability to modify the database. Please be aware that, because of caching, your malicious update may not take effect immediately. So please log out and log in again to see the changed value, or check the DB table directly to see the maliciously changed values.

Scenario: Alice wants to increase her VolCoin by exploiting a SQL injection vulnerability.

  • Task #3 [10 points]: Modify your own VolCoin. Please conduct a SQL injection attack with UPDATE statement, which increases her VolCoin.

Scenario: After increasing her own balance, Alice wants to punish her boss, Bob, since she really hates him. She wants to reduce his VolCoin to 1.

  • Task #4 [10 points]: Modify other people’s VolCoin. Please demonstrate how you can achieve that.

Scenario: After changing Bob’s VolCoin balance, she is still disgruntled. So she wants to change Bob’s password to something that she knows, so that she can log into his account and do further damage.

  • Task #5 [10 points]: Modify other people’s password. Please demonstrate how you can change Bob’s password by exploiting the SQL injection vulnerability.

Task #6: Countermeasure [10 points]

The fundamental problem of the SQL injection vulnerability is the failure to separate code from data.

  • What’s the most secure way to prevent such SQL injection attacks?
  • If you know the answer, please modify the code of the VolCoin web application to mitigate the SQL injection attacks.
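The following is an added example written for this page; it is not the VolCoin code from code/router.js, and the sqlite3 module call mentioned in the comments is the usual driver API rather than something taken from the starter code. It puts the interpolated login query from above next to its parameterized form (and a parameterized UPDATE for the balance tasks), and uses a tiny scanner over the SQL text to show the point of Task #6: once data is spliced into the statement, a single quote character in the data changes the structure of the code, whereas a bound parameter never can. The sample inputs are constructed for the demonstration.

```javascript
// Added example, not code from the VolCoin app: why interpolating request data into
// SQL lets the data rewrite the statement, and what the parameterized form looks like.

// (a) The pattern this page shows in code/router.js: values spliced into the SQL text.
function buildLoginQueryVulnerable(username, password) {
  return `SELECT * FROM Users WHERE username == "${username}" AND password == "${password}";`;
}

// (b) Parameterized statement: the SQL text is a fixed constant; values are bound
//     separately by the driver. With the sqlite3 npm module it would be executed as
//     db.get(q.sql, q.params, callback); bound values can never become SQL.
function buildLoginQuerySafe(username, password) {
  return {
    sql: 'SELECT * FROM Users WHERE username == ? AND password == ?;',
    params: [username, password],
  };
}

// Same idea for an UPDATE (compare Tasks 3-5): both the SET value and the WHERE value
// are placeholders, so input cannot widen the WHERE clause to other rows. The column
// name "volcoin" is an assumption made for this example.
function buildBalanceUpdateSafe(username, newBalance) {
  return {
    sql: 'UPDATE Users SET volcoin = ? WHERE username == ?;',
    params: [newBalance, username],
  };
}

// Tiny scanner over the SQL text: collects every "..." delimited chunk and reports
// whether the text ended inside an unterminated one. (SQLite also treats "" inside a
// literal as an escaped quote; that detail is ignored to keep the demonstration short.)
function extractLiterals(sql) {
  const literals = [];
  let current = null; // null while outside a literal
  for (const ch of sql) {
    if (ch === '"') {
      if (current === null) {
        current = '';
      } else {
        literals.push(current);
        current = null;
      }
    } else if (current !== null) {
      current += ch;
    }
  }
  return { literals, unterminated: current !== null };
}

// The login statement is only intact if it still has exactly the two literals the
// developer wrote and the text does not end inside a literal.
function queryStructureIntact(sql) {
  const { literals, unterminated } = extractLiterals(sql);
  return !unterminated && literals.length === 2;
}

// Constructed sample inputs: an ordinary login, and a username containing one
// double-quote character (the delimiter the vulnerable query puts around data).
const ordinary = ['alice', 'hunter2'];
const withQuote = ['alice"', 'hunter2'];

function demo() {
  return {
    ordinaryIntact: queryStructureIntact(buildLoginQueryVulnerable(...ordinary)), // true
    quoteIntact: queryStructureIntact(buildLoginQueryVulnerable(...withQuote)),   // false
    // Parameterized: the SQL text never changes and the quote stays inside the value.
    safeSqlUnchanged: buildLoginQuerySafe(...withQuote).sql === buildLoginQuerySafe(...ordinary).sql,
    safeValueKept: buildLoginQuerySafe(...withQuote).params[0] === 'alice"',
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildLoginQueryVulnerable(...withQuote));
  console.log(demo());
}
```

Run it with node to print the broken statement and the comparison. One caveat worth knowing when you write the fix: in standard SQL, double quotes delimit identifiers, not strings; SQLite only falls back to treating "alice" as a string because no such column exists, so the corrected router code should use placeholders rather than just swapping the quote style.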

2. XSS and CSRF attacks [40 points + 10 bonus points]

After conducting the above SQL injection attacks and modifying the code of the VolCoin web application to mitigate the SQL injection attacks, you need to roll back to the original code by downloading the programming assignment starter code again. Then please rebuild and restart the web application to conduct the below attacks against the VolCoin web application. Also, note that you may not use any external libraries nor may you edit the web app itself. In particular, this means you cannot use jQuery.

Task #7: Stealing Other Users’ Cookie [20 points]

Scenario: The attacker wants to steal other users’ cookies, since he/she knows that whoever obtains another user’s cookie can be authenticated as that user. The attacker then wants to compromise the other users’ information or steal their VolCoins.

Task [10 points]: In this task, you will build an XSS (Cross Site Scripting) attack. When someone views the attacker’s profile, the script you have embedded will automatically send you their (i.e., the victim’s) session cookie. To achieve this, the malicious JavaScript code can send an HTTP request to the attacker with the cookie included in the request. We can do this by, for example, having the malicious JavaScript try to load an image with src set to a URL of the attacker’s choice. When the browser tries to load this image, it sends an HTTP GET request to the attacker’s website with the cookie information attached.

The attacker is running a TCP echo server that simply prints out each request it receives. The TCP server program is included in the starter files for this programming assignment. To run the echo server, simply cd into the echoserver/ directory and run make. This compiles the program and creates an executable file named echoserv. The following command runs the echo server on port 5555. It will hang until killed via Ctrl + C and will print anything that is sent to [localhost:5555](http://localhost:5555).

./echoserv 5555

[screenshot]

When the program is running successfully, you will see output like the above screenshot.

What you are supposed to do:

  1. Embed your malicious JavaScript code in the attacker’s profile so that it sends the victim’s cookie to the attacker’s server (i.e., echoserv).
  2. When Alice (i.e., the victim) logs in to the application and views the attacker’s profile, Alice’s cookie will be sent to the echoserv server, as in the screenshots below.

[screenshot]

[screenshot]

For example, the echoserv server will print Alice’s cookie, which means that the attacker can now obtain Alice’s cookie. Please compare Alice’s real cookie with the cookie received on echoserv using the Firefox extension Cookie-Editor, as in the screenshot below. Alternatively, you can check Alice’s cookie value in the developer tools of your browser (Chrome or Firefox).

[screenshot]
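As an added example for the defensive side of Task #7 (this is not VolCoin code and is not part of the assignment), the block below shows the two controls that break the cookie-theft chain described above: escaping profile text before it is rendered, so an embedded tag is displayed rather than executed, and issuing the session cookie with the HttpOnly attribute, so document.cookie never exposes it to script in the first place. The cookie name session, the helper names, and the sample profile text are all assumptions made for this example.

```javascript
// Added example, not part of the VolCoin app: the two controls a defender would pair
// against the cookie-theft scenario above.

// (1) Output encoding. Profile text is data and must not be interpreted as markup.
//     EJS does this for you with <%= value %> (escaped); <%- value %> inserts raw HTML.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Renders a profile fragment with every user-controlled field escaped.
function renderProfileFragment(displayName, bio) {
  return `<h1>${escapeHtml(displayName)}</h1><p>${escapeHtml(bio)}</p>`;
}

// (2) Cookie attributes. HttpOnly keeps document.cookie from exposing the session
//     token to script (so an injected image-src request has nothing to carry);
//     SameSite limits cross-site sending; Secure restricts the cookie to HTTPS and is
//     left off by default because the lab runs on plain http://localhost:3000.
function buildSessionCookie(sessionId, { secure = false } = {}) {
  const attrs = [`session=${encodeURIComponent(sessionId)}`, 'Path=/', 'HttpOnly', 'SameSite=Lax'];
  if (secure) attrs.push('Secure');
  return attrs.join('; ');
}

// Parses a Set-Cookie header value back into its attribute names (lower-cased), which
// is handy for checking a response header in a test or a quick audit.
function cookieAttributes(setCookie) {
  return new Set(
    setCookie.split(';').slice(1).map((a) => a.trim().split('=')[0].toLowerCase()),
  );
}

// Constructed sample: a bio containing markup, which must render literally.
const sampleBio = 'Hi, I\'m <b>Alice</b> & "friends"';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderProfileFragment('alice', sampleBio));
  console.log('Set-Cookie: ' + buildSessionCookie('abc 123'));
}
```

When you compare cookies in Cookie-Editor, the HttpOnly column is the one to look at: a session cookie without it is readable by any script that runs in the page, which is exactly what the profile-page XSS above relies on.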

Task #8: Cross-Site Request Forgery (CSRF) Attack [20 points + 10 bonus points]

Scenario: You (username = attacker) want to steal others’ VolCoins in the web application. First, you want to build a malicious website and send its link to victims (for example, Alice) in a phishing email. In this attack, you will conduct a Cross-Site Request Forgery (CSRF) attack that transfers VolCoins from another user to the attacker. Assume that you are the attacker. Specifically, you need to build a malicious website that transfers (i.e., steals) 20 VolCoins from the victim’s account to the attacker’s account when the victim visits the malicious website. Note that the attack can only succeed when the victim is already logged in.

Task [20 points]: You don’t need to build a full malicious website. Rather, you need to write HTML in a file that transfers 20 VolCoins from alice to your account attacker. If necessary, enable the pop-ups and redirections option in your Chrome browser for this task, as in the screenshot below.

[screenshot]

Bonus points [10 points]: As soon as the transfer is complete, your attack site should immediately redirect the victim to https://eecs.utk.edu/. This should happen fast enough that normal users won’t notice.

3. Another Attack [5 points]

[screenshot]

Scenario: The attacker finds a bug in the VolCoin transfer feature that enables him/her to obtain more VolCoins even though he/she successfully transfers his/her VolCoins to others using the above web page: http://localhost:3000/transfer

Task [5 points]: Find a bug that enables the attacker to gain more VolCoins even after he/she successfully transfers his/her VolCoins to others. Note that this vulnerability is not related to the SQL injection attacks.