
Tutoring case: COMP90074 Assignment 1

May 15, 2020

School of Computing and Information Systems
COMP90074: Web Security
Assignment 1

Due date: No later than 11:59pm on Sunday 5th April 2020
Weight: 12.5%
Marked out of 100

Grading

This assignment is worth 12.5% of the total subject score. Note the hurdle requirement: students must obtain a minimum mark of 50% for Assignment 1 and 2 combined.

This assignment is broken down into three parts, as detailed below:

1. XSS → LocalStorage stealing (33%)
2. XSS → Scrape page → API AJAX call (33%)
3. Subdomain Takeover (GitHub Pages) → Logging → Get flag from logs (34%)

Submission

This assignment is an individual assignment; no collaboration is allowed. Plagiarism is taken very seriously and will be dealt with in accordance with university policies. If in doubt, please ask the lecturer.

To submit the assignment, please provide a document including identification of the vulnerabilities, how they were exploited, how the listeners were set up, the payloads used to exploit the vulnerabilities, and any code used throughout the assignment. Also provide an explanation for all of the above, ensuring that we can verify your understanding. Submit this document as a zip file with all code in separate files, clearly referenced in the document. This is to be submitted via Canvas.

Part 1 (33%): XSS → LocalStorage stealing

XYZ Corporation has engaged you as a Penetration Tester to perform a security assessment on their website. The website is currently under development and, due to some programming mistakes, has a few security vulnerabilities.

Your task is:

1. Visit the website (http://chall1.unimelb.life)
2. Perform a manual Penetration Test and identify the following vulnerability:
   a. XSS
3. Use the vulnerability to exploit the following:
   a. LocalStorage stealing
4. Document your findings with full details and screenshots so that XYZ Corporation can reproduce these findings.

Note: It is critical that the findings are written up clearly and in a reproducible manner. Without this write-up you will receive 0 marks for this section. If in doubt, please ask the lecturer prior to the due date.

Scope

- Testing must only be performed on http://chall1.unimelb.life
- Testing must be manual only. Manual tools may be used (Burp, Zap, etc.). No automated scanning or automated tools can be used.
- No load testing, denial of service (DOS) or distributed denial of service (DDOS) attacks.

Part 2 (33%): XSS → Scrape page → API AJAX call

XYZ Corporation has engaged you as a Penetration Tester to perform a security assessment on their website. The website is currently under development and, due to some programming mistakes, has a few security vulnerabilities.

Your task is:

1. Visit the website (http://chall2.unimelb.life)
2. Perform a manual Penetration Test and identify the following vulnerabilities:
   a. XSS
   b. CSRF bypass
3. Use the vulnerabilities to exploit the following:
   a. DOM stealing, extracting the CSRF token
   b. Perform the API call using the CSRF token
4. Document your findings with full details and screenshots so that XYZ Corporation can reproduce these findings.

Note: It is critical that the findings are written up clearly and in a reproducible manner. Without this write-up you will receive 0 marks for this section. If in doubt, please ask the lecturer prior to the due date.

Scope

- Testing must only be performed on http://chall2.unimelb.life
- Testing must be manual only. Manual tools may be used (Burp, Zap, etc.). No automated scanning or automated tools can be used.
- No load testing, denial of service (DOS) or distributed denial of service (DDOS) attacks.

Part 3 (34%): Subdomain Takeover (GitHub Pages) → Logging → Get flag from logs

XYZ Corporation has engaged you as a Penetration Tester to perform a security assessment on their external infrastructure. The infrastructure is very old (legacy) and some old applications have been removed. Some of the security staff may have forgotten to remove the DNS records.

Your task is:

1. Visit the website (http://<username>.unimelb.life; e.g. if your username is hello, then the URL is hello.unimelb.life)
2. Perform a manual Penetration Test and identify the following vulnerability:
   a. Subdomain takeover
3. Use the vulnerability to log the victim user's information. This logging will occur on the root domain, e.g. http://<username>.unimelb.life/?flag=example
4. Document your findings with full details and screenshots so that XYZ Corporation can reproduce these findings.

Note: It is critical that the findings are written up clearly and in a reproducible manner. Without this write-up you will receive 0 marks for this section. If in doubt, please ask the lecturer prior to the due date.

Scope

- Testing must only be performed on http://<username>.unimelb.life
- Testing must be manual only. Manual tools may be used (Burp, Zap, etc.). No automated scanning or automated tools can be used.
- No load testing, denial of service (DOS) or distributed denial of service (DDOS) attacks.

Note: Attacking another website outside of your own username will result in serious penalties. Assume it is unauthorised, making it illegal.

Grading Scheme

Marks will be awarded as follows, if a student provides the required code and explanations.

XSS → LocalStorage stealing (33%)

| Task / Subtask | Percentage Awarded on Full Completion | Accumulated Percentage |
|---|---|---|
| Identify XSS | 50% | 50% |
| Access localStorage | 25% | 75% |
| AJAX stealing localStorage | 25% | 100% |

XSS → Scrape page → API AJAX call (33%)

| Task / Subtask | Percentage Awarded on Full Completion | Accumulated Percentage |
|---|---|---|
| Identify XSS | 25% | 25% |
| Victim's page scraping | 10% | 35% |
| Reliably extract CSRF token | 35% | 70% |
| Logic of AJAX to API call | 15% | 85% |
| CSRF bypass and flag stealing | 15% | 100% |

Subdomain Takeover (GitHub Pages) → Logging → Get flag from logs (34%)

| Task / Subtask | Percentage Awarded on Full Completion | Accumulated Percentage |
|---|---|---|
| Perform subdomain takeover | 60% | 60% |
| Log victim's information | 30% | 90% |
| Obtain flag from logs | 10% | 100% |
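Part 3 turns on DNS records that were never cleaned up after an application was retired. The audit below is an added example, not part of the assignment or of XYZ Corporation's infrastructure: from the zone owner's side, it walks a zone's CNAME records, flags any chain that ends in a github.io hostname the organisation no longer controls, and guards against CNAME loops. The zone, the hostnames and the set of claimed Pages sites are all constructed.

```python
"""Audit a DNS zone for CNAMEs left pointing at GitHub Pages sites that no longer exist."""
from typing import Callable, Dict, Optional

GITHUB_PAGES_SUFFIX = ".github.io"
MAX_CNAME_HOPS = 8  # guards against CNAME loops in a misconfigured zone
# A zone maps hostname -> CNAME target, or -> None for a non-CNAME record (e.g. an A record).
Zone = Dict[str, Optional[str]]

def resolve_cname_chain(zone: Zone, name: str) -> str:
    """Follow CNAMEs from `name`; a target missing from the zone (NXDOMAIN) ends the chain."""
    current = name
    for _ in range(MAX_CNAME_HOPS):
        target = zone.get(current)
        if target is None:  # terminal record, or a name the zone does not know
            return current
        current = target
    raise ValueError(f"CNAME chain from {name} exceeds {MAX_CNAME_HOPS} hops")

def classify_subdomain(zone: Zone, name: str, pages_site_claimed: Callable[[str], bool]) -> str:
    """Return 'no-cname', 'not-github-pages', 'claimed' or 'TAKEOVER-RISK'."""
    if zone.get(name) is None:
        return "no-cname"
    terminal = resolve_cname_chain(zone, name)
    if not terminal.endswith(GITHUB_PAGES_SUFFIX):
        return "not-github-pages"
    # A *.github.io target is only safe while the organisation still owns that Pages site;
    # once the repository is gone, whoever claims the name serves content under our subdomain.
    return "claimed" if pages_site_claimed(terminal) else "TAKEOVER-RISK"

def audit_zone(zone: Zone, pages_site_claimed: Callable[[str], bool]) -> Dict[str, str]:
    """Classify every name in the zone, sorted so reports are stable."""
    return {name: classify_subdomain(zone, name, pages_site_claimed) for name in sorted(zone)}

# Constructed sample zone and ownership list (hypothetical hostnames, not the assignment's DNS).
SAMPLE_ZONE: Zone = {
    "www.example.test": None,                    # A record, nothing to take over
    "docs.example.test": "xyzcorp.github.io",    # Pages site still owned by the organisation
    "legacy.example.test": "old-app.github.io",  # app deleted, DNS record forgotten
    "blog.example.test": "cdn.example.test",     # CNAME chain into a third-party CDN
    "cdn.example.test": "cdn-provider.test",
}
SAMPLE_CLAIMED = {"xyzcorp.github.io"}  # Pages sites the organisation can prove it controls

def sample_audit() -> Dict[str, str]:
    return audit_zone(SAMPLE_ZONE, lambda host: host in SAMPLE_CLAIMED)
```

In a real audit `pages_site_claimed` would be backed by the organisation's own repository inventory rather than a hard-coded set, and every TAKEOVER-RISK entry is a record to delete, not one to leave until the application is rebuilt.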


Author: admin
