Assignment: Cross-site scripting (XSS) Attacks
Cross-site scripting (XSS) is a type of vulnerability commonly found in web applications. This vulnerability makes it possible for attackers to inject malicious code (e.g. JavaScript programs) into victim's web browser.
Using this malicious code, the attackers can steal the victim's credentials, such as cookies. The access control policies (i.e., the same origin policy) employed by the browser to protect those credentials can be bypassed by exploiting the XSS vulnerability. Vulnerabilities of this kind can potentially lead to large-scale attacks.
To demonstrate what attackers can do by exploiting XSS vulnerabilities, we have set up a web application named Elgg in our pre-built Ubuntu VM image. Elgg is an open-source web application for social networking, and it has implemented a number of countermeasures to remedy the XSS threat. To demonstrate how XSS attacks work, we have commented out these countermeasures in Elgg in our installation, intentionally making Elgg vulnerable to XSS attacks. Without the countermeasures, users can post any arbitrary message, including JavaScript programs, to the user profiles. In this lab, students need to exploit this vulnerability to launch an XSS attack on the modified Elgg, in a way that is similar to what SamyKamkar did to MySpace in 2005 through the notorious Samy worm. The ultimate goal of this attack is to spread an XSS worm among the users, such that whoever views an infected user profile will be infected, and whoever is infected will add you (i.e., the attacker) to his/her friend list.
Environment setup for the problem:
For this problem, we will assume that you have set up the Ubuntu virtual machine environment based on the instructions in the Syllabus under "Special Software Installation Requirements".
We will need the following:
• Firefox web browser
• Apache web server
• Elgg web application
For the Firefox browser, we need to use the LiveHTTPHeaders extensionfor Firefox to inspect the HTTP requests and responses (available under the "Tools" menu in Firefox).The pre-built Ubuntu VM image provided to you has already installed the Firefox web browser with the required extension.
The Apache web server is also included in the pre-built Ubuntu image. However, the web server is not started by default. You have to first start the web server using one of the following two commands:
% sudo apache2ctl start
or
% sudo service apache2 start
The Elgg web application is already set up in the pre-built UbuntuVM image. We have also created several user accounts on the Elgg server and the credentials are given below (username, password):
admin, seedelgg
alice, seedalice
boby, seedboby
charlie, seedcharlie
samy, seedsamy
You can access the Elgg server using the following URL (the Apache server needs to be started first):
Once you log in as a user in Elgg, you can access your Profile and list of Friends by clicking on icons in the upper left part of the browser window.
Note:Some of the project tasks require some basic familiarity with JavaScript. Wherever necessary, we provide a sample JavaScript program to help you get started.
vi. Writing an XSS Worm
In this and next task, we will perform an attack similar to what Samy did to MySpace in 2005 (i.e., the Samy Worm). First, we will write an XSS worm that does not self-propagate; in the next task, we will make it self-propagating. From the previous task, we have learned how to steal the cookies from the victim.
In this task, we need to write a malicious JavaScript to forge a HTTP requestdirectly from the victim's browser. This attack does not require the intervention from the attacker. TheJavaScript that can achieve this is called a cross-site scripting worm.
This task consists of two independent sub-tasks.
Subtask: XSS Worm that adds a friend
The objective of the attack in this subtask is to modify the victim's profile and add Samy asa friend of the victim.To add a friend for the victim, we should first find out how a legitimate user adds a friend in Elgg.
More specifically, we need to figure out what is sent to the server when a user adds a friend. Firefox's LiveHTTPHeaders extension can help us (available under the "Tools" menu in Firefox); it can display the header and contents of any HTTP request message sentfrom the browser. From this, we can identify all the parameters in the request.
There are two common types of HTTP requests, one is HTTP GET request, and the other is HTTP POSTrequest. These two types of HTTP requests differ in how they send the contents of the request to the server. We can use the JavaScript XMLHttpRequestobject to send HTTP GET and POST requests to web applications. XMLHttpRequest can only sendHTTP requests back to the server, instead of other computers, because the same-origin policy is strongly enforced for XMLHttpRequest. This is not an issue for us, because we do want to use XMLHttpRequestto send a forged HTTP request back to the Elgg server.
To learn how to use XMLHttpRequest,you can study these documents.
If you are not familiar with JavaScript programming, we suggest that you study the following documents to learn some basic JavaScript functions. You will have to use some of these functions.
Essential Javascript - A Javascript Tutorial:
You may also need to debug your JavaScript code. Firebug is a Firefox extension that helps you debugJavaScript code. It can point you to the precise places that contain errors. FireBug is already installed in Firefox in our pre-built UbuntuVM image (available under the "Tools" menu in Firefox).
For this subtask, the wormprogram should do the following:
1. Create the correct request to add Samy to the friends list of the user who is executing the malicious code
2. Forge a HTTP GET request to add Samy as a friend.
Code Skeleton. We provide a skeleton of the JavaScript code that you need to write. This JavaScript code is inserted into user Samy's profile, and any user that views Samy's profile will then automatically addSamy as their friend. You need to fill inall the necessary details. When you include the final JavaScript code in the message posted to Samy's profile, you need to remove all the comments, extra space, and new-line characters.
Note that in this case the GET method is used to send the HTTP request.
To modify the victim's profile, the HTTP request sentby theworm should contain the victim's__elgg_ts and __elgg_token values in the sendurl variable. These details arepresent in the web page (right-click and "View Page Source") and the worm needs to find out and use this information using JavaScript code. The sendurl variable should also contain Samy's id.
What you need to do:
1. Based on the format of the GET request to add a friend, write a JavaScript script that adds Samy to the friends list of any user who views Samy's profile. Save your JavaScript script in a file task4-1.txt.
2. Login as user Samy and inject in the "About me" field of Samy's profile the script from file task4-1.txt. (Make sure to select "Remove editor" before editing this field, in order to disable any automatic formatting)
3. Logout and login as user Alice, and then view Samy's profile by selecting user Samy from "More => Members" in the Elgg menu. At this point, the malicious Javascript script will be executed and Samy will be added to Alice's friend list.
4. Include in your project document:
a. a screen printout with Alice's friends list after viewing Samy's profile.
b. a printout of your JavaScript file task4-1.txt.
5. Include the filetask4-1.txt in a ZIP archive.
Subtask - XSS Worm that changes the victim's profile
The objective of the attack in this subtask is to modify the victim's profile "About me" field to show the text "Samy is my HERO".To do this, we should first find out how a legitimate profile change looks like in Elgg. More specifically, we need to figure out what is sent to the server when a user changes the "About me" field and saves her profile. Firefox'sLiveHTTPHeaders extension can help us (available under the "Tools" menu in Firefox); it can display the header and contents of any HTTP request message sentfrom the browser. From this, we can identify all the needed data in the request.
For this subtask, the worm program should do the following:
1. Create the correct request to add a certain piece of text into the profile of a user (the victim) who is viewing Samy's profile
2. Forge a HTTP POST request to change the profile of the victim user.
Code Skeleton. We provide a skeleton of the JavaScript code that you need to write. This JavaScript code is inserted into user Samy's profile, and any user that views Samy's profile will then automatically have their "About me" profile field changed to a certain piece of text. You need to fill inall the necessary details. When you include the final JavaScript code in the message posted to Samy's profile, you need to remove all the comments, extra space, and new-line characters.
Note that in this case the POST method is used to send the HTTP request.
To modify the victim's profile, the HTTP request sentby the worm should contain certain information about the victim in the HTML body of the request (which is sent via the content variable):
• The__elgg_ts and __elgg_token values arepresent in the web page (right-click and "View Page Source") and the worm needs to find out and use this information using JavaScript code.
• The victim's user name can be obtained using elgg.session.user.name
• The victim's id (guid) can be obtained using elgg.session.user.guid
Important note: Be careful when dealing with an infected profile. If a profile is already infected by the XSS worm, you may want to leave them alone, instead of modifying them again. If you are not careful, you may end up removing the XSS worm from the profile.
What you need to do:
1. Based on the format of the POST request to change a user's profile, write a JavaScript script that changes the "About me" field in the profile of any user (the victim) who views Samy's profile. The "About me" field should contain the following text:
Samy is my HERO (added by
Save your JavaScript script in a file task4-2.txt.
2. Login as user Samy and inject in the "About me" field of Samy's profile the script from file task4-2.txt. (Make sure to select "Remove editor" before editing this field, in order to disable any automatic formatting)
3. Logout and login as user Alice, and then view Samy's profile by selecting user Samy from "More => Members" in the Elgg menu. At this point, the malicious Javascript script will be executed and Alice's profile will be changed.
4. Include in your project document:
a. a screen printout with Alice's profile after viewing Samy's profile.
b. a printout of your JavaScript filetask4-2.txt.
5. Include the filetask4-2.txtin a ZIP archive.
v. Writing a Self-Propagating XSS Worm
To become a real worm, the malicious JavaScript program should be able to propagate itself. Namely,whenever some people view an infected profile, not only will their profiles be modified, the worm will alsobe propagated to their profiles, further affecting others who view these newly infected profiles. This way,the more people view the infected profiles, the faster the worm can propagate. This is exactly the samemechanism used by the Samy Worm: within just 20 hours of its October 4, 2005 release, over one millionusers were affected, making Samy one of the fastest spreading viruses of all time. The JavaScript code thatcan achieve this is called a self-propagating cross-site scripting worm. In this task, you need to implementsuch a worm, which infects the victim's profile.
To achieve self-propagation, when the malicious JavaScript modifies the victim's profile, it should copy itself to the victim's profile.If the entire JavaScript program (i.e., the worm) is embedded in the infected profile, to propagate the worm to another profile, the worm code can use DOM APIs to retrieve a copy of itself from the web page. An example of using DOM APIs is given below. This code gets a copy of itself, and display it in an alert window:
URL Encoding: All messages transmitted using HTTP over the Internet use URL Encoding, whichconverts all non-ASCII characters such as space to special code under the URL encoding scheme. In the worm code, messages sent to Elgg should be encoded using URL encoding.The escape function can be used to URL encode a string. An example of using the encode functionis given below.
Under the URL encoding scheme, the "+" symbol is used to denote space. In JavaScript programs, "+"is used for both arithmetic operations and string concatenation operations. To avoid this ambiguity,you may use the concat function for string concatenation, and avoid using addition. For the wormcode in the exercise, you don't have to use additions. If you do have to add a number (e.g a+5), youcan use subtraction (e.g a-(-5)).
Other notes:
• To modify the victim's profile, the HTTP request sent by the worm should contain the following information in the HTML body of the request (which is sent via the content variable):
&accesslevel%5Bdescription%5D=2
(in fact, using the LiveHTTPHeaders extension, you can see this is included in a regular edit profile request)
• Be careful when dealing with an infected profile. If a profile is already infected by the XSS worm, you may want to leave them alone, instead of modifying them again. If you are not careful, you may end up removing the XSS worm from the profile.
What you need to do:
1. Based on the format of the POST request to change a user's profile, write a JavaScript script that changes the "About me" field in the profile of any user (the victim) who views an infected profile. The "About me" field should contain the following text:
Samy is my HERO (added by )
Save your JavaScript script in a file task5.txt.
2. Login as user Samy and inject in the "About me" field of Samy's profile the script from file task5.txt. (Make sure to select "Remove editor" before editing this field, in order to disable any automatic formatting)
3. Logout and login as user Alice, and then view Samy's profile by selecting user Samy from "More => Members" in the Elgg menu. At this point, the malicious Javascript script will be executed and Alice's profile will be infected as well.
4. Logout and login as user Boby, and then view Alice's profile by selecting user Alice from "More => Members" in the Elgg menu. At this point, the malicious Javascript script will be executed and Boby'sprofile will be infected as well.
5. Include in your project document:
a. a screen printout with Alice's profile after viewing Samy's profile.
b. a screen printout with Boby's profile after viewing Alice's profile.
c. A printout of your JavaScript filetask5.txt.
6. Include the filetask5.txtin a ZIP archive.
Format your assignment according to the following formatting requirements:
1. The answer should be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides.
2. The response also include a cover page containing the title of the assignment, the student's name, the course title, and the date. The cover page is not included in the required page length.
3. Also Include a reference page. The Citations and references should follow APA format. The reference page is not included in the required page length.
Attachment:- CrossSite.rar