[SOLVED] Web Security CS6035 SUMMER 2024 Flag1 to 4

100.00 $

Category:
Click Category Button to View Your Next Assignment | Homework

You will receive the following solution file(s) instantly after successful payment:

zip file icon WEBSCURITY2024-zdqoe1.zip (3.6 KB)
Assignment Instructions Updated Recently? Submit Below and we will provide new Solution!
Submit New Instructions
🔒 Securely Powered by:
Secure Checkout
5/5 - (2 votes)

2025 FALL WEBSECURITY SOLUTION CLICK HERE

2025 SPRING WEBSECURITY SOLUTION CLICK HERE

FALL 2024 SOLUTION LINK 

BACKGROUND:

Welcome to the GA Tech bookstore website. It’s a place where you can read and review all of the classics. The creators of the website were pretty junior but ambitious. They created the website in only 2 days! They knew a few things about security and did their best but left some vulnerabilities behind. Your job is to seek these out and find the problems.

SETUP:

To get set up for the flags, carefully follow the steps below. Log into the VM with the websec user. The password should be in Canvas

Run this at the terminal to start the Bookstore Website

./StartContainer.sh

project_websecurity.json is available in the /home/websec/Desktop folder. Put all flags in this file and submit it as your final deliverable.

  • Throughout the project you should only use Chrome. No other browsers are supported for the student grader.
  • You can use any html editor you choose but we like vscode. It’s not currently installed on the VM but can be installed on your host machine.
  • Navigate to this URL using Chrome within the VM to access the Bookstore Website: http://localhost:7149/
  • There is one registered user in the database. You can log in as this user as needed.
    • GTID: Your assigned GTID# (e.g. 903094111)
      • Note: This field will remain the same for the entire project.
      • See the Required Reading page to get your GTID.
    • Username: ilovetoread
    • Password: TheGreatGatsby123
  • The Bookstore Website uses a database to store data. In some cases you may find the need to reset this database. There are also times when the student grader will reset the database before running your exploit. To do this manually navigate to this URL and click the button to reset the database:

TESTING:

You will need to execute a StudentGrader script to test your exploits for all flags. The StudentGrader is a script that will

  1. Launch the html file that you craft for your flag
  2. On some flags the Bookstore Database will be reset automatically
  3. Use the Selenium Chrome Driver to test and assert that your exploit worked correctly
    • Here is a link just in case you’re interested in learning more about the Selenium Chrome driver. Understanding this is not required to be successful on this project. [Chrome Driver Docs] (https://chromedriver.chromium.org/getting-started)
  4. If successful, it will return your flag

Run this at the terminal to test your exploit for a flag

./StudentGrader.sh –flag X –gaTechId Y –filePath Z

Here are the valid parameters for the StudentGrader script

Parameter Name Valid Values Description
–flag 1,2,3,4 The flag you’d like to test. This matches up to the numbers below
–gaTechId 123456789 Your Assigned GTID
–filePath Any valid file path ex: /home/websec/Desktop/flag1.html The path where your exploit file is saved

 

 

Projects / Web Security / Flag 1 Flag 1: Web Intro – 25 Points

Youʼve stumbled upon a publicly available web page that is not finished. It seems like the developers are still working on it but somehow published it to production by accident. The page does not have a link in the main menu so the developers thought no one would find it. Challenge accepted!

Download the required starter template using Chrome here:

To earn your flag you must alter the template so that it performs these steps when you open it in a browser or run it using the grader:

  • Find the Contact Us web page. Remember that you wonʼt find a link in the main navigation.
  • Now that you have the URL to the Contact Us web page you need to “fetch the server content” in the flag1.html file.
    • Double click to open flag1.html in Chrome
    • Launch the Chrome developer tools using the menu in Chrome
    • Do some independent research on how you may find and look at JavaScript code using the Chrome developer tools
    • Write some JavaScript code in your flag1.html file to load up the Contact Us page.
  • In the getStudentAnswers function, write JavaScript code to programmatically fetch the following values and set them to the provided variables:
    • The value provided in the Organization text box
    • The radio button value selected in the “Please reply by” section
    • The value of the session storage with key = “contactedBefore”
  • The Contact Us web page sets one or more cookies. Unfortunately, it wonʼt show up for you to access using JavaScript. That wonʼt stop you from learning the value. Use the Chrome Dev tools to search for http requests and find the cookie name and value set by the Contact Us web page. Assign these to the variables provided in flag1.html as hard-coded strings. Note: There may be more than one cookie so find the one that is actually set by the Contact Us page or simply try all values by trial and error.
    • While copying the cookie Value make sure you have the Show URL-decoded option checked
  • Events are an extremely important concept to understand when working with websites. They allow you to execute code at a later time when something interesting happens.
    • Write code that will set the City text input to Atlanta and the State text input to Georgia
    • Somehow delay this code so that it only executes when the submit button at the bottom is clicked.
    • Note: Weʼre not asking you to click the button either using code or manually on the webpage.

HINTS:

  • Often times, websites will publish sitemaps that contain page URLs. Hint: find and inspect the sitemap contents.
  • Are you using AJAX to fetch server content? Youʼre headed down a wrong path. Examine ALL JavaScript available to the page and use this hint from above to continue forward: “fetch the server content”.
  • Use the Chrome dev tools to Inspect html elements. The “Elements” tab shows a graph of the entire html dom
  • The Network tab allows you to see the raw http requests between the browser and server
  • Do not hard code any values except the cookie name and value detailed above. We check for this in your file and it will fail the grader.
  • Getting Selenium errors about missing content? Try to open the file directly in Chrome and look for errors in the console.

FLAG TESTING:

To test your flag1.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID. websec@cs6035:~$ ./StudentGrader.sh –flag 1 –gaTechId 923456789 –filePath /home/websec/Desktop/f

Your web output will look similar to this:

The grader from the output will look similar to this. Copy the flag to flag1 in project_websecurity.json.

Disclaimer: You are responsible for the information on this website. The content is subject to change at any time.

 

Projects / Web Security / Flag 2 Flag 2: XXS Part I – 25 Points

Congratulations, youʼve made it this far! Now youʼve noticed some strange behavior. You were experimenting with reviews and found you can post basic html tags and images in the reviews! The developers of the site wanted reviews to be a rich user experience and not just plain text. With great power comes great responsibility though. Youʼve found a way to nefariously inject code that runs when any victim loads a page with your exploited review.

This flag will introduce you to the basics of XSS (Cross-Site Scripting) attacks. Specifically youʼll leverage these:

Download the required starter template here:

To earn your flag you must alter the template so that it performs these steps when you open it in a browser or run it using the grader.

  • Create a nefarious review for the book Hamlet:
    • The title of the review should be Reflected XSS – Cookies at the top
    • The rating should be 1
    • Recommended should be true
    • The reviewer should be your GTID (ex: 901234567)
  • The review should contain a script that you craft. This script will execute anytime the review loads in a browser. It will execute for anyone and everyone, very dangerous! You are not a bad hacker out to make money so you only want to make an example and not do real damage.
    • The script must print out all of the site cookies to the userʼs screen. To do this, your code must replace the text “Welcome to the Georgia Tech Bookstore. Here you will find the classics.” with the cookie contents (There could be one or more cookies that replace the text).

Site With Original Text

Site With Text Replaced

  • Note: Your script must not change the structure of the “h5” tag. Only replace the text contained within the “h5” tag.
  • After creating the review with the nefarious code, your file must redirect (load) the details page for Hamlet.

HINTS:

  • Tackle the problem in small parts and then layer in complexity. You can test some of your code exploits directly in the bookstore website before compiling it into the template
  • There are some features in React that should set off red flags. Ex:

https://legacy.reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml

  • Use the Chrome dev tools to watch what happens outside of an attack. The Network tab should give clues. The “Preserve Log” checkbox is your friend.
  • You will need to write JavaScript. Some of this code will execute immediately in your flag2.html file while the remaining part of the code should not be executed but instead be injected into the review somehow to run later.
  • The developers knew about XSS and put some protections in place. It would be helpful to find and understand this as you may need to defeat it.
  • You may need to reset the database from time to time to start with a clean slate. Be sure to follow the steps in the Setup section above to complete this.

FLAG TESTING:

To test your flag2.html file and receive the flag, run this command at the command line. Note: replace the gaTechId with your actual GTID. websec@cs6035:~$  ./StudentGrader.sh –flag 2 –gaTechId 923456789 –filePath /home/websec/Desktop/

Note: The grading script will reset the database before it executes your file. Be prepared as any data you have created will be lost.

Your web output will look similar to this:

The grader from the output will look similar to this. Copy the flag to flag2 in project_websecurity.json.

Disclaimer: You are responsible for the information on this website. The content is subject to change at any time.

CS 6035

Projects / Web Security / Flag 3 Flag 3: XXS Part II – 25 Points

Malicious user input can be provided using the same techniques, but through different attack vectors. Youʼve already persisted malicious data in a review and want to see if there are any other areas of the site that are susceptible to data manipulation. Using your newly acquired XSS skills, you go hunting for more ways to perform this method of attack.

In order to successfully exploit another XSS attack, you will need to figure out another way the site accepts user input and employ a similar technique to perform whatʼs called a reflected XSS attack. This means the XSS code does not reside in the webpage and does not persist, but is malicious code input in the request and returned in the response. You notice there is a page that allows the user to search for a book and wonder if this page can be exploited.

Your goal is to display a javascript alert containing the text CS6035 on the search page.

You can use the same XSS resources from the previous flag in addition to reflected XSS resources:

Download the required starter template here:

To earn this flag by performing the following steps:

  • Examine the search page.
  • Find a way to pop up a javascript alert containing the text CS6035.
  • Add your code to the input of the flag 3 template.
  • Launch the template which should auto-submit to the search page and perform the attack.

HINTS:

  • The search result may be returned after the page is loaded which means you may not be able to inject a script that relies on the loading phase of the document object model (DOM). Find other elements and script techniques to inject after page load.

FLAG TESTING:

A successful attack looks similar to this screenshot:

To test your flag3.html file and receive the flag, run this command at the command line:

The grader from the output will look similar to this. Copy the flag to flag3 in project_websecurity.json.

Disclaimer: You are responsible for the information on this website. The content is subject to change at any time.

7/15/24, 1:21 PM                                                                                                           Flag 4 | CS 6035

CS 6035

Projects / Web Security / Flag 4 Flag 4: CSRF – 25 Points

Congratulations on reaching this stage! Youʼve already navigated through various challenges, and now itʼs time to delve into the intricacies of Cross-Site Request Forgery (CSRF) attacks. CSRF is a type of attack that tricks a user into submitting a request to a web application where they are authenticated without their knowledge or intent. This can lead to unauthorized actions being performed on behalf of the user.

For further exploration and a deeper understanding of CSRF and its prevention, consider the following resources:

Youʼve learned of a vulnerability that exists on the bookstore website. It appears you can craft an html file that resets a userʼs password to one of your choosing when they open it. You plan to embed this file in an email and see who actually clicks on it. Theyʼll never know!

Download the required starter template here:

You must reset an unsuspecting userʼs password to csrfspring2024 Note: You will not know who the user is so your crafted html file should work for any user of the website.

Earn this flag by performing the following steps:

  • Log into the book store website using the account we provided earlier in the project description
  • Note: If you donʼt understand why logging in ahead of time is required, be sure to read more about CSRF attacks.
  • Launch your crafted flag4.html file by double clicking it or pasting in the file:///path-to-flag4.html in a new tab
  • The new tab will open and automatically reset the userʼs password to csrfspring2024

https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/Web_Security/Flag4.html              1/2 7/15/24, 1:21 PM Flag 4 | CS 6035

  • Note: The file must auto-submit. The autograder will not click any buttons you may have put on flag4.html

Hints:

  • Use Chrome dev tools to watch what happens outside of an attack. The Elements, Sources, and Network tab should be helpful.
  • The developers knew about CSRF and put some protections in place. Understanding where these protections are and how they work is the key to exploiting them.
  • You may need to reset the database from time to time to start with a clean slate. Be sure to follow the steps in the Setup section above to complete this.
  • Be sure to pass the GTID as a string and not an int

FLAG TESTING:

To test your flag4.html file and receive the flag, run this command at the command line: websec@cs6035:~$  ./StudentGrader.sh –flag 4 –gaTechId 923456789 –filePath /home/websec/Desktop/

The grader from the output will look similar to this. Copy the flag to flag4 in project_websecurity.json.

Disclaimer: You are responsible for the information on this website. The content is subject to change at any time.

https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/Web_Security/Flag4.html                                                                                      2/2

  • WEBSCURITY2024-zdqoe1.zip