Homework 3: Web Security

Due: Thursday, May 5, 10:00 pm through CMS.

Everything gets written down, formally, [in a logbook] so that you know at all times where you are, where you've been, where you're going, and where you want to get. In scientific work and electronics technology this is necessary because otherwise the problems get so complex you get lost in them and confused and forget what you know and what you don't know and have to give up. —Robert M. Pirsig, Zen and the Art of Motorcycle Maintenance

The learning objective of this homework is for you to gain hands-on experience with common vulnerabilities in web applications.

This homework is optional. If you choose to ignore this homework, it will be for you as if the homework never existed. More precisely, if you do not submit a solution to this homework, the homework component of your final grade in the course will be computed as the average of your grades on homeworks 1 and 2. If you do submit a solution, it will be graded, and the homework component of your final grade in the course will be computed as the average of your grades on homeworks 1, 2, and 3.

Teams

You must work on and submit this homework in a team of two or three students. You may not work with any students other than those in your team. Teams of size one are not allowed; you learn more when you work together.

Preparation

Caveat: the following is likely to require some system administration. I don't know any more about how to administer your system than you do. In fact, I probably know less, if only because it's yours and not mine. If you get stuck, you can employ the same strategy I would: google for documented solutions to your problem.

Download and install WebGoat, which is a

"deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson."

You'll also want to install an HTTP proxy, such as WebScarab. Note that you may need to install additional software if you lack some dependencies on your system. Pay particular attention to this warning in the Getting Started guide:

"When WebGoat is running it will make the host machine vulnerable to attack. If the machine is connected to the internet it should be disconnected."

I took the precaution of installing WebGoat inside a virtual machine, and I disconnect that virtual machine's network interface before starting WebGoat.

For what it's worth, I offer the following notes on how the installation process went for me:

Instructions

Caveat: There may be bugs in WebGoat. I don't know about them in advance, and I probably won't know how to fix them. But I still think you can profit from using it.

For a maximum grade of B+ on the homework, complete the following WebGoat lessons:

  1. HTTP Basics
  2. All of the lessons under the heading Parameter Tampering
  3. One of the following (your choice):
    1. The Lab on SQL Injection (under the heading Injection Flaws)
    2. The Lab on Cross-Site Scripting (under the heading Cross-Site Scripting)

For a maximum grade of A+ on the homework, complete all of the above lessons, including both labs.

One feature of WebGoat is that it includes solutions for all the lessons. So you're guaranteed to be able to produce code that solves each lesson. I therefore won't be assessing you on your solution code, per se. Instead, you should keep a hacking log for each lesson. Your log should follow this template:

| Hypothesis | Prediction | Experiment | Observation | Conclusion |
| --- | --- | --- | --- | --- |
| query that retrieves username and password is vulnerable to SQL injection | inserting malicious code into control on web page named "password" will cause query structure to change | set password's value to ' OR 1=1-- | application denies my login attempt | rejected |
| query that retrieves username and password is vulnerable to SQL injection | inserting malicious code into control on web page named "username" will cause query structure to change | set username's value to 'admin-- | application logs me in as admin without requiring password | confirmed |

In the example above, the hacker first tries to exploit the password field but finds that the application isn't vulnerable there. Then the hacker tries to exploit the username field and succeeds.

Also record in your log at which points you decide to access a new hint for the lesson, and at what point (if any) you decide to consult the provided solution. Your grade will not be affected by whether you look at hints or consult solutions.

For each lesson, submit a lesson report containing the following information:

In the Reflection section, briefly summarize what you learned from the lesson.

1337 Hackers

Sorry, there will be no competition this time. It doesn't make sense with this homework.

Submission

Submit a PDF containing the lesson reports for all the lessons you completed. You will be evaluated on the quality of your reports (especially logs), as well as whether you complete one or both labs (as detailed above).