COMP 4108 Assignment 4

Due 11:59PM on March 27

Assignment out of 55 marks total

Submission Requirements (2 Marks)

For this assignment you will work individually.


You should submit the following TWO files:

  1. A PDF of your assignment report, including a cover page with the assignment details and your name with student number.
  2. A tar or zip file (yes, even if there is only a signle file included) containing any code or scripts that you wrote. Any included files must be referenced in the PDF report, else they will not be reviewed. See the General Page for instructions on how to create a tar file.

For each question, include the following (where applicable or otherwise unspecified):

  1. What you did (i.e., your answer to the question -- e.g., a command, action on a webpage, code run, etc.).
  2. How you did it (i.e., the exact command you ran to find the answer or complete an action if required -- e.g., Linux command line, area on a website that you went to, configuration, etc.).
  3. Your explanation of what you did and why you did it.
  4. The output or result of what you did, trimmed to include only the relevant output (i.e., cut out previous commands' text, un-needed text, etc.). This is often in the form of a screenshot.

Note that, depending on the question, some of the above requirements will not necessarily exist. Also, #1 and #2 from above can often be combined into a single screencap. Also note that some questions may explicitly state what to submit. This is to ensure you submit the correct information we're looking for, and the other requirements are expected as well (see list above).

These requirements may seem tedious and unnecessary; however, they are useful for markers to see that you completed each question, explained that you understood the question, and provided proof that the task was successfully completed.

Attention:

When in doubt, explain as much as you can. I need to see that you understand the answer and the process you used to get the answer. Not including an explanation or providing too little explanation may result in lost marks.

Introduction

Lab Setup

For this assignment you will be attacking web applications hosted on your VM. Two vulnerable web applications and an attack toolkit called BeEF have been preinstalled and configured to run on your VM.

For security purposes, your virtual machine only exposes port 22 (for SSH) to the network. Although OpenStack also opens up the HTTP port 80 and HTTPS port 443, the VM for this assignment is configured with iptables rules that block incoming connections to all but the SSH port - this has been done to prevent others from abusing your VM. Therefore, to access the web server (on port 80) and the BeEF toolkit (on port 3000), you must use SSH local port forwarding. This allows you to access services on your VM that are externally inaccessible, essentially bypassing the firewall by tunneling multiple connections through your existing secure SSH connection. To better understand this, you can think of the SSH server running on your VM as a "proxy" (exempt from all firewall rules) that can access any service on your VM, and then forward all traffic back to the SSH client running on your machine. SSH port forwarding is a common practice that is used to reduce the attack surface of a network by forcing remote users to authenticate themselves and establish an encrypted SSH tunnel through which they can access other services.

Important:
When prompted for a username/password (to log into BeEF or the DVWA vulnerable services) you should use username comp4108 and the password found here. The password to access this page with the DVWA password is the same as the one used for Assignment 2 and was posted on Brightspace in the Assignment 2 announcement.

Normally an attacker wouldn't run their instance of BeEF on the same machine they exploited to embed the hook code (See Section C, Question 1) as it would require having a shell account on the web server. To simplify this assignment BeEF has been installed on your VM alongside the vulnerable web applications. You'll have to use your imagination and pretend you were hosting BeEF locally. It's important to remember that an attacker doesn't need to install any of the BeEF toolkit onto a server to attack websites it hosts, just a script block loading the hook code. The hook code and the BeEF toolkit can be hosted anywhere.

SSH tunnels

As mentioned, your VM only exposes port 22 to the Internet and you need to access ports 80 and 3000 on the VM from your local machine. The best way to do this is by using what OpenSSH calls a "local port forward". This a type of tunnel that will enable you to map a local port on your machine to a remote port on any host that is accessible by your VM (in this exercise, the remote ports that we need to access are on the VM itself, i.e., localhost from the perspective of your VM, but generally speaking you can tunnel traffic to any IP and port combination that your VM can access).

The best place to learn about this type of forward is the SSH man page. Specifically you will want to read the section on the -L parameter (that is, dash capital L).

Using Linux or OSX you can create a local port forward using the -L parameter mentioned above with the command line ssh tool. On Windows, you can also use the command line (e.g., the Windows command-line now has an SSH client built-in, MobaXTerm, etc.), or use a GUI interface offered by, e.g., PuTTY or MobaXTerm. There are many tutorials online for configuring the GUI, such as this one, but the command-line option is recommended.

Hint:
Remember! You are trying to forward a port from your client machine to a localhost port of your VM.

Web Sec Fundamentals & Intercepting Proxies

The first rule of web application security is to never trust user input!. One of the fascinating things about web application security is just how malleable the input you provide to the server is. HTTP is an easy to learn protocol with a representation that lends itself to modification by humans. By providing malicious input that is handled improperly by the web application we can turn its own code and users against it.

To get a feel for how often untrusted input is the cause of a vulnerability class look at the OWASP Top Ten Application Security Risks 2010. Each of the 10 vulnerabilities has a fantastic summary page

OWASP also hosts detailed pages for each of the types of attacks you will be using in this assignment. The OWASP wiki pages have detailed explanations, sample exploits, as well as advice on finding and fixing the various attack types. You definitely want to read the pages for Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Command Injection and Path Traversal Attacks. Knowing some Javascript, HTML and the Document Object Model (DOM) would be useful but you should be able to succeed without deep knowledge. You are not asked to do any complex programming. The free W3Schools HTML tutorials and JavaScript tutorials might be helpful.

Burp

One of the most powerful ways to perform security testing (and even general testing in some cases!) of a web application is to configure your local machine's browser to use an intercepting proxy. Once configured to forward requests to a proxy you can use the browser to interact with a web application in normal fashion. Each request your browser makes is given to the proxy where (when enabled) the proxy will hold the request pending interaction from you. For each request you choose whether it should be dropped (never sent to the web app at all), or forwarded (to the web app). Before making the decision to forward the request you can easily edit any data before it is sent on. Editing data outside of the browser allows us to bypass ineffective (and annoying) limitations like javascript validation code and input field length limits. It also allows us to edit otherwise immutable headers automatically inserted by the browser.

For this assignment we will be using one of the most popular intercepting proxies Burp Suite. Burp is a commercial product offering a myriad of features useful for a professional penetration tester. Since we are just using the intercepting proxy feature of Burp Suite we can easily get by with the free version. The Burp suite intercepting proxy help pages detail the configuration options and basic usage.

BeEF

Often when demonstrating XSS vulnerabilities a researcher will show an alert popup created by their successful exploitation. Unfortunately this often leaves a casual observer wondering what the harm is in XSS. Even demonstrations showing cookie theft for session hijacking underplay the potential harm from an unpatched XSS vulnerability. Thanks to advances in modern browser technology (asynchronous javascript, web sockets, browser plugins, etc.) an attacker able to run javascript in your web browser from the context of an exploited website is quite powerful.

The Browser Exploitation Framework Project (BeEF) is a potent demonstration of this. BeEF is a modern attack tool built for penetration testers to leverage XSS vulnerabilities in order to create a network of browser bots. By including a hook script file that the BeEF tool provides over the network into the context of a victim page (usually by means of an XSS attack) the penetration tester is able to recruit the browsers that visit the victim page and execute the hook script. Once hooked, the browser communicates back to the BeEF command server and control panel where the penetration tester (or worse, a real attacker) can leverage plugins for interrogating the hooked browser, stealing cookies, and executing complex client-side code delivered on the fly.

BeEF even allows for transparently proxying data from the Penetration tester's machine through the hooked victim browsers. This can often allow an attacker to bypass firewall restrictions since the client will be behind the firewall and within the target network. BeEF also integrates nicely with the metasploit project, allowing for powerful client-side browser exploits. These would typically be used to break out of the limited javascript browser sandbox in order to execute native code and gain local root access.

In the last part of this assignment you will use an XSS vulnerability in one of the web applications to embed the BeEF hook script. By deliberately hooking your own browser you will get the chance to see what sorts of commands BeEF offers, and the dynamically updating interface it uses.

Part A - SSH Tunnels & Intercepting Proxy (5 Marks)

Before you can start attacking the vulnerable web applications hosted on your VM you first need to make the VM's services accessible to your local machine. This involves creating SSH tunnels for both Apache (port 80) and BeEF (port 3000). This assignment also calls for using a proxy (Burp Suite) specifically built for allowing skilled users to mangle their web traffic for testing the security of web applications. Please perform the verification steps as they are key to solving the rest of the assignment! Do not proceed until you are confident you have set your machine up correctly.

If you can't connect to BeEF, check these steps:
First, confirm that BeEF is not running by running ps aux | grep beef. If it isn't, you have two options to solve this problem:
  1. Run the following command each time you start the VM to start BeEF: /var/beef/beef
  2. Run the following script in your home directory, then reboot with the following commands (with root privileges):
sudo bash ~/fix_beef.sh
sudo shutdown -r now
If BeEF still does not work after running the above commands (again, this can be checked by running ps aux | grep beef, or via the web interface in quesion #4 below), please e-mail a TA.
  1. 1 Mark Set up a SSH tunnel to forward port 80 on your VM to port 9999 on your local machine (i.e. the one you are connecting to the VM from). Submit the command you run to accomplish this (if using Linux/OSX) or a screenshot of your PuTTY configuration (if using Windows).
  2. Verify that you can browse (from your local machine's browser) to http://localhost:9999 and see an Apache served webpage with two directories.
  3. 1 Mark Set up a SSH tunnel to forward port 3000 on your VM to port 3000 on your local machine. Submit the command you run to accomplish this (if using Linux/OSX) or a screenshot of your PuTTY configuration (if using Windows).
  4. Verify that you can browse to http://localhost:3000/ui/panel on your local machine and see the BeEF panel login page.
  5. 1 Mark Add an entry to your local machine's hosts file such that comp4108.ca is resolved to 127.0.0.1. Ensure you submit the path of the file you edited and the line you added, along with any other requirements.

    Hint:
    Wikipedia has a comprehensive table with the os-dependent location for the hosts file.

    Adding the hosts file entry allows you to fake a domain name for your VM. This is important as the Burp Proxy does not seem to intercept requests for localhost. In order to intercept requests in later steps you will need to use the comp4108.ca hostname.
  6. Verify that you can now browse to http://comp4108.ca:9999 and http://comp4108.ca:3000/ui/panel on your local machine.
  7. Download the free version of the Burp Suite to your local machine. Burp is java-based and runs on Linux, OSX, and Windows. The readme file accompanying burp will instruct you on how to run burp on your platform of choice. Once you have Burp running navigate to the proxy tab and turn intercept to on.
  8. 1 Mark Configure Firefox on your local machine to use burp as a HTTP Proxy. To do so, open the Firefox Preferences pane, and select the Advanced tab. Under Network click the Settings button. Set up a Manual proxy configuration that uses a HTTP Proxy on Port 8080 (the default Burp port) for all protocols.
  9. 1 Mark Verify when you use Firefox to visit http://comp4108.ca:9999 that the request is caught under the Burp Suite intercept tab. Try forwarding or dropping the request. Submit a screenshot of your captured request from the Burp intercept tab. You may want to turn off the intercept toggle until you need to inspect/manipulate messages.

    Hint:
    You may have better luck using Firefox to complete this assignment, as some other browsers (e.g., Chrome in particular) filter certain XSS attacks and may therefore prevent you from completing some of the challenges. NOTE: You may need to change the Browser Privacy settings to allow for cross-site cookies. To do this go to Settings > Privacy & Security > Browser Privacy and enable Custom and make sure Cookies is not selected.

Part B - Web Security 101 (36 Marks)

For each of the following questions you will exploit a vulnerability in the Damn Vulnerable Web Application (DVWA). It was written specifically to be used as a training tool to teach common web app vulnerabilities. DVWA has a configurable security level that allows you to simulate both textbook manifestations of a vulnerability class as well as commonly encountered mitigations. Poorly crafted vulnerability mitigations (e.g. incomplete blacklisting, improper input escaping, etc.) are often a roadbump that an attacker must work around.

For this assignment you should answer each question in both LOW and MEDIUM security. Start in low security so that there are fewer challenges to address in finding a solution. Once you have the low security solution working switch the security setting to medium and adapt your exploit so that it works reliably under the higher security setting.

In low security mode DVWA attempts no exploit mitigation strategies. You should stay in this security mode until you get your exploit working. Once you understand how to exploit the vulnerability consistently, change the security setting to medium. In this setting DVWA will attempt to block the most straight forward attack vectors and you will have to work around the protections.

Hint:
If you encounter a bug where the Security level will not change, clear the cookies in your local browser. The current DVWA security level is stored client-side in the cookie. Another option is to use Burp suite to intercept your requests to edit the cookie value such that only the correct security level is present. Either approach should work!
Note:
If you find that an answer works for both the Low or Medium difficulty, you are allowed to use that answer for both, but you must explain why the answer works for both. Just like any other question, failure to explain why the solution works for both difficulties will be marked as missing one (assuming you properly explain one of the two difficulties).
  1. Sign into DVWA with the username comp4108 and the password found here. The password to access this page with the DVWA password is the same as the one used for Assignment 2 and was posted on Brightspace in the Assignment 2 announcement. Note: You need the password from Brightspace to access the DVWA password at the link in the preceding sentences.
  2. Exploit the DVWA Command Execution vulnerability to read the contents of the file /var/www/secret_a.txt. You must get the contents of this file through the DVWA application by crafting a suitable command injection for the vulnerable page. Provide a description of the vulnerability (referencing lines in the DVWA source code), the contents of secret_a.txt and your exploit. For the medium security solution, describe how you had to adapt your low security solution to bypass any protections.
    2 Marks for Low Security Solution
    3 Marks for Medium Security Solution

    Hint:
    You can view the PHP source code of the vulnerable page you are on using the View Source button at the bottom right of the page Important: the code changes when the security level changes. When you are trying to adapt your low security solution for the medium security level be sure to focus on how the code is different on each security level.
    Hint:
    Think about bash shell fundamentals. How can you run two commands at once? What about combining the output of one command as the input to another? Have you seen any syntax tricks in previous assignments in bash scripts/solutions that might be helpful? Maybe some OWASP documentation will inspire you.
  3. On your local machine create a bare bones HTML file that exploits the DVWA Cross Site Request Forgery vulnerability. Whenever a user who has previously signed into DVWA opens your HTML file it should change their password to something of your choosing. The exploitation should happen automatically, and without user action/choice when your HTML page is loaded. Test your exploit by:
    1. Signing into DVWA using your local machine web browser (if you haven't already). This will get you a session cookie for DVWA so that you can pretend to be a victim of the CSRF exploit you wrote.
    2. Closing the DVWA tab/window (not necessary, but helps demonstrate the attack happens regardless of whether the victim has the vulnerable page open).
    3. Loading your exploit HTML file in your local browser. Remember, no input allowed!
    4. Returning to DVWA, logging out, and trying to log back in using the new password
    If your exploit works successfully then you were able to log back into the account using the NEW password that your exploit was programmed to use. Now imagine that you found a similar vulnerability in a more popular website and lured users of that website to your exploit page. CSRF is a powerful attack vector!

    In your submission, provide a description of the vulnerability (referencing lines in the DVWA source code and the role of cookies), a description of the exploitation process, and your exploit. For the medium security solution, describe how you had to adapt your low security solution to bypass any protections.
    2 Marks for Low Security Solution
    3 Marks for Medium Security Solution

    Hint:
    Remember that once your attack succeeds you won't be able to log back in using the comp4108 user and the old password! You will have to use your new password or change it back to the default after you demonstrate your attack.
    Hint:
    You may find the Burp interceptor useful to inspect and manipulate what is sent to the server.
  4. 2 Marks CSRF is made possible due to an insufficient implementation, or lack of, which security principle(s) from Chapter 1.7 of the course textbook? Given the principle(s) name and number, along with a brief explanation of why you selected the principle(s).
  5. 2 Marks The general idea of same-origin policy (SOP) (discussed in Chapter 9.4 and here) is in the spirit of which principle(s)? Given the principle(s) name and number, along with a brief explanation of why you selected the principle(s).
  6. Exploit the DVWA File Inclusion vulnerablity to include the contents of the file /var/www/secret_b.php. Provide a description of the vulnerability (referencing lines in the DVWA source code), a description of the exploitation process, and your exploit. For the medium security solution, describe how you had to adapt your low security solution to bypass any protections.
    2 Marks for Low Security Solution
    3 Marks for Medium Security Solution
  7. Solve each of the 8 XSS challenges on http://comp4108.ca:9999/MCIR/xssmh/challenges.htm. For each of the 8 challenges provide: a description of the vulnerability, a description of the exploitation process, and your exploit. Highlight any protections you were forced to work around, and how you did so. If you are unable to accomplish a challenge, you can receive part marks for describing how you attempted to tackle the problem.
    16 Marks. 2 per challenge

  8. 1 Mark Input sanitization is an example of following which principle(s) from Chapter 1.7 of the course textbook? Given the principle(s) name and number.

Part C - Where's the BeEF? (12 Marks)

In this section of the assignment you will be exploiting a persistent XSS vulnerability in DVWA to embed the BeEF hook script such that browsers that visit the vulnerable page are recruited into your BeEF botnet. This will require flipping between two separate browsers, one playing the part of the BeEF herder and one playing the beef being herded. Using BeEF you will have the herder machine attack the beef machine using a variety of the BeEF browser commands.


Note:
Sometimes the BeEF commands you try return useless results (e.g., the Browser Fingerprinting might not be able to gather valuable info). As the software is getting a bit old, and browsers are continually being updated, we expect some things to slowly break over time. If this happens to you, explain what you did, any explanation you can provide, and provide a screenshot of the output. I know this is an issue, so you won't lose marks if you've shown that you ran into the issue.
Hint:
There is often a delay of 2-10 seconds between executing a command in the BeEF control panel and receiving a result. Be patient!
  1. Using one browser (hereafter called the attack browser) exploit the DVWA Stored Cross Site Scripting vulnerability such that you are able to load the BeEF hook code at http://comp4108.ca:3000/hook.js into the context of the vulnerable page. Remember this is a persistent XSS vulnerability and you are exploiting a guestbook that maintains state across visits. You can exploit DVWA in low security mode only for this question, you do not need to get your exploit working in medium security mode. Provide a description of the exploitation process, and your exploit.
    2 marks
  2. On your local machine, open another web browser (Chrome, IE, Safari, etc.), hereafter called the victim browser, and visit the DVWA Stored Cross Site Scripting page that you exploited. The victim browser should now be hooked by BeEF due to the persistent XSS attack you embedded from Part C Question 1. If you do not want to use a different browser, then you should open new Private Browsing windows in Firefox to play the role of the victim browsers. BeEF is more fun with more hooked victim browsers, and each browser/private window can only be hooked once. Remember to keep the tab/window with the vulnerable DVWA page open in your victim browsers.
    3. Hint:
    If you use browser extensions like NoScript you may need to disable them temporarily for this section to work.
  3. In your attack browser load the BeEF control panel and verify that you see your hooked victim browser from Part C Question 2.
  4. Use BeEF to steal the DVWA cookie from your victim browser. Submit a description of which BeEF command(s) and features you used to accomplish the task, as well as the results generated.
    2 marks

    Just FYI:
    Stealing the cookie associated with a domain is an attractive target for an attacker. HTTP Cookies are often used for session management. If an attacker can steal your cookie for a given domain then they often gain the ability to impersonate you to that domain for the duration of your established session.
  5. Use BeEF to fingerprint the victim browser. Submit a description of which BeEF command(s) and features you used to accomplish the task, as well as the results generated. Aim to collect as much information about the victim browser as you can.
    2 marks
  6. Use BeEF to perform a fake flash update social engineering attack. Submit a description of which BeEF command(s) and features you used to accomplish the task, as well as the results generated. Also submit a screenshot of the flash update attack as seen from the victim browser.
    2 marks
  7. Use BeEF to perform a clippy social engineering attack. Submit a description of which BeEF command(s) and features you used to accomplish the task, as well as the results generated. You must also submit a screenshot of the clippy attack as seen from the victim browser.
    2 marks
  8. Use BeEF to perform a pretty theft attack using the Facebook dialogue type. Submit a description of which BeEF command(s) and features you used to accomplish the task, as well as the results generated. You must also submit a screenshot of the pretty theft attack as seen from the victim browser.
    2 marks

    9. Hint:
    You can find the pretty theft, clippy and fake flash update attacks under the BeEF command menu for a hooked browser.