[SOLVED] CS6035 Web Security Project Summer 2026

Learning Goals of this Project:

You will be learning about modern web based security vulnerabilities in this project. A majority of the attacks are based on the OWASP Top 10 list which is produced and updated every few years.

In particular we will cover these learning topics:

• Basic web technologies, HTML, CSS & JavaScript
• The HTTP protocol
• XSS (Cross-Site Scripting) Attacks
• XSRF (Cross-Request Forgery)
• SQLi (Sql Injection Attacks)
• Mis-configuration of server side web servers
• Client-side JavaScript library vulnerabilities

The final deliverables:

A single JSON formatted file will be submitted to Gradescope.

See Submission Details for more information.

Important Reference Material:

• Representational State Transfer
• JSON
• Eloquent Javascript
• HTML Forms

Virtual Machine:

• Apple M1 based systems
  • Refer to the Apple M-Series VM Emulation Guide (Unofficial) section
• Intel/AMD x64 version

TABLE OF CONTENTS

• Project Background
• Flag 1
• Flag 2
• Flag 3
• Flag 4
• Flag 5
• Flag 6
• Flag 7
• Flag 8
• Submission

BACKGROUND:

Welcome to the GA Tech bookstore website. It’s a place where you can read and review all of the classics. The creators of the website were pretty junior but ambitious. They created the website in only 2 days! They knew a few things about security and did their best but left some vulnerabilities behind. Your job is to seek these out and find the problems.

SETUP:

To get set up for the flags, carefully follow the steps below. Log into the VM with the websec user. The password should be in Canvas.

Run this at the terminal to start the Bookstore Website

    ./StartContainer.sh

• Throughout the project you should only use Chrome. No other browsers are supported for the student grader. Don’t attempt to update/reinstall the Chrome Browser.
• Navigate to this URL using Chrome within the VM to access the Bookstore Website: http://localhost:7149/
• There is one registered user in the database. You can log in as this user as needed. You can log out by closing the Chrome window.
  • GTID: Your assigned GTID# (e.g. 923456789)
    • Note: This field will remain the same for the entire project.
    • See the Quick Start Guide to get your GTID.
  • Username: ilovetoread
  • Password: TheGreatGatsby123
• The Bookstore Website uses a database to store data. In some cases you may find the need to reset this database. There are also times when the student grader will reset the database before running your exploit. To do this manually navigate to this URL and click the button to reset the database:
  • http://localhost:7149/d1baac17/database

  

TESTING:

You will need to execute a StudentGrader script to test your exploits for all flags. The StudentGrader is a script that will

1. Launch the html file that you craft for your flag.
2. On some flags the Bookstore Database will be reset automatically.
3. Use the Selenium Chrome Driver to test and assert that your exploit worked correctly.
   1. Here is a link just in case you’re interested in learning more about the Selenium Chrome driver. Understanding this is not required to be successful on this project.
   2. Chrome Driver Docs
4. If successful, it will return your flag.

Run this at the terminal to test your exploit for a flag

    ./StudentGrader.sh --flag X --gaTechId Y --filePath Z

Here are the valid parameters for the StudentGrader script

Flag 1: Web Intro – 10 Points

You’ve stumbled upon a publicly available web page that is not finished. It seems like the developers are still working on it but somehow published it to production by accident. The page does not have a link in the main menu so the developers thought no one would find it. Challenge accepted!

• This flag will introduce you to the very basics of web development technologies and tools for debugging. Specifically you’ll leverage these:
  • Html Forms
  • JavaScript Events
  • CSS Selectors
  • Cookies
  • The Chrome Developer Tools

Download the required starter template from the VM using Chrome here:

• Flag 1 Template

To earn your flag you must alter the template so that it performs these steps when you open it in a browser or run it using the grader:

1. Find the Contact Us web page. Remember that you won’t find a link in the main navigation.
2. Now that you have the URL to the Contact Us web page you need to “fetch the server content” in the flag1.html file.
   • Double click to open flag1.html in Chrome
   • Launch the Chrome developer tools using the menu in Chrome
   • Do some independent research on how you may find and look at JavaScript code using the Chrome developer tools
   • Write some JavaScript code in your flag1.html file to load up the Contact Us page.
3. In the getStudentAnswers function, write JavaScript code to programmatically fetch the following values and set them to the provided variables:
   • The value provided in the Organization text box
   • The radio button value selected in the “Please reply by” section
   • The value of the session storage with key = “contactedBefore”
4. The Contact Us web page sets one or more cookies. Unfortunately, it won’t show up for you to access using JavaScript. That won’t stop you from learning the value. Use the Chrome Dev tools to search for http requests and find the cookie name and value set by the Contact Us web page. Assign these to the variables provided in flag1.html as hard-coded strings. Note: There may be more than one cookie so find the one that is actually set by the Contact Us page or simply try all values by trial and error.
   • While copying the cookie Value make sure you have the Show URL-decoded option checked

   

5. Events are an extremely important concept to understand when working with websites. They allow you to execute code at a later time when something interesting happens.
   • Write code that will set the City text input to Neo-Veridia and the State text input to Artemis Sector
   • Somehow delay this code so that it only executes when the submit button at the bottom is clicked.
     • Note: We’re not asking you to click the button either using code or manually on the webpage.

HINTS:

• Often times, websites will publish sitemaps that contain page URLs. Hint: find and inspect the sitemap contents.
• Are you using AJAX to fetch server content? You’re headed down a wrong path. Examine ALL JavaScript available to the page and use this hint from above to continue forward: “fetch the server content”.
• Use the Chrome dev tools to Inspect html elements. The “Elements” tab shows a graph of the entire html dom
• The Network tab allows you to see the raw http requests between the browser and server
• Do not hard code any values except the cookie name and value detailed above. We check for this in your file and it will fail the grader.
• Getting Selenium errors about missing content? Try to open the file directly in Chrome and look for errors in the console.

FLAG TESTING:

To test your flag1.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID.

./StudentGrader.sh --flag 1 --gaTechId 923456789 --filePath /home/websec/Desktop/flag1.html

Your web output will look similar to this:

The grader from the output will look similar to this. Copy the flag to flag1 in project_websecurity.json.

Flag 2: XSS Part I – 15 Points

Congratulations, you’ve made it this far! Now you’ve noticed some strange behavior. You were experimenting with reviews and found you can post basic html tags and images in the reviews! The developers of the site wanted reviews to be a rich user experience and not just plain text. With great power comes great responsibility though. You’ve found a way to nefariously inject code that runs when any victim loads a page with your exploited review.

This flag will introduce you to the basics of XSS (Cross-Site Scripting) attacks. Specifically you’ll leverage these:

• OWASP XSS Page
• Types of Cross Site Scripting
• Wikipedia XSS Page

Download from the WebSec VM the required starter template here:

• Flag 2 Template

To earn your flag you must alter the template so that it performs these steps when you open it in a browser or run it using the grader.

1. Create a nefarious review for the book Hamlet:
   • The title of the review should be “Injected packet residue detected: ghost-frame sequence out of sync”
   • The rating should be 5
   • Recommended should be true
   • The reviewer should be your GTID (ex: 123456789)
2. The review should contain a script that you craft. This script will execute anytime the review loads in a browser. It will execute for anyone and everyone, very dangerous! You are not a bad hacker out to make money so you only want to make an example and not do real damage.
   • The script must print out all of the site cookies to the user’s screen. To do this, your code must replace the text “Welcome to the Georgia Tech Bookstore. Here you will find the classics.” with the cookie contents (There could be one or more cookies that replace the text).

   Site With Original Text

   

   Site With Text Replaced
   

   • Note: Your script must not change the structure of the “h5” tag. Only replace the text contained within the “h5” tag.
   • After creating the review with the nefarious code, your file must redirect (load) the details page for Hamlet.

HINTS:

• Tackle the problem in small parts and then layer in complexity. You can test some of your code exploits directly in the bookstore website before compiling it into the template
• There are some features in React that should set off red flags. Ex: https://legacy.reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml
• Use the Chrome dev tools to watch what happens outside of an attack. The Network tab should give clues. The “Preserve Log” checkbox is your friend.
• You will need to write JavaScript. Some of this code will execute immediately in your flag2.html file while the remaining part of the code should not be executed but instead be injected into the review somehow to run later.
• The developers knew about XSS and put some protections in place. It would be helpful to find and understand this as you may need to defeat it.
• You may need to reset the database from time to time to start with a clean slate. Be sure to follow the steps in the Setup section above to complete this.

FLAG TESTING:

To test your flag2.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID.

./StudentGrader.sh --flag 2 --gaTechId 923456789 --filePath /home/websec/Desktop/flag2.html

Note: The grading script will reset the database before it executes your file. Be prepared as any data you have created will be lost.

Your web output will look similar to this:

The grader from the output will look similar to this. Copy the flag to flag2 in project_websecurity.json.

Flag 3: XSS Part II – 10 Points

Malicious user input can be provided using the same techniques, but through different attack vectors. You’ve already persisted malicious data in a review and want to see if there are any other areas of the site that are susceptible to data manipulation. Using your newly acquired XSS skills, you go hunting for more ways to perform this method of attack.

In order to successfully exploit another XSS attack, you will need to figure out another way the site accepts user input and employ a similar technique to perform what’s called a reflected XSS attack. This means the XSS code does not reside in the webpage and does not persist, but is malicious code input in the request and returned in the response. You notice there is a page that allows the user to search for a book and wonder if this page can be exploited.

Your goal is to display a javascript alert containing the text CS6035 on the search page.

You can use the same XSS resources from the previous flag in addition to reflected XSS resources:

• PortSwigger Reflected XSS
• OWASP Reflected XSS

Download from the WebSec VM the required starter template here:

• Flag 3 Template

To earn this flag by performing the following steps:

1. Examine the search page.
2. Find a way to pop up a javascript alert containing the text CS6035.
3. Add your code to the input of the flag 3 template.
4. Launch the template which should auto-submit to the search page and perform the attack.

HINTS:

• The search result may be returned after the page is loaded which means you may not be able to inject a script that relies on the loading phase of the document object model (DOM). Find other elements and script techniques to inject after page load.
• Remove any comments in your template before submitting to the StudentGrader.
• The path of the URL that your template auto-submits to should NOT end with a /

FLAG TESTING:

To test your flag3.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID.

./StudentGrader.sh --flag 3 --gaTechId 923456789 --filePath /home/websec/Desktop/flag3.html

Your web output will look similar to this:

The grader from the output will look similar to this. Copy the flag to flag3 in project_websecurity.json.

Flag 4: CSRF – 15 Points

Congratulations on reaching this stage! You’ve already navigated through various challenges, and now it’s time to delve into the intricacies of Cross-Site Request Forgery (CSRF) attacks. CSRF is a type of attack that tricks a user into submitting a request to a web application where they are authenticated without their knowledge or intent. This can lead to unauthorized actions being performed on behalf of the user.

For further exploration and a deeper understanding of CSRF and its prevention, consider the following resources:

• Portswigger CSRF
• Cross Site Request Forgery (CSRF) – OWASP Foundation
• Cross-Site Request Forgery Prevention – OWASP Cheat Sheet Series
• Wikipedia CSRF

You’ve learned of a vulnerability that exists on the bookstore website. It appears you can craft an html file that resets a user’s password to one of your choosing when they open it. You plan to embed this file in an email and see who actually clicks on it. They’ll never know!

Download from the WebSec VM the required starter template here:

• Flag 4 – Template

You must reset an unknown user’s password to VoidAccess_Art2!88. Note: You will not know who the user is, so your crafted html file should work for any user of the website.

To validate that your exploit works against a known user:

1. Log into the book store website using the account we provided earlier in the project description
   • Note: If you don’t understand why logging in ahead of time is required, be sure to read more about CSRF attacks.
2. Open file:///home/websec/<path to your flag4.html in the same tab.
3. Assuming your HTML template is correct, the current user’s password should be automatically reset to VoidAccess_Art2!88
   • Note: The file must auto-submit. The autograder will not click any buttons you may have put on flag4.html

Hints:

• Use Chrome dev tools to watch what happens when you reset a password. The Elements, Sources, and Network tab should be helpful.
• The developers knew about CSRF and put some protections in place. Understanding where these protections are and how they work is the key to exploiting them.
• You may need to reset the database from time to time to start with a clean slate. Be sure to follow the steps in the Setup section above to complete this.
• If you need to set a GTID somewhere in your exploit, use your actual GTID.
• It may help to first focus on validating that your exploit works against a known user (see above). From there, you will have a more clear idea on how to get HTML template to work for the unknown user.

FLAG TESTING:

To test your flag4.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID.

./StudentGrader.sh --flag 4 --gaTechId 123456789 --filePath /home/websec/Desktop/flag4.html

The grader from the output will look similar to this. Copy the flag to flag4 in project_websecurity.json.

Flag 5: Bypass Permissions – 15 Points

The developers built an Admin page for power users of the site. Obviously, they couldn’t just let everyone have access to this page so they built a simple RBAC (Role-based access control) system and put it into place. Unfortunately for them, they didn’t do the best job of building these permissions and it can be bypassed! Your job is to bypass any security checks and gain access to this Admin page.

The Admin page can be accessed by clicking the link at the top right of the page. In order for this to work correctly in your html file, you may need to write a little JavaScript and find a place where this can be XSS injected. Knowing these developers, I bet they left some clues. Maybe some files they should have removed before production.

Download from the WebSec VM the required starter template here:

• Flag 5 – Template

To earn your flag you must alter the template so that it performs these steps when you open it in a browser or run it using the grader:

1. Bypass all permissions checks and open the Admin page fully loaded
   1. Note: You must do all of this in the html template and it must automatically load/open the page
   2. The URL must start with http://localhost:7149/d1baac17/admin

Hints:

• You need to investigate and find out how the Admin page is being protected. The Chrome developer tools are where you’ll find this.
• The Admin page may shed some light with its security messages. The message may change depending on the state of the site.
• Try to bypass the checks before constructing your html file.
• You’ll likely need to do some script injection in order to defeat the security checks. Follow the hints above closely, “remove before production”.

FLAG TESTING:

To test your flag5.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID.

./StudentGrader.sh --flag 5 --gaTechId 923456789 --filePath /home/websec/Desktop/flag5.html

Your web output will look similar to this:

The grader from the output will look similar to this. Copy the flag to flag5 in project_websecurity.json.

Flag 6: CORS – 10 Points

Congratulations on making it this far! You’ve already overcome several obstacles, and now it’s time to dive into Cross-Origin Resource Sharing (CORS). CORS is a security feature in web browsers that allows applications to request resources from domains other than the one hosting the application.

To complete this task, we’ll be working with a different flavour to CORS. Specifically, we will explore how CORS can limit the type of requests that can be made and how expanding on the allowed access control methods will help accomplish this task.

Download the required starter template here:

• Flag 6 – Template

Your goal is to update the title of book 6 to “The Silent Pulse: Anatomy of the Art2 Crash” and redirect to its Detail View. This needs to be done using JavaScript only. Use this endpoint to make the update:

PUT api/book/{bookId}
Body:
{
  "newTitle": "Title 2"
}

Did the attempt fail? Investigate and troubleshoot—think about what might have gone wrong.

Ensure your script addresses the issue and updates the book title. Once you’ve successfully updated the book title, submit the script and earn your flag!

Hint:

• Use Chrome dev tools to watch what happens outside of an attack. The Console and Network tab should be helpful.
• Go to the Book Detail page and check the Network Tab in your browser’s developer tools. Identify an endpoint that can assist you in configuring the CORS allowed methods.

Make sure that you:

• Apply the modifications needed for this flag (ex. book title changes, etc.)
• Ensure sure those modifications complete (what does this mean in terms of webdev?)

BEFORE you do the redirect.

FLAG TESTING:

To test your flag6.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID.

./StudentGrader.sh --flag 6 --gaTechId 923456789 --filePath /home/websec/Desktop/flag6.html

Your web output will look similar to this:

The grader from the output will look similar to this. Copy the flag to flag6 in project_websecurity.json.

Flag 7: Credential Stealing – 15 Points

You’ve found the holy grail! There is a vulnerability that allows you to steal a user’s credentials without their knowledge. You’re so excited about the possibilities that you crafted a special API endpoint to capture credentials for storage. To complete this task, you need to leverage all of the tools and tecthniques you’ve learned so far to craft a file that redirects to the login page, steals the user’s credentials upon login, and sends them to your API endpoint.

The hacker endpoint is located here: http://localhost:7257/swagger/index.html

There is a familair Swagger UI that describes how to use the endpoint.

Download from the WebSec VM the starter template here:

• Flag 7 Template

To earn this flag, perform the following steps:

1. Examine the login page and identify how to capture the user’s credentials upon login.
2. Examine the hacker API endpoint and identify how to send the captured credentials to the endpoint.
3. Craft your code in the supplied Flag 7 template to perform the attack.
4. Launch the template which should auto-submit to the login page
5. Enter your GA Tech ID along with username and password. Note: for the purposes of this challenge, you can use any username and password. Even invalid credentials should be captured.
6. Click the login button.
7. Verify that your GA Tech ID, username, and password were sent to the hacker API endpoint using the Swagger UI.

HINTS:

• The first and possibly most difficult step is to identify the vulnerability. Use all concepts you’ve learned so far and you’ll need to use the chrome dev tools to inspect code. Note: do not discuss or give other students extra hints. You need to find this vulnerability on your own.
• Like similar parts of this website, there may be unused functionality that could be exploited. Hint: Chrome Dev Tools
• Your exploit will need to wait for a user to enter credentials and click the login button. Consider how to hook into that process.

FLAG TESTING:

To test your flag7.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID.

./StudentGrader.sh --flag 7 --gaTechId 923456789 --filePath /home/websec/Desktop/flag7.html

The grader from the output will look similar to this. Copy the flag to flag7 in project_websecurity.json.

Flag 8: Robin Hood – 10 Points

Congratulations – you’ve already handled XSS, CSRF, and other crafty scenarios. This challenge highlights a different, often-overlooked risk: business logic validation flaws. You can read more about this risk at OWASP: Business Logic Validation.

You overheard there’s a vulnerability in the Bookstore’s Library Card system that can enable a user to increase their reward points.

Dissatisfied with the amount of points you and other users have, you decide to exploit this vulnerability to double the points for all users of the Bookstore application.

Download from the WebSec VM the required starter template here:

Flag 8 – Template

To earn your flag, you must alter the template so that it doubles the Library Card Reward Points for all users of the Bookstore application when you open it in a browser or run it using the grader.

Hints

• Use Chrome Dev tools to watch what happens when you claim points on the Library Card page. The Elements, Sources, and Network tab should be helpful.
• It may be helpful to figure out how to double the points just for the the account we provided earlier in the project description. From there, Chrome Dev Tools should help in figuring out how to apply this for all users.
• The Student Grader will reset the database each time it runs, capturing a before/after snapshot to confirm that your exploit doubles all users’ points exactly once.

Flag Testing

To test your flag8.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID.

./StudentGrader.sh --flag 8 --gaTechId 923456789 --filePath /home/websec/Desktop/flag8.html

If the ilovetoread user had 240 points prior to you running the command, your web output will look similar to this:

The grader from the output will look similar to this. Copy the flag to flag8 in project_websecurity.json.