hw04
Web Penetration testing
hw04, via Google Gruyere
Due 2014.Oct.10 (Fri.) 23:59
Assignment:
Using the Google codelabs » Gruyere » Web Exploits and Defenses site,
practice and defend against some of the key web app exploits.
Notes:
- For this exercise, you are highly encouraged to work with a partner.
  You will each create an account and log on, but you can work side-by-side.
- For each exercise, the deliverable is a screenshot[1] of the work completed.
- Insert all the screenshots into a single pdf file and submit — do not submit multiple files.
- Make sure each screenshot is clearly labeled (e.g. “3.g.ii:”), next to/above the screenshot.
- Keep the screenshots limited to relevant information —
  just the portion of the screen showing your javascript-alert, along with
  enough background to clearly identify which gruyere page you are on.
  (Don't make me get out a magnifying glass to read your screenshot.)
- The screenshot should include the alert-window you made (if applicable),
  along with enough background to confirm which attack you used.
  (For example, the attack via snippets would make it clear you were on the snippets-page.)
- Submit on D2L; no hardcopy needed.
  Make sure that your pdf contains your name
  (and, if working with a partner, their name)
  at the top, as well as the URL of this homework-assignment.
  If working with a partner, you will each submit a copy of your file on D2L.
- The bulk of the fun in this project is more about recognizing clever attacks than coding up countermeasures.
  You do not need to fix the vulnerabilities for these attacks,
  but you must understand why the fix works,
  at the level of whether the fix is sanitizing, whitelisting, etc.
  There will be exam questions aimed at understanding both the vulnerability and the fix.
  (The exam questions may ask you to recall one of the exact attacks discussed in this hw.)
  If you wish to practice fixing the vulnerabilities, you can download the code and run it on your own systems from:
  google-gruyere.appspot.com/gruyere-code.zip
  (OPTIONAL — no credit)
- You can read the Hints as well as the solutions, when working on the project.
  But to get the most benefit, try to think through the solution after reading the first hint.
  If that doesn’t work, read the second hint (if available).
  I suggest taking turns with your partner: one of you reading the hints,
  and then giving further hints.
- Pro-tip: when guessing an attack (entering something into a web-form),
  copy (control-V) your entry, so that you can start your next guess by pasting
  in your previous guess as a starting-point.
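The note above asks you to understand why a fix works at the level of sanitizing versus whitelisting. As an added example (not Gruyere's code and not part of this assignment), here are both defences applied to a stored-XSS sink like Gruyere's snippet, which is user-supplied HTML echoed into other users' pages; the tag/attribute allow-lists and the sample snippet are constructed for illustration.

```python
# Added example, not Gruyere's code: two fixes for a stored-XSS sink such as
# Gruyere's "snippet" (user-supplied HTML echoed into other users' pages).
#   escape_snippet    - sanitize by escaping: the snippet becomes inert text.
#   whitelist_snippet - keep an allow-list of tags/attributes, drop the rest.
# The allow-lists and SAMPLE below are constructed for illustration.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}           # no on*, style, src, ... on any tag
SAFE_URL_PREFIXES = ("http://", "https://", "/")

def escape_snippet(snippet: str) -> str:
    """Treat the whole snippet as text: <, >, &, " and ' become entities."""
    return escape(snippet, quote=True)

class _Whitelister(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                                  # unknown tag: dropped whole
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                            # event handlers, style, ...: dropped
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue                            # javascript:, data:, ...: dropped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=True))   # text content is always escaped

def whitelist_snippet(snippet: str) -> str:
    parser = _Whitelister()
    parser.feed(snippet)
    parser.close()
    return "".join(parser.out)

SAMPLE = '<b onmouseover="f()">hi</b> <a href="javascript:f()">me</a><script>f()</script>'
print(whitelist_snippet(SAMPLE))   # -> <b>hi</b> <a>me</a>f()
```

Escaping is the simpler fix but destroys the "personal flair" the snippet feature exists for; the whitelist keeps harmless formatting, at the cost of having to get the allow-lists exactly right.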
Instructions
- Go to the website: google-gruyere.appspot.com
- Read the warning.
- Set up your personal Gruyere web-server:
  - Go to google-gruyere.appspot.com/start.
  - Write down or bookmark your instance id.
  - Click on resume.
  - On the top right corner, click sign up (if first time), or sign in (subsequent times).
  - Sign in.
- Read
  - google-gruyere.appspot.com/part1
  - google-gruyere.appspot.com/part2
- Complete the exercises on the following cross-site scripting (“XSS”) attacks.
  - File Upload XSS.
    hint: The page says “upload a file that allows you to execute arbitrary script”,
    but it'd be more accurate to say
    “Upload a file which, when downloaded, will cause javascript to run on the client.”
    hint #2: When you ask gruyere for a download, note how it is delivered.
  - Reflected XSS.
    Note: I did not need to mess with the --disable-xss-auditor flag, in my current Chrome.
  - Stored XSS
    terminology: The Gruyere server uses the term “snippet” to mean a small bit of
    HTML that can be sprinkled in to various places on various pages.
    That is, other pages might have code to the effect of
    “if the user defined a snippet, then show it right here in the corner”.
    It's intended as a way to let users add some personal flair to their pages.
    hint: google for “html trigger javascript”, to see how
    javascript can be run associated with any html tag.
    Note: In their solution, the 2nd and 3rd attacks did not work for me.
  - Stored XSS via HTML Attribute
- Read google-gruyere.appspot.com/part3, and then complete the exercises:
  - Elevation of Privilege
  - Cookie Manipulation
  - XSRF Challenge:
    If working with a partner, you will be each other's victims.
    If working alone, you'll need to create a second (dummy) gruyere account,
    and swap between two browsers, playing both attacker and victim.
- Read google-gruyere.appspot.com/part4#4__information_disclosure_path_traversal
  and then complete that exercise on data tampering via path traversal.
- Read google-gruyere.appspot.com/part4#4__dos_quit_serve,
  and then complete that exercise on tricking the server into quitting.
[1] To make a screenshot:
- Mac: ⌘-$ (that is, command-shift-4), which saves a file to the desktop.
  Alternately, you can use: Preview » File » Take Screenshot » From Selection….
  Note that Preview also lets you annotate pdfs, as well as merge pdfs
  (save the image as pdf, then view thumbnails, and then drag thumbnails onto each other;
  it's a bit awkward).
  You can also use Word to annotate and join your screenshots into a single pdf.
- Windows: Start » Snipping Tool » New.
  You can use Word to annotate and join your screenshots into a single pdf.