Practical Exercise 10
Due: 23:59, Friday 12th June. Points: 20.
Websub available.
Aims:
• Perform XSS & SQL injection penetration tests.
• Protect against SQL Injection and XSS by sanitizing data.
Assessment:
This practical contains 3 parts worth a maximum of 20 points and contributes 2% to your final course grade.
You only need to complete 20 points worth of tasks to achieve full marks, and may do so using any combination of the tasks in all parts.
Before you begin
• Create and checkout a new folder in your SVN repository at https://version-control.adelaide.edu.au/svn/aXXXXXXX/2020/s1/wdc/prac10 .
Part 1 – XSS
Task 1.1 (7 points)
• Download and start THIS (https://myuni.adelaide.edu.au/courses/54385/files/5749805/download?wrap=1) express server, and load it in a web browser.
◦ Use npm install to prepare the server & npm start to run it.
• Find an XSS vulnerability in the site.
◦ You can do this by performing tests and reviewing the server code, BUT
◦ If you’re up for a challenge, try doing this without looking at the server code.
◦ If you need to log in, you can use Trudy’s account with username trudy and password hacker.
• Exploit the XSS vulnerability so that the next time Alice, the admin user, logs in and views an affected page, their session cookie is copied to a public section of the website.
• Once you’ve found the exploit, use Insomnia to re-create the HTTP request used to make the attack and copy the request as a cURL to a file called task1-1.sh in your prac10 folder.
◦ You may assume Trudy is already logged in for your submission.
◦ Partial marks are available if you still find the exploit, but don’t reveal Alice’s session.
Guide
• Review Lectures & resources from week 12
• Review THIS (https://www.w3schools.com/js/js_cookies.asp) W3Schools page on cookies
• Try the XSS exercises on THIS (https://xss-game.appspot.com/) page.
You should now have an idea of how to perform and protect against an XSS attack.
Task 1.2 (7 points)
• Modify the server so that it is not vulnerable to this attack.
• Save your newly secured server files in your prac10 folder. Do NOT include the node_modules folder in your submission.
Guide
1. Use the sanitize-html package (already installed) to protect the server.
Part 2 – SQL injection
Task 2.1 (7 points)
• Start the express server from Task 1.1, and load it in a web browser.
• Find a SQL injection vulnerability in the site.
◦ You can do this by performing tests and reviewing the server code, BUT
◦ If you’re up for a challenge, try doing this without looking at the server code.
• Exploit the SQL Injection vulnerability to give the user Trudy admin privileges.
◦ Verify this by logging in as Trudy and attempting to access the admin page.
◦ Trudy’s username is trudy and password hacker.
• Once you’ve found the exploit, use Insomnia to re-create the HTTP request used to make the attack and copy the request as a cURL to a file called task2-1.sh in your prac10 folder.
◦ You may assume Trudy is already logged in for your submission.
◦ Partial marks are available if you still find the exploit, but don’t gain admin.
Guide
• Review Lectures & resources from week 12
• Review THIS (https://www.w3schools.com/sql/sql_injection.asp) W3Schools page on SQL injection
• Try the SQL injection exercises on THIS (https://sqlzoo.net/hack/) page (note, some parts of this site are broken).
You should now have an idea of how to perform and protect against a SQL injection attack.
Task 2.2 (7 points)
• Modify the server so that it is not vulnerable to this attack.
• Save your newly secured server files in your prac10 folder. Do NOT include the node_modules folder in your submission.
Guide
1. Use prepared statements to secure the server.
Remember, protecting your users and your site is up to you. Don’t be lazy and cut corners on sanitizing – that’s how you get hacked.
Part 3 – XSRF
Task 3.1 (7 points)
• Start the express server from Task 1.1, and load it in a web browser.
• Find an XSRF vulnerability in the site.
• Create a webpage that exploits the XSRF vulnerability so that the next user to visit your webpage publishes a blog post that says “I IS 1337 HAX0R”.
• Save this page in a file called task3.html in your prac10 folder.
Guide
• Review Lectures & resources from week 11
You’re Done!
• Be sure to submit any files you haven’t already submitted.