Commit 15f7e6d

committed
progress
1 parent a148199 commit 15f7e6d

17 files changed

+168
-25
lines changed


exercises/00/problem.md

Lines changed: 2 additions & 2 deletions
@@ -8,11 +8,11 @@ You can see the exercies you'll need to complete listed to the left.
88

99
You are currently running a local HTTP server that's serving this workshop website to you. Look up at the URL bar of your browser. You can see the hostname (<script>document.write(window.location.hostname)</script>) and port (<script>document.write(window.location.port)</script>) of the local server.
1010

11-
In addition to this workshop server, you are running many local HTTP servers which are vulnerable to attack in various ways. Most of the exercises you will complete involve attacking or defending these vulnerable local servers. For security, these local HTTP servers are only listening on the local interface (`127.0.0.1`) and should not be accessible to other users on your local network. This means that folks connected to e.g. the same cafe Wi-Fi as you cannot connect to `http://<your-local-ip-address>:<port>` and try to attack these vulnerable local servers.
11+
In addition to this workshop HTTP server, we've also running many other local HTTP servers which are vulnerable to attack in various ways. Most of the exercises you will complete involve attacking or defending these vulnerable local servers. For security, these local HTTP servers are only listening on the local interface (`127.0.0.1`) and should not be accessible to other users on your local network. This means that folks connected to e.g. the same cafe Wi-Fi as you cannot connect to `http://<your-local-ip-address>:<port>` and try to attack these vulnerable local servers.
1212

1313
## What is your goal?
1414

15-
Since we're doing client-side attacks in this assignment, your goal is to come up with "attack inputs" that when entered into websites vulnerable to cross-site scripting (XSS) attacks you are able to execute any code you want in the victim's browser. Usually, this will involve you testing the "attack input" by entering it into a form input field, or as a URL parameter, etc. Once you can execute code in the victim's browser, you can prove this by calling the `success()` function that we've created for you. Remember to save the "attack input" you produced into the
15+
Since we're doing client-side attacks in this assignment, your goal is to come up with "attack inputs" that when entered into websites vulnerable to cross-site scripting (XSS) attacks you are able to execute any code you want in the victim's browser. Usually, this will involve you testing the "attack input" by entering it into a form input field, or as a URL parameter, etc. Once you can execute code in the victim's browser, you can prove this by calling the `success()` function that we've created for you. Remember to save the attack inputs which you produce into the`SOLUTIONS.md` file. This is what you will submit for grading.
1616

1717
## A quick note for the devious among you (all of you?)
1818
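Review bot: the rewritten line 11 introduces a grammar error; "we've also running many other local HTTP servers" should read "we're also running many other local HTTP servers" (or keep the original "you are running"). On line 15 a space is missing between "into the" and `SOLUTIONS.md`. The unchanged hunk header on line 8 still has "exercies" for "exercises"; worth fixing while this file is open.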

exercises/01/problem.md

Lines changed: 1 addition & 1 deletion
@@ -16,7 +16,7 @@ Find a way to inject a `<script>` tag into your competitor's site. Once you find
1616

1717
Since this is a Reflected XSS attack, take note of the fact that the URL of the victim site contains a URL-encoded version of your "attack input".
1818

19-
If you were truly evil, you could share that URL on social media and when innocent users click the link, your attack code should execute in their browsers, wreaking havoc. You could exfiltrate their cookies and log in as them, or take actions on their account, inluding deleting it. They'll have trouble raising their next round from investors when their user numbers start going down and to the right! 🤣📉🤣 Noobs!
19+
If you were truly evil, you could share that URL on social media and when innocent users click the link, your attack code should execute in their browsers, wreaking havoc. You could exfiltrate their cookies and log in as them, or take actions on their account, including deleting it. They'll have trouble raising their next round from investors when their user numbers start going down and to the right! 🤣📉🤣 Noobs!
2020

2121
You should try copying this URL and opening it into a new tab and confirm that your attack code runs immediately when the page is loaded. This is the power of Reflected XSS!
2222

exercises/09/problem.md

Lines changed: 32 additions & 0 deletions
@@ -1,4 +1,36 @@
1+
Your competitor is finally fed up with the lackluster results from the UC Berkeley graduate and decide to hire a student who has completed CS 253: Web Security. They are able to quickly implement a foolproof `htmlElementEscape()` function which defeats your shenanigans once and for all.
12

3+
Please read the code for `htmlElementEscape()` and ensure you understand how it works in detail.
4+
5+
```js
6+
function htmlElementEscape (str) {
7+
return str
8+
// Without the '<' character, no HTML tags an be created.
9+
.replace(/</g, '&lt;')
10+
11+
// This is not for security, but because '&' is the HTML escape character
12+
// and we don't want the user's input to be treated as an escape sequence.
13+
.replace(/&/g, '&amp;')
14+
}
15+
```
16+
17+
Now all your competitor needs to do is call this function whenever they put untrusted data directly into the HTML body somewhere. This includes inside normal tags like `div`, `p`, `b`, `td`, etc.
18+
19+
So, their updated route handler code probably looks something like this now:
20+
21+
```js
22+
router.get('/search', async (req, res) => {
23+
let q = req.query.q
24+
if (q == null) q = ''
25+
26+
q = htmlElementEscape(q)
27+
28+
const results = await getResults(q)
29+
res.render('hackoogle-search-page', { q, results })
30+
})
31+
```
32+
33+
Dang, it seems we're out of luck.
234

335
<iframe src='http://localhost:4090'></iframe>
436
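Review bot: in `htmlElementEscape()` the `&` replacement on line 13 runs after the `<` replacement on line 9, so every `<` first becomes `&lt;` and then `&amp;lt;`, which the browser shows as the literal text `&lt;` instead of `<`. Escape `&` first, then `<`. Also line 8: "no HTML tags an be created" should be "can be created". The route handler shown on line 29 renders `hackoogle-search-page`, but exercises/09/server.js in this same commit renders `hackoogle-search-page-2`; keep the problem text in sync with the code students will read.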

exercises/09/server.js

Lines changed: 11 additions & 8 deletions
@@ -11,15 +11,18 @@ router.get('/search', async (req, res) => {
1111
let q = req.query.q
1212
if (q == null) q = ''
1313

14-
q = q
14+
q = htmlElementEscape(q)
15+
16+
const results = await getResults(q)
17+
res.render('hackoogle-search-page-2', { q, results })
18+
})
19+
20+
function htmlElementEscape (str) {
21+
return str
1522
// Without the '<' character, no HTML tags an be created.
1623
.replace(/</g, '&lt;')
1724

18-
// This is not for security, but because '&' is the escape character and we
19-
// don't want the user's input to be treated as an escape sequence by
20-
// accident.
25+
// This is not for security, but because '&' is the HTML escape character
26+
// and we don't want the user's input to be treated as an escape sequence.
2127
.replace(/&/g, '&amp;')
22-
23-
const results = await getResults(q)
24-
res.render('hackoogle-search-page', { q, results })
25-
})
28+
}
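Review bot: `q` is escaped on line 14 before it is passed to `getResults(q)` on line 16, so a search for `a&b` or `a<b` queries the backend for the escaped string and the results no longer match what the user typed. Keep the raw query for the lookup and escape only the copy handed to the template (or escape inside the template at the output point). The replacement order inside `htmlElementEscape()` has the same double-encoding problem as in problem.md: the `&` replacement on line 27 must run before the `<` replacement on line 23. The unchanged comment on line 22 still reads "an be created".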

exercises/common/hackoogle-logo.ejs

Lines changed: 4 additions & 1 deletion
@@ -1 +1,4 @@
1-
<span class='blue'>H</span><span class='red'>a</span><span class='yellow'>c</span><span class='green'>k</span><span class='red'>o</span><span class='yellow'>o</span><span class='blue'>g</span><span class='green'>l</span><span class='red'>e</span>
1+
<!-- <span class='blue'>H</span><span class='red'>a</span><span class='yellow'>c</span><span class='green'>k</span><span class='red'>o</span><span class='yellow'>o</span><span class='blue'>g</span><span class='green'>l</span><span class='red'>e</span>
2+
-->
3+
4+
<span class='blue'>Cal</span><span class='red'>o</span><span class='yellow'>o</span><span class='blue'>g</span><span class='green'>l</span><span class='red'>e</span>
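Review bot: the old logo markup is kept as an HTML comment on lines 1 and 2 instead of being deleted; an HTML comment in an EJS template is sent to every client, and git history already preserves the previous version. Delete the commented block, or use an EJS comment tag (`<%# ... %>`) if it must stay in the file, since that is dropped at render time.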
Lines changed: 51 additions & 0 deletions
@@ -0,0 +1,51 @@
1+
<%- include('head') -%>
2+
3+
<div class='search-page'>
4+
<div class='header clearfix'>
5+
<h2 class='logo'>
6+
<a href='/'>
7+
<%- include('hackoogle-logo') %>
8+
</a>
9+
</h2>
10+
11+
<form action='/search'>
12+
<input class='search' type='text' name='q' value='<%= q %>' />
13+
<button type='submit'>Search</button>
14+
</form>
15+
</div>
16+
17+
<h3>Results for <%- q %>:</h3>
18+
19+
<p>Our results are the best! If you don't believe us check out the competition:</p>
20+
21+
<ul class='competition'>
22+
<li>
23+
<a href="https://www.youtube.com/watch?v=pxw-5qfJ1dk" target="_blank">
24+
<img src="Stanfoogle.gif" alt="Search for <%- q %> on Stanfoogle" />
25+
</a>
26+
</li>
27+
28+
<li>
29+
<a href="https://www.youtube.com/watch?v=kxopViU98Xo" target="_blank">
30+
<img src="cornelly.png" alt="Search for <%- q %> on Cornell.ly" />
31+
</a>
32+
</li>
33+
34+
<li>
35+
<a href="https://www.youtube.com/watch?v=SQoA_wjmE9w" target="_blank">
36+
<img src="hrvrdio.png" alt="Search for <%- q %> on Hrvrd.io" />
37+
</a>
38+
</li>
39+
</ul>
40+
41+
<div class='results'>
42+
<% results.forEach(result => { %>
43+
<p class='result'>
44+
<a class='title' href='<%= result.url %>'><%= result.title %></a>
45+
<a class='link' href='<%= result.url %>'><%= result.url %></a>
46+
</p>
47+
<% }) %>
48+
</div>
49+
</div>
50+
51+
<%- include('foot') -%>
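Review bot: lines 17, 24, 30 and 36 output `q` with `<%- q %>` (raw, unescaped), while the same value goes through `<%= q %>` (HTML-escaped by EJS) in the input on line 12. If the raw output is the intended teaching point of this exercise template, add an EJS comment (`<%# ... %>`) saying so, so that a later cleanup does not silently change the exercise. The external links on lines 23, 29 and 35 open with `target="_blank"` and should carry `rel="noopener noreferrer"`.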

exercises/common/head.ejs

Lines changed: 2 additions & 0 deletions
@@ -10,8 +10,10 @@
1010
</head>
1111

1212
<body>
13+
<input type='hidden' class='exercise-id' value='<%= exerciseId %>'>
1314
<nav class='iframeNav'>
1415
<div class='home'></div>
16+
<div class='newtab'></div>
1517
<form class='urlForm'>
1618
<input class='url'></div>
1719
</form>
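Review bot: the unchanged context line `<input class='url'></div>` (line 18 after this change) closes a `</div>` that was never opened inside the form; it should be a bare `<input class='url'>`. The new hidden input on line 13 uses `<%= exerciseId %>`, which is escaped, good; note that every template including head.ejs now requires `exerciseId`, so any render path that does not pass through the `res.locals` middleware in common/server.js will fail to render.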

exercises/common/server.js

Lines changed: 2 additions & 1 deletion
@@ -4,7 +4,7 @@ module.exports = {
44

55
const express = require('express')
66
const Router = require('express-promise-router')
7-
const { join } = require('path')
7+
const { basename,join } = require('path')
88

99
const COMMON_PATH = __dirname
1010
const ROOT_PATH = join(__dirname, '..', '..')
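Review bot: line 7, `const { basename,join } = require('path')`, is missing the space after the comma; the rest of the file follows standard style (for example `function createServer (port, serverDirname)`), so write `const { basename, join } = require('path')`.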
@@ -24,6 +24,7 @@ function createServer (port, serverDirname) {
2424

2525
router.use(async (req, res) => {
2626
res.set('X-XSS-Protection', '0')
27+
res.locals.exerciseId = Number(basename(serverDirname))
2728
return 'next'
2829
})
2930
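Review bot: `Number(basename(serverDirname))` on line 27 yields `NaN` for any exercise directory whose name is not purely numeric, and that `NaN` then lands in the hidden `exercise-id` input added to head.ejs; use `parseInt(..., 10)` with a check, or pass the exercise id explicitly to `createServer`. Visible in context on line 26: the handler deliberately sets `X-XSS-Protection: 0`, which is reasonable for a workshop server, but a one-line comment stating why would help readers of this file.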

exercises/common/static/cornelly.png

38 KB

exercises/common/static/hackoogle.css

Lines changed: 4 additions & 0 deletions
@@ -101,3 +101,7 @@ button {
101101
color: #1a0dab;
102102
text-decoration: none;
103103
}
104+
105+
.competition img {
106+
width: 150px;
107+
}

0 commit comments
