Network Security Assignment Writing | GT CS 6262: Network Security Project 2: Advanced Web

GT CS 6262: Network Security
Project 2 : Advanced Web

Project Tasks (100 points):
Part 1: XSS Attack and Browser Extension Framebuster – (50 points)
Overview
This part aims to help you understand how a maliciously crafted text string can fool regex detectors. Detecting XSS attacks with regex is a bad idea in practice. We want you to experience this by conducting XSS attacks with your own scripts and bypassing the vulnerable XSS defender.

This website contains 3 input fields. Each input will be examined by three different regex patterns.

Your job is to compose 3 different XSS attacks that are able to bypass those 3 regex patterns. Note that your attacks must be EXECUTABLE HTML code in web browsers.
Remarks:
1. YOUR CODE MUST BE EXECUTABLE FOR FULL CREDIT. IF YOUR CODE PASSES OUR REGEX FILTER BUT DOES NOT EXECUTE, YOU WILL NOT RECEIVE FULL CREDIT. (You receive partial credit if your XSS passes the filter but does NOT execute. However, you don’t receive any credit in the other case, i.e., executable but failed to pass the filter.)
2. FOR GRADING PURPOSES, YOU MUST INSERT ALERT IN YOUR XSS ATTACK PAYLOAD.
Alert is a built-in JavaScript function that shows a pop-up message.
You are responsible for ensuring your XSS attacks are valid HTML so that the alert is properly interpreted and run by the web browser. Getting the SUCCESS response means your XSS attack bypassed our regex filter, but it does NOT necessarily imply that your script is executable.
You can learn the foundations of XSS and RegEx at the following links:

A whole script attack consists of opening and closing script tags with JavaScript statements embedded in between. Attackers inject the malicious code into the victim’s page in order to bypass the sandbox (e.g., Same Origin Policy) of web browsers.

For more details, please read this paper:
Protection, Usability and Improvements in Reflected XSS Filters

Frame Busting
An iframe is an HTML tag that embeds another HTML document in the current web page. The origin of the embedded HTML document can differ from that of the host web page the user is visiting.
Frame-busting is a technique that protects clients from clickjacking. It prevents web pages from being rendered inside a frame.
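Frame busting depends on script running inside the framed page. Browsers also enforce framing restrictions declared in response headers (Content-Security-Policy: frame-ancestors and X-Frame-Options). The following is an added example, not part of the assignment handout, that builds those headers for a Node.js-style response object; the helper names and the partner origin are assumptions.

```javascript
// Added example: anti-framing response headers enforced by the browser itself.
// Helper names are hypothetical; header names and values are the standard ones.

// policy: "none" (never framed), "self" (same-origin framing only),
// or a non-empty array of bare https origins allowed to frame the page.
function antiFramingHeaders(policy) {
  if (policy === "none") {
    return {
      "Content-Security-Policy": "frame-ancestors 'none'",
      "X-Frame-Options": "DENY",
    };
  }
  if (policy === "self") {
    return {
      "Content-Security-Policy": "frame-ancestors 'self'",
      "X-Frame-Options": "SAMEORIGIN",
    };
  }
  if (!Array.isArray(policy) || policy.length === 0) {
    throw new TypeError("policy must be 'none', 'self' or a list of origins");
  }
  const origins = policy.map((entry) => {
    const url = new URL(entry); // throws on strings that are not URLs
    // Accept only a bare https origin: no path, query, credentials or wildcard.
    if (url.protocol !== "https:" || url.origin !== entry) {
      throw new TypeError("not a bare https origin: " + entry);
    }
    return url.origin;
  });
  // X-Frame-Options has no interoperable allowlist form, so an allowlist
  // is expressed through CSP frame-ancestors only.
  return { "Content-Security-Policy": "frame-ancestors " + origins.join(" ") };
}

// Apply the headers to any object exposing setHeader(name, value),
// such as the response object of Node's http module.
function applyAntiFraming(res, policy) {
  const headers = antiFramingHeaders(policy);
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  return headers;
}
```

Because the browser applies these headers before rendering the document, the restriction holds whether or not the page's own script runs.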
One method to block client-side clickjacking is to place the following JavaScript snippet in each web page:
Chrome Extension
You will create a Google Chrome Extension to:
• Bypass the frame busting technique used in the sample website
If you are unfamiliar with browser extension development, check out a demo extension in the demo-color-changer-chrome-extension folder.
The most important component of a Chrome browser extension is the manifest.json file. It looks like:
{
  "name": "CS6262 Extension",
  "description": "A simple extension",
  "version": "1.0",
  "permissions": [
    "tabs",
    "notifications"
  ],
  "background": {
    "scripts": ["frame_buster.js"],
    "persistent": false
  },
  "browser_action": {
    "default_title": "Does something",
    "default_icon": "icon.png"
  },
  "manifest_version": 2
}

Part 1 Grading
General Requirements
• Do not use the “sandboxing attribute” of the browser to bypass the frame buster. Doing so will result in zero credit.
• Your extension must not pop up any kind of alerts which requires user interaction.
• You may use automatic notifications but no JavaScript alerts.
• Pop-ups that require user interaction will result in zero credit.
• Please make sure the page can be loaded within 3 seconds; otherwise it will result in zero credit.
• Do NOT hardcode any URLs in your source code. Your extension should work for ANY website if the same vulnerability is present. Otherwise, a 10 point penalty will be applied to your project grade.
• Your extension must work for the original Google Chrome in the given VM. We will not grade your extension outside the VM nor with other versions of Google Chrome in any different environment.
• No external libraries are allowed.
XSS Requirements
• You may not use the same XSS attack on multiple inputs. Each attack must be unique!
• Hard coded ‘Success’ is prohibited and will result in a 0.
• Your three answers should be placed on three separate lines in xss_attacks.txt
• Code must be executable.
• Must use alert in payload.
Frame Bust Requirements
• Your extension must not modify the appearance of the framed page. It should look exactly the same, pixel-by-pixel. Otherwise, a 10 point penalty will be applied to your project grade.
• Remove all references to files other than frame_buster.js from your manifest.json. You should not reference any other file like icon.png etc. Referencing files other than frame_buster.js may result in a 0 for this portion.
Deliverables
• manifest.json
• xss_attacks.txt
• frame_buster.js

Part 2: GTShop Vulnerabilities – (50 points)
Overview
The objective of this part is to help you understand some vulnerabilities that can be exploited in websites in a practical fashion.
You will be exploiting open redirect and clickjacking vulnerabilities. This portion of the project is broken into two parts: Open Redirect and Clickjacking.
Inside the VM, open Firefox by clicking on the browser icon located near the Start Menu. The browser should automatically bring you to the GTShop web page. You should see an online store that allows you to buy products.
Note: This shop is only accessible within the VM. Accessing the URL outside of the VM will bring you to a different website.
The GTShop has several vulnerabilities, which include susceptibility to open redirect and clickjacking.
Open Redirect
Overview
Open redirect is a session management related vulnerability that redirects the user to an unchecked domain or site. Generally, this vulnerability may be benign, but it can be used as a channel to deliver a browser exploit by redirecting users to a specifically crafted site.
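The "unchecked" part is what a site has to fix: the redirect target must be resolved and compared against known origins before it is used. The following is an added example, not part of the assignment handout or the GTShop code, of one such check; the function name, the fallback path and the sample origins are assumptions.

```javascript
// Added example: validate a user-supplied redirect target before using it.
// All names and sample values are hypothetical and constructed for illustration.
function safeRedirectTarget(raw, siteOrigin, allowedOrigins = []) {
  const fallback = "/";
  if (typeof raw !== "string" || raw.length === 0) return fallback;
  // URL parsers drop tabs and newlines, which can disguise the real target.
  if (/[\u0000-\u001f\u007f]/.test(raw)) return fallback;

  let url;
  try {
    // Resolve against the site origin the way a browser would, so that
    // scheme-relative and backslash forms are judged by the host they reach.
    url = new URL(raw, siteOrigin);
  } catch (err) {
    return fallback;
  }
  // Only web schemes; this rejects javascript:, data: and similar.
  if (url.protocol !== "https:" && url.protocol !== "http:") return fallback;
  // Userinfo makes the visible prefix differ from the real host.
  if (url.username || url.password) return fallback;

  if (url.origin === siteOrigin) {
    // Same site: emit a relative URL so the origin cannot change later.
    return url.pathname + url.search + url.hash;
  }
  // Cross-site targets must match an explicit allowlist entry exactly.
  return allowedOrigins.includes(url.origin) ? url.href : fallback;
}

// Constructed sample inputs, checked against a hypothetical shop origin.
function classifySamples() {
  const site = "https://shop.example";
  const allowed = ["https://pay.example"];
  const samples = [
    "/cart?item=3",
    "//other.example/x",
    "javascript:void(0)",
    "https://pay.example/return",
  ];
  return samples.map((s) => [s, safeRedirectTarget(s, site, allowed)]);
}
```

Comparing the parsed origin, rather than matching the raw string against a prefix or pattern, keeps the check aligned with where the browser will actually navigate.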