[SOLVED] CS6035 Web Security

65.00 $

Category: Tags: , , ,
Click Category Button to View Your Next Assignment | Homework

You will receive the following solution file(s) instantly after successful payment:

zip file icon P04-eugzmy.zip (5 KB)
Assignment Instructions Updated Recently? Submit Below and we will provide new Solution!
Submit New Instructions
🔒 Securely Powered by:
Secure Checkout
5/5 - (5 votes)

2026 SPRING WEBSECURITY SOLUTION CLICK HERE

2025 FALL WEBSECURITY SOLUTION CLICK HERE

2025 SPRING WEBSECURITY SOLUTION CLICK HERE

2024 SUMMER WEBSECURITY SOLUTION CLICK HERE

The goals of this project:

  • Students are asked to read up on web security basics and write simple web vulnerabilities using Javascript/HTML
  • A series of warm up activities will help ease students into the assignment
  • With their knowledge of web security, the students are expected to attack three targets using the following web exploits:
  • Target 1 – Cross-Site Request Forgery (XSRF)
  • Target 2 – Cross Site Scripting (XSS)
  • Target 3 – SQL Injection (SQLi)
  • Read Ed – Lots of questions are answered there daily. Be sure to check there before asking a question. Note: We will not review code in private posts so please don’t post these.

Intro:

Congratulations! You just started your first day at your summer internship at Red Team Inc., a penetration testing company that specializes in testing customers’ web applications. Your mentor, Jason, introduces himself to you, and lets you know that you’ll be working with him and the rest of his team for the next few weeks doing a penetration test on the payroll site for your own school, Georgia Tech!

To get you up to speed on the skills required to do your job, he starts off by assigning some readings and warm up exercises.

Prior Reading and Important Notes from your Mentor:

This project requires submitting forms. If you do not know how to do so, you may consult http://www.w3schools.com/html/html_forms.asp

This project requires writing JavaScript. Only a very basic knowledge of JavaScript is needed. You may find http://eloquentjavascript.net/ useful if you are completely new to JavaScript. Even if not completely new, you may find chapters 13 (JavaScript and the Browser), 14 (The Document Object Model), 15 (Handling Events), and 18 (HTTP and Forms) particularly useful.

You are required to use the provided templates for all parts of this project.

You are NOT submitting any PHP code in this project. Thus, your exploits should not modify the provided PHP files on the VM besides for debugging purposes. If you do happen to modify the PHP files, make sure you revert your changes when you test your exploit. We test your exploits using your submitted .html files and run them against the original, unmodified payroll server provided in the VM. This is a common mistake our interns make, so please make sure to use the original files to test your final exploits.

This project will require you to read and understand PHP (PHP Hypertext Preprocessor), which runs on a web server and responds to HTTP requests with dynamically generated pages and responses. It essentially works by taking template HTML files and filling them in by running scripts embedded in the template.

Getting Your Development Machine Set Up:

NOTE: The project uses the same exact VM that you used for Malware Analysis. If you already have that up and running there is no need to download it again. The link here is provided only if you wish to download it again.

Link: https://cs6035.s3.amazonaws.com/cs6035_p2_p3_p4_spring2023.ova Use the same username and password you used for project 2:

Username Password
debian debian

Helpful Hints from your Mentor:

  • The primary site we will be exploiting in this project is http://payroll.gatech.edu, which you can only visit on the VM. Please note again that this does not point to a legitimate site in the real world and only exists in the VM. For testing purposes, you may register accounts at your will. However, please DO NOT use your actual passwords and banking account information.
  • The developers for the website have tried to implement some safeguards to protect against some common web exploits. However, these may or may not be effective, and part of your role will be to audit the correctness of their safeguards.
  • The source code of the site can be found on the VM in /var/www/payroll. There is a bookmark added to the file manager to make your job a bit easier.
  • You will be using the Chrome browser to complete all portions of this project. Do not use Firefox. It will fail on some targets and you’ll waste a ton of time.

Use Chrome for this project!

Disclaimer:

This project is solely for educational purposes. Professor Wenke Lee and the people affiliated with his teaching and research are NOT responsible in the event of any criminal charges brought against any individuals misusing the information in this project to break the law. When in doubt, please consult the TAs or Professor Lee regarding any questions or issues you may have.

We hope you enjoy this challenging yet rewarding project. Now onto the details!

Warm Up Exercises – (30 points)

To get you up to speed with web development, your mentor, Jason, has assigned you the following guided learning questions. He tells you to complete these and then report back to him so he can start assigning you tasks. He reminds you about the resources he provided to you earlier. You might find those useful when answering these questions.

1.a – Basic HTML & PHP Questions (Ungraded but very helpful)

Your mentor explains that you should be able to answer the following questions before starting the projects. If you come to his desk and ask him any of these questions, he’ll refer you to this writeup 🙂

  • Describe what HTML is (including what it stands for). What is its role in a website?
  • What does PHP stand for, and how is it used? What is the difference between basic HTML and PHP?
  • What is the delineator for PHP code (i.e., how does the PHP interpreter know when there is server-side code to run)?
  • What is SQL? What is its purpose, and with what is it used to communicate?
  • How does SQL work in a website? Where is the SQL command executed?  Is it done in HTML or in PHP?
  • What is the DOM? What does that stand for?  How does HTML support DOM and how do you access it?  How does JavaScript use the DOM and do things with it?

1.b – Getting to know the browser dev tools

You’ll be using the Chrome browser to solve all problems in this project. The goal is to get you more familiar with the built-in browser developer tools. Chrome is installed in the VM and ready for you to use.

Activity 1 – The Inspector & Console tabs (6 points)

The goal of this activity is to familiarize you with the basic html inspector (‘elements’ tab) and console of the browser tools. To access these tools click F12 or use the menus within the browser to bring them up.

Launch Chrome and navigate to this URL → http://cs6035-warmup.gatech.edu:5000/tools Note: The URL only works in the VM.

Use the inspector (elements tab) and console tabs to answer the following questions about this login screen. Note: You don’t actually log in. The page that shows up at the link IS the site you should use to answer the questions below. You are required to use this template when submitting your answers. This will be autograded so the template is required. https://drive.google.com/file/d/1aKj5c33TFEBEc0kxOt1sWRaMTzuJK2Aj/view?usp=sharing

  1. What is the value of the ‘CanYouSeeMe’ input?
    • Do not include quotes in your answer.
  2. The page references a single JavaScript file in a script tag. Name this file including the file extension.
    • Do not include the path, just the file and extension. Ex: ajavascriptfile.js

Do not include quotes in your answer.

  1. The script file has a JavaScript function named ‘runme’. Use the console to execute this function. What is the output that shows up in the console? ○ Do not include quotes in your answer.

activity1.html (linked above) looks like this when you open it in a browser. Edit this file and replace Your Answer Here with your answer. Note: Do not include quotes around the answer. Submit this file with your answers.

Activity 2 – Network Tab (6 points)

The goal of this activity is to familiarize you with the network activity between the browser and the server. Use the network tab to understand how HTTP requests are sent to the server and what types of data come back in the responses. You are required to use this template when submitting your answers. This will be autograded so the template is required. https://drive.google.com/file/d/1-aX8FjmrsgQ6VCpt7mNixD7zVZ44mykv/view?usp=sharing

Step 1: Launch Chrome and navigate to this URL → http://cs6035-warmup.gatech.edu:5000/tools Open the network tab.

Step 2: Click on the ‘Sign In’ button. No need to provide any credentials, leave them blank. Use the network tab to answer the following questions.

  1. What request method (HTTP verb) was used in the request to the server?
    • Do not include quotes in your answer.
  2. What status code did the server return? ○ Include just the code. Ex: 200
    • Do not include quotes in your answer.
  3. The server returned a cookie named ‘JWT’ for the browser to store. What is the value of this cookie?
    • Do not include quotes in your answer.

activity2.html (linked above) looks like this when you open it in a browser. Edit this file and replace Your Answer Here with your answer. Note: Do not include quotes around the answer. Submit this file with your answers.

Activity 3 – Echo XSS (5 points)

The goal of this activity is to ease you into one of the most prominent types of web-based attacks: Reflected XSS (Cross Site Scripting)

Launch Chrome and get ready! You’ve found a webpage that echoes back a query parameter that

you provide in the request to the server. Navigate to this URL to test it out → http://cs6035-warmup.gatech.edu:5000/tools/echo?payload=SampleText

  1. You can do more than just echo back text. Construct an html page such that a JavaScript alert dialog appears with the text cs6035 on the screen.
    1. Note: It is Required that the URL in the browser after opening your file starts with this -> “http://cs6035-warmup.gatech.edu:5000/tools/echo”
    2. You will lose all points if the URL doesn’t start with the string above since this is not actually an XSS attack.
  2. You are required to use this template when submitting your constructed URL. This will be autograded so the template is required.

https://drive.google.com/file/d/1QGJAQFcCICWCLuIu4wU4h774N-YgfruY/view?usp=sh aring

Example of Successful Exploit

Our autograder is a Selenium script so it will simulate user interaction using the same exact browser and VM that you have. It will do the following for this activity:

  • Launch your activity3.html file
  1. Only modify the URL value of the HTML template

1.c – Working with HTML forms & JavaScript

Activity 4 – Submitting forms (5 points)

The goal of this activity is to familiarize you with HTML forms. You need to construct an html page that will submit a simple form to the server. Complete this activity from within the VM using the Chrome browser.

Here are your requirements for building the html file:

  • The form MUST autosubmit. The autograder will not click any buttons nor will a TA.
  • The URL that you need to submit your form to → http://cs6035-warmup.gatech.edu:5000/forms
  • You need to POST the form to the server
  • You need to provide a URL query parameter in your submission
    • IsHoneyPot with a value of false
  • You need to provide the following form input values
    • Name: ‘GATechID’; Value: your Georgia Tech ID, Example: 9101234

○ Name: ‘MagicNumber’; Value: Any number, ex: 5

  • You are required to use this template when submitting your constructed URL. This will be autograded so the template is required.

https://drive.google.com/file/d/1ELWaN92kau78875zgnYOz7Rbx_1vSOKc/view?usp=sharing Once you successfully submit the form, you’ll see a message similar to the following: “Congratulations!, you’ve successfully finished this activity. The answer is <REDACTED>”

You MUST see this page to receive credit for this activity!

Upload activity4.html which is the form that you constructed.

Example of Successful Exploit

Our autograder is a Selenium script so it will simulate user interaction using the same exact browser and VM that you have. It will do the following for this activity:

  • Launch your activity4.html file
  1. The page MUST autosubmit
  • Verify that the URL of the page starts with http://cs6035-warmup.gatech.edu:5000
  • Verify that the text “Congratulations!, you’ve successfully finished this activity. The answer is <REDACTED>” appears in the resulting page.

Activity 5 – Accessing the DOM with JavaScript (8 points)

In this activity you’ll complete a JavaScript function that will utilize the DOM (document object model) to fetch several values in a sample website and print them to the page. This will give you a little insight into how the DOM works and ways you may retrieve these values and trigger/handle events.

  • You must use the template provided here. Failure to do so will result in a zero for this section.

https://drive.google.com/file/d/1QKD2MGlZqsrg9fmCr60H3fseQ1fdMQ3N/view?us p=sharing

  • Your task is to write JavaScript in the provided function that meets each goal specified in the comments. Do not change any code outside of this function.
  • Once completed, your page will look similar to the screenshot below. The values will be different when we grade your function so do not hard-code any value we’re asking you to fetch with JavaScript.
  • To get started, simply download the template above. You’ll see a page launch with several TODOs. View the source and begin editing the function provided in the template you downloaded.

Example Output Expected:

Example of Successful Exploit

Our autograder is a Selenium script so it will simulate user interaction using the same exact browser and VM that you have. It will do the following for this activity:

  1. Launch your activity5.html file, Note: you must use our provided template.
  2. Verify that each item in the JavaScript file is correctly displaying on the page.
  3. The order of the items on the page DOES matter. It must look like the screenshot above. If the page is out of order then you’re missing something or not correctly meeting a requirement.

Target 1: XSRF (20 points)

Having completed the warmup tasks Jason assigned (you did do them, right? They’re a lot of fun), you walk up to him for your first task. He explains that he has discovered a vulnerability in the GT payroll site that he’d like you to craft a proof-of-concept exploit for. Suppose a user, say Alice, is already logged into the Georgia Tech payroll site located here in the VM -> http://payroll.gatech.edu. He noticed that you can craft a web page so that when Alice visits your web page, she gets redirected (NO popups) to the Georgia Tech payroll page with her account number and routing number set to some values of her choice.

Not wanting you to use your own bank account information (for obvious reasons), Jason tells you to use some information from a script that he wrote.

To fetch your bank account number and routing number, run the get_bank_info script inside the VM and pass in your GTID# (e.g. 903094111). Example command on the terminal:

debian@debian:~$ get_bank_info 903094111

Here is an example of what the script will print out:

Username: 903094111

Account number: 615421199

Routing number: 3775278306

NOTE: This is not the Georgia Tech Username, it is the numeric GTID# that you can find on your Buzzcard or here: https://public.webapps.gatech.edu/cfeis/gtid/.

If you enter the wrong GTID#, which generates a different account and routing number, your exploit will fail our scripts, and you will receive zero points for this part, so be sure to double and triple check.

The user must NOT see the contents of your crafted page! However, a split second due to browser rendering is acceptable. This is because in a real-world attack, the attacker might send this page via email to a user as part of a social engineering attack, and if the user sees the contents of the page it would arouse suspicion. We want the PoC to be as realistic as possible to drive home the point to the client.

Deliverables

  • html
  • You are required to use this template when submitting your constructed URL. This will be autograded so the template is required.

https://drive.google.com/file/d/1lcL8k_PgfZBegcpMdgtJ-BCszIhnzCyK/view?usp=sharing

Milestones

A successful attack earns 20 points automatically.

If you are unable to complete the task, you will earn partial credit as follows:

Points Milestone (you earn points in this order)
10 out of 20 pts You see the “CSRF attempt prevented!…” message with your exploit and cannot progress further.
20 out of 20 pts Able to change the account number and routing number without extra browser tabs or popups. If you get to this point you’ve earned the full 15 points.

Caution: Double check that the values you use are the ones assigned to you by running get_bank_info. You WILL lose points even if the value is off by one.

Notes

You can visit your web page by entering the path of your file in the browser URL bar. For example, this would be file:///home/user/t1.html assuming that your exploit lives in /home/user/. You can also simply double click to open the file in Chrome. This opens your exploit in another tab but this is OK and it works. Your actual exploit code must NOT open a new tab via JavaScript or other means. You can also open your file using the CTRL+o hotkey.

Do NOT use relative paths for site URLs in your exploits.

  • WRONG -> /somefolder/somefile.php
  • CORRECT -> http://payroll.gatech.edu/somefile.php

We see this every semester from a handful of students. Your exploit will fail, and you will not receive credit.

Example of Successful Exploit

Our autograder is a Selenium script so it will simulate button clicks using the same exact browser and VM that you have. It will do the following for Task 1:

  • Log into the site using a known good username and password.
  • Launch your t1.html file in the same open tab
  1. It must auto-submit!
  • Verify that the URL starts with “http://payroll.gatech.edu”
  • Verify that the Changes Saved is on the page and that the account number and routing number matches your assigned values. Do not use 1234567890 as this is just an example. See the screenshot below.

Target 2: XSS Username and Password Theft (25 points)

Now that you’ve finished your PoC exploit for the first vulnerability, Jason thinks you are ready to write one for a potentially more-severe vulnerability. He noticed that you could steal a user’s username and password. You can craft a web page such that whenever a victim, say Bob, visits the

page (by clicking the attachment in a phishing email), it will redirect him (NO popups) to http://payroll.gatech.edu/ with a malicious script injected into the page.

The web page should look as if Bob visited the site directly without going through your page. When Bob enters his login information into the page and clicks Log In, an email with his username and password will be sent. Jason asks you to craft such a PoC web page. You will have to send the email to the local user account on the virtual machine.

This attack requires an email to be sent to user on the system. The good news is that you can use hackmail:

http://hackmail.org/sendmail.php

Open the above URL from within virtual machine for instructions on how to send emails via your attack script. Any mail that the user account receives will appear in /var/mail/user file. A bookmark has been added to the file manager for your convenience. Note: Initially the user file will not be there. Your exploits will cause it to be generated.

Requirements

  • The attack must be performed using XSS. Providing a phishing web page will result in 0 points. The browser URL bar should contain the domain payroll.gatech.edu and not a phishing URL. If you find yourself copy and pasting html code from the payroll site into your t2.html then you’re likely heading down a very wrong path.
  • The email payload should be the user’s username (login) and password separated by a single space. i.e. username password <- notice the space!

○ The sender of the email (look at the screenshot below before asking questions) should be set to

MjAyM1NwcmluZyYmRWFzdGVyRWdnYGBUYXJnZXQyLVRoaXNPbmVDYW5CZUR pZmZpY3VsdF5e

○ Failure to follow this format will result in 0 points for this part.

  • The redirected page must be cosmetically identical to the original page. The web page source can be different as long as the user cannot tell without looking at the source. This may take some trial and error. This part can be difficult! Use the developer tools to help you. Extra html characters such as < and > are not ok. Shifted alignments that can be noticed are also not ok. You should be able to hide all traces of your injected script.
  • The page must be functionally identical. This means the user can log into the site in the normal fashion and will not notice any visual/functional differences. Yes, you must be able to log in to pass this test.

Deliverables

  • t2.html

Sample t2.html deliverable:

You are required to use this template when submitting your constructed URL. This will be autograded so the template is required.

https://drive.google.com/file/d/1s5WmU6Ygu8CTl0VfIQeyupr9-CDZ_a6I/view?usp=sharing

Milestones

A successful attack earns 25 points automatically.

If you are unable to complete the task, you will earn partial credit as follows:

Points Milestone (you earn points in this order)
10 out of 25 points Can inject a script and send an email to the user account but cannot progress further
25 out of 25 points Steal the user’s username and password and send them to the user account via email.

Caution: The values need to be exactly correct.

Extra spaces, quotes or anything WILL result in

point loss. The exploited web page must be cosmetically identical to the original website. Hint: your exploit may initially introduce odd styling issues or show characters on the page.

You must hide these.

Notes

We suggest playing around with hackmail outside of your exploit to make sure you can generate data within the “user” mail file. Right click it and open with the Text Editor to view the contents. Do not delete the user file. If you do, hackmail will create a new one but you may be required to run Linux commands in order to view the contents. Just don’t delete it.

Use the developer tools built into Chrome. Simply click F12 in Chrome and you’ll see the dev tools pop up at the bottom. This tool is your friend, get to know it and use it to help you through this task.

Example of Successful Exploit

Our autograder is a Selenium script so it will simulate button clicks using the same exact browser and VM that you have. It will do the following for Task 2:

  1. Open your t2.html file
    1. It must auto-submit!
  2. Verify that the URL of the page is correct and that it is cosmetically identical to the original site. See screenshot below.
  3. Input a known good username
  4. Input a known good password
    1. Note: Your code does not need to handle invalid username and/or password. We’ll only test happy path.
  5. Click the Log In button
  6. Inspect the file system for the user file
  7. Validate that the user file contains username and password and that the sender is

MjAyM1NwcmluZyYmRWFzdGVyRWdnYGBUYXJnZXQyLVRoaXNPbmVDYW5CZURpZm ZpY3VsdF5e See screenshot below.

  1. Ensures that the user is logged in correctly. Your exploit cannot break the login functionality of the site.

After opening t2.html, the resulting web page should look exactly the same as the legitimate site. Notice there are no cosmetic differences! The reason, you ask, is because it IS the payroll site and not a phishing site. Hint: your code needs to inject and redirect to the payroll website. Do not reconstruct a version of the site within t2.html. This is wrong.

The email should be sent via hacker mail.

Target 3: SQL Injection (25 points)

Impressed with how much you’ve learned so far (and in so little time), Jason thinks he can entrust you to create a final PoC HTML webpage with the following requirements to show the website developers how easy it is to bypass their site’s authentication:

  • The crafted page has a text field for the username and a submit button. ○ NO password field!
  • The user of this page is not logged into Georgia Tech payroll system, but when he or she enters a valid Georgia Tech payroll registered username (for example, judyhopps) and clicks submit, the user is redirected to http://payroll.gatech.edu/account.php and logged in as judyhopps.
  • Do NOT execute destructive SQL commands such as DROP tables. System administrators can easily detect data loss!
  • Do not change the id of the input field ‘targetlogin’, and the button id ‘exploit’. This is very important as the autograder specifically looks for these elements. Failure to include them will result in a zero for this target. See the template below.

Deliverables

  • t3.html

Sample t3.html deliverable:

You are required to use this template when submitting your constructed URL. This will be autograded so the template is required.

https://drive.google.com/file/d/1C8CDBSLerl-RQZZAWJm4GH1CVboKwcwN/view?usp=sharing

Milestones

A successful attack earns 25 points automatically (so long as it does not execute destructive SQL commands).

There are no partial credit opportunities for target 3.

If you implement the attack with a destructive SQL command that causes our scripts to fail to grade your target you’ll not receive points for this Task. You will not need to modify the database schema in any way in order to exploit this.

Example of Successful Exploit

Our autograder is a Selenium script so it will simulate button clicks using the same exact browser

and VM that you have. It will do the following for Task 3:

  1. Launch your t3.html file in Chrome. See screenshot below.
  2. Find the targetlogin input field and replace whatever text is there with a known good username
  3. Find the exploit submit button and click it
  4. Inspect the resulting redirected page to ensure it is the correct page, see screenshot below, and that the user is successfully logged in.
  5. Ensure that the resulting redirected page is cosmetically & functionally identical to the original site.

After visiting t3.html, the page displays an input field for the attacker.

After typing in the username of an existing user in the payroll system, you should be successfully logged in. The site should function as if you are logged in legitimately.

The final deliverables:

Log into Gradescope and submit all files. See below for a screenshot.. File names must exactly match and they should not be zipped up.

Note: Your submission is not autograded in Gradescope like other projects. You will not get feedback until after the project closes and our Selenium autograder is run.

Acknowledgements

  • Special thanks to Professor Vitaly Shmatikov for the inspiration of this project and his permission to modify and reuse his materials. You may find more about him and his research here:

http://www.cs.cornell.edu/~shmat/

 

Rubric Points Totals

1. Warmup Exercises 30
i. Activity 1: Input Value 2
ii. Activity 1: Javascript File 2
iii. Activity 1: Function Output 2
iv. Activity 2: HTTP Verb 2
v. Activity 2: Status Code 2
vi. Activity 2: Cookie Value 2
vii. Activity 3: activity3.html 5
x. Activity 4: activity4.html 5
xi. Activity 5: activity5.html 8
2. XSRF 20
i. Partial Credit Only: You see the “XSRF prevented” message with your exploit but did not accomplish the update. 10 out of 20 pts
3. XSS Username and Password Theft 25
i. Partial Credit Only: Can inject a script and send an email to the user account but did not accomplish stealing the correct credentials. 10 out of 25 pts
4 SQL Injection 25

 

  • P04-eugzmy.zip