Web Attacks
Worth 80 points
Description
For this project, you will exploit four web-based vulnerabilities. They are running on a web server hosted on netsec-projects.cs.northwestern.edu, port 5000.
You can access it via port forwarding, e.g.,
ssh -L 8080:netsec-projects:5000 username@hamsa.cs.northwestern.edu
It is now available at localhost on port 8080.
Do not run this inside your student container. Run it on your own *nix OS: a VM on Windows; a normal shell is fine on macOS, and likewise on Linux.
DO NOT ATTEMPT TO MODIFY THE DATABASE!
This is a great demo of SQL injection, you'll probably find it helpful in doing the project: https://www.youtube.com/watch?v=ciNHn38EyRc
For each exploit, you will find a flag which is associated with your username. To submit your flags, put them in the file called flags.txt and run the submit script as usual. This file is located inside your student container at /mnt/projects/web-attacks/flags.txt
Here is a little information about each of the vulnerabilities:
Vulnerability 1: This is a SQL injection attack, and we are giving you the most information about this attack. There is a column of flags displayed. One of these is yours. The MySQL table that holds these flags also has a column called name. The flag you want to submit has your username set in that column. The query being executed uses the LIKE comparison, not '='. If you are not familiar with LIKE, you should look up the syntax, as it will help you write a valid injection. Consider writing down the original query and inserting your text inside of it. Is the query still valid SQL? Do all quotes have a match? If not, your exploit won't work.
Vulnerability 2: This is a more in-depth SQL injection attack, and you will have to do more digging to find your flag. Your flag is stored somewhere in the database, but not necessarily in the table that the search bar is intended to search. UNION may be helpful here to return columns that the code was not designed to return. You'll need to enumerate the tables in the database and the columns in those tables. You aren't expected to know how to do this off-hand; use Google!
Hint 1: Remember the name of this project is "webattacks"
Hint 2: You can list all databases by submitting the following as the search term
^$' union select table_schema, '' from information_schema.tables group by table_schema union select '', '
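As an added illustration for Vulnerability 1 (not part of the project's own code; the table and column names are assumptions, and SQLite stands in for MySQL), the concatenated LIKE query beside a parameterised version. It shows why an unmatched quote in the input turns the query into invalid SQL, and that parameters alone do not make LIKE wildcards literal:

```python
import sqlite3

# Constructed sample data; the table and column names are assumptions,
# not the project's real schema.
SAMPLE_ROWS = [("alice", "FLAG{alice-sample}"), ("bob", "FLAG{bob-sample}")]


def make_db():
    """In-memory SQLite stand-in for the project's MySQL flags table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flags (name TEXT, flag TEXT)")
    conn.executemany("INSERT INTO flags VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_unsafe(conn, term):
    """The bug class Vulnerability 1 describes: user text is pasted into the
    SQL string, so quotes and LIKE wildcards in it become part of the query."""
    sql = "SELECT name, flag FROM flags WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters so the user's text is matched literally."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_safe(conn, term):
    """Parameterised query: the driver sends term as data, never as SQL text.
    Parameters do not neutralise % and _, hence escape_like plus ESCAPE."""
    pattern = "%" + escape_like(term) + "%"
    sql = "SELECT name, flag FROM flags WHERE name LIKE ? ESCAPE '\\'"
    return conn.execute(sql, (pattern,)).fetchall()


def unsafe_query_breaks(conn, term):
    """True if the concatenated query is no longer valid SQL for this input
    (the 'do all quotes have a match?' check from the description)."""
    try:
        search_unsafe(conn, term)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = make_db()
    print(search_safe(conn, "ali"))        # only alice's row
    print(search_safe(conn, "%"))          # [] : wildcard matched literally
    print(search_unsafe(conn, "%"))        # both rows: wildcard leaks through
    print(unsafe_query_breaks(conn, "'"))  # True: unmatched quote
```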
Vulnerability 3: This is a basic session stealing attack using cross-site scripting. In order to have the administrator view the page (so you can steal his cookie), click "Force Admin Login". Having the admin make a post on the forum will be easier. It is not recommended that you try to access any server other than netsec-projects in your payload; this also applies to part 4.
Vulnerability 4: This is a similar session stealing attack, except using more advanced cross-site scripting techniques. Note: the report URL field has a max length, and you will not be notified if you exceed it, so keep it brief.
Hint 3: when writing scripts for parts 3 and 4, start the script with var Ajax=null; instead of let Ajax=null;
Tips
The user whose session you are trying to steal in each of the last two parts is logging in from behind the firewall, i.e., accesses the site by visiting netsec-projects.cs.northwestern.edu directly, not via localhost and port forwarding like you.
For any XSS you write, it is not recommended that you communicate with any server other than netsec-projects because of potential firewall issues.