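Network Security Assignment Writing | GT CS 6262: Network Security Project 2: Advanced Web

This assignment is to complete network security programs covering XSS attacks and a browser frame-busting extension.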
GT CS 6262: Network Security
Project 2 : Advanced Web

Project Tasks (100 points):
Part 1: XSS Attack and Browser Extension Framebuster – (50 points)
Overview
This part aims to help you understand how a maliciously crafted text string can fool regex-based
detectors. Detecting XSS attacks with regex is a bad idea in practice. We want you to
experience this by conducting XSS attacks with your own scripts and bypassing the vulnerable XSS
defender.
This website contains 3 input fields. Each input will be examined by three different regex patterns.
Your job is to compose 3 different XSS attacks which are able to bypass those 3 regex patterns. Note
that your attacks must be EXECUTABLE HTML code in web browsers.
Remarks:
1. YOUR CODE MUST BE EXECUTABLE FOR FULL CREDIT. IF YOUR CODE PASSES OUR
REGEX FILTER BUT DOES NOT EXECUTE, YOU WILL NOT RECEIVE FULL CREDIT. (You receive
partial credit if your XSS passes the filter but does NOT execute. However, you don't receive
any credit in the other case, i.e., executable but failed to pass the filter.)
2. FOR GRADING PURPOSES, YOU MUST INSERT ALERT IN YOUR XSS ATTACK PAYLOAD.
Alert is a built-in JavaScript function that shows a pop-up message.
You are responsible for ensuring your XSS attacks are valid HTML so that the alert is
properly interpreted and run by the web browser. Getting the SUCCESS response means your XSS
attack bypassed our regex filter, but it does NOT necessarily imply that your script is executable.
You can learn the foundations of XSS and RegEx at the following links:

A whole script attack consists of opening and closing script tags with JavaScript
statements embedded in between. Attackers inject the malicious code into the victim's page so that
it gets around the sandbox (e.g., the Same Origin Policy) of web browsers.
For more details, please read this paper:
Protection, Usability and Improvements in Reflected XSS Filters
Frame Busting
An iframe is an HTML tag that embeds another HTML document in the current web page. The
origin of the embedded HTML document can be different from that of the host web page that a
user is visiting.
Frame-busting is a technique that protects clients from clickjacking. It prevents web pages from
being rendered inside a frame.
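Framing can also be refused in HTTP response headers, which does not rely on script running inside the framed page. The helper below is an added example, not part of the course handout: it builds a `Content-Security-Policy: frame-ancestors` directive and a matching `X-Frame-Options` value. The function names and the `partner.example` origin are assumptions.

```javascript
// Added example: anti-framing response headers (names and origins are assumed).

// Accept only a canonical bare origin such as "https://partner.example".
function normalizeOrigin(value) {
  const u = new URL(value); // throws on malformed input such as "*"
  if (u.protocol !== 'https:' && u.protocol !== 'http:') {
    throw new Error('unsupported scheme in ' + value);
  }
  // Paths, queries, userinfo or explicit default ports make origin != input.
  if (u.origin !== value.replace(/\/$/, '').toLowerCase()) {
    throw new Error('not a bare origin: ' + value);
  }
  return u.origin;
}

// allowedAncestors: [] (nobody may frame), ['self'], or 'self' plus origins.
// existingCsp: a policy string the application already sends, if any.
function framingHeaders(allowedAncestors = [], existingCsp = '') {
  const sources = allowedAncestors.map(
    (a) => (a === 'self' ? "'self'" : normalizeOrigin(a)));
  const directive =
    'frame-ancestors ' + (sources.length ? sources.join(' ') : "'none'");

  // Keep the other directives, replace any earlier frame-ancestors.
  const kept = existingCsp
    .split(';')
    .map((d) => d.trim())
    .filter((d) => d && !/^frame-ancestors(\s|$)/i.test(d));
  const headers = {
    'Content-Security-Policy': [...kept, directive].join('; '),
  };

  // X-Frame-Options cannot express an origin allowlist, so it is sent only
  // when it says exactly the same thing as the CSP directive.
  if (sources.length === 0) {
    headers['X-Frame-Options'] = 'DENY';
  } else if (sources.length === 1 && sources[0] === "'self'") {
    headers['X-Frame-Options'] = 'SAMEORIGIN';
  }
  return headers;
}
```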
One method to block client-side clickjacking is to place the following JavaScript snippet in each web
page:
Chrome Extension
You will create a Google Chrome Extension to:
• Bypass the frame busting technique used in the sample website
If you are unfamiliar with browser extension development, check out a demo extension in the
demo-color-changer-chrome-extension folder.
The most important component of a Chrome browser extension is the manifest.json file. It
looks like:
{
  "name": "CS6262 Extension",
  "description": "A simple extension",
  "version": "1.0",
  "permissions": [
    "tabs",
    "notifications"
  ],
  "background": {
    "scripts": ["frame_buster.js"],
    "persistent": false
  },
  "browser_action": {
    "default_title": "Does something",
    "default_icon": "icon.png"
  },
  "manifest_version": 2
}

Part 1 Grading
General Requirements
• Do not use the “sandboxing attribute” of the browser to bypass the frame buster. Doing so will
result in zero credit.
• Your extension must not pop up any kind of alerts which requires user interaction.
• You may use automatic notifications but no JavaScript alerts.
• Pop-ups that require user interaction will result in zero credit.
• Please make sure the page can be loaded within 3 seconds; otherwise it will result in zero
credit.
• Do NOT hardcode any URLs in your source code. Your extension should work for ANY
website if the same vulnerability is present. Otherwise, a 10 point penalty will be applied to
your project grade.
• Your extension must work for the original Google Chrome in the given VM. We will not grade
your extension outside the VM nor with other versions of Google Chrome in any different
environment.
• No external libraries are allowed.
XSS Requirements
• You may not use the same XSS attack on multiple inputs. Each attack must be unique!
• Hard coded ‘Success’ is prohibited and will result in a 0.
• Your three answers should be placed on three separate lines in xss_attacks.txt
• Code must be executable.
• Must use alert in payload.
Frame Bust Requirements
• Your extension must not modify the appearance of the framed page. It should look exactly
the same, pixel-by-pixel. Otherwise, a 10 point penalty will be applied to your project grade.
• Remove all references to files other than frame_buster.js from your manifest.json. You should
not reference any other file like icon.png etc. Referencing files other than frame_buster.js may
result in a 0 for this portion.
Deliverables
• manifest.json
• xss_attacks.txt
• frame_buster.js

Part 2: GTShop Vulnerabilities – (50 points)
Overview
The objective of this part is to help you understand some vulnerabilities that can be exploited in
websites in a practical fashion.
You will be exploiting open redirect and clickjacking vulnerabilities. This portion of the project is
broken into two parts: Open Redirect and Clickjacking.
Inside the VM, open Firefox by clicking on the browser icon located near the Start Menu. The
browser should automatically bring you to the GTShop web page. You should see an online store that allows you to buy products.
Note: This shop is only accessible within the VM. Accessing the URL outside of the VM will bring
you to a different website.
The GTShop has several vulnerabilities, which include susceptibility to open redirect and
clickjacking.
Open Redirect
Overview
Open redirect is a session management related vulnerability that redirects the user to an unchecked
domain or site. Generally, this vulnerability may be benign, but it can be used as a channel to deliver
a browser exploit by redirecting users to a specifically crafted site.
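
The "unchecked domain" in that definition is what a server-side check removes. The validator below is an added example, not GTShop code: it resolves a user-supplied redirect target and returns a same-site path or a fallback. The `next` parameter, the `shop.example` host and the function name are assumptions, and the inputs in the comments are constructed.

```javascript
// Added example: validate a redirect target before issuing a 3xx response.
// ALLOWED_HOSTS and the base URL are assumed values for illustration.
const ALLOWED_HOSTS = new Set(['shop.example']);

function safeRedirectTarget(next, base = 'https://shop.example', fallback = '/') {
  if (typeof next !== 'string' || next.length === 0) return fallback;

  // Browsers treat "\" like "/" and drop tab/CR/LF inside URLs, so a string
  // containing them may not go where a naive prefix check thinks it goes.
  if (/[\\\u0000-\u001f\u007f]/.test(next)) return fallback;

  let url;
  try {
    url = new URL(next, base); // resolves relative, absolute and "//host" forms
  } catch {
    return fallback;
  }

  if (url.protocol !== 'https:') return fallback;        // no http:, javascript:, data:
  if (url.username || url.password) return fallback;     // "trusted@other-host" forms
  if (!ALLOWED_HOSTS.has(url.hostname)) return fallback; // exact match, not suffix
  if (url.port !== new URL(base).port) return fallback;

  // Emit a path-only value so the Location header never carries a
  // user-controlled scheme or host.
  return url.pathname + url.search + url.hash;
}

// Constructed inputs:
//   safeRedirectTarget('/cart?item=3')                 -> '/cart?item=3'
//   safeRedirectTarget('//other.example/login')        -> '/'
//   safeRedirectTarget('https://shop.example@other.example/') -> '/'
```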