Cloud app security

This page contains information to get you started on the challenges provided for the lectures on cloud app security.

If you want to play with JSFlow in the browser you can download an (unreleased) experimental version that runs in Firefox. This version might be unstable, since it is under development. Please do not spread it further; there is an official release of JSFlow which will soon include the Firefox extension, Tortoise. If you find bugs we appreciate it if you report them to us!

Download Tortoise

Please note that, because the internal security model of Firefox changes quickly, Tortoise is not guaranteed to work in newer (or older) versions of Firefox. We develop Tortoise on Firefox 30.

You might be interested in the slides for Tuesday and the original slides for Thursday. If you want to download the source of JSFlow or play around with the online interpreter, head over to jsflow.net

Setup for injection challenges

Before you start you need to download Node.js from nodejs.org. The Hrafn app, the ad service and the analytics service are built using the Express web framework. You also need to download the source code for Hrafn and the other services.

Once you are set up you should see something like the following if you execute node -v

$ node -v
v0.12.2

Check that you have npm as well

$ npm -v
2.7.4

If you unzip hrafn.zip you should get three directories

hrafn/server
hrafn/adserv
hrafn/analytics

hrafn/server

The server of the main app. Before it can be started, the JavaScript libraries it uses must be downloaded and installed. You do this with npm install, which should result in something like this
$ npm install
passport-local@1.0.0 node_modules/passport-local
└── passport-strategy@1.0.0

passport@0.2.2 node_modules/passport
├── pause@0.0.1
└── passport-strategy@1.0.0
...

Don't worry, nothing is installed system-wide: npm downloads everything into the node_modules directory inside the app itself. Once the dependencies have been installed you start the server with node index.js, which should give

$ node index.js 
Node app is running on port 5000

indicating that the server is running and bound to port 5000. You can now browse to http://localhost:5000 and see Hrafn; of course, since the ad service and the analytics service are not running yet, those parts won't work.

hrafn/adserv

The ad service used by Hrafn. Again, you need to run npm install before you can run node adserv.js, which should give
$ node adserv.js 
Node app is running on port 4999

indicating that the server is running and bound to port 4999.

hrafn/analytics

The analytics service used by Hrafn. Again, you need to run npm install before you can run node analytics.js, which should give
$ node analytics.js 
Node app is running on port 4888

indicating that the server is running and bound to port 4888.

Putting it all together

If you start all three servers in different console windows you should be able to play with a working version of Hrafn!

The injection attacks

Your challenge is to implement the three injection attacks we have introduced during the lecture. I realize that not all of you have a strong background in JavaScript or the browser API. For this reason, the ads, the analytics and Hrafn are implemented to make use of the building blocks you need to perform the attacks. I believe that the code should be self-explanatory for a reasonably experienced programmer. If there is something you don't understand, ask a friend, me or Google for a solution; the Mozilla Developer Network (MDN) has a lot of useful information.

The analytics service injection attack

The simplest attack is the analytics service injection attack, since you are in direct control of the code that the analytics server provides. Create an attack that sends the credentials back to the analytics server.

Files that you are allowed to modify


The ad injection attack

This attack involves creating a new ad that injects code to steal the credentials and send them back to the attacker. There are two main challenges. First, at the risk of giving too much away: a script tag injected by assigning to innerHTML creates a script element, but the browser does not execute it. Second, where will you send the stolen credentials? You are not allowed to change the code of the ad server.

Files that you are allowed to modify

Note that the ad server serves the ads in the hrafn/adserv/ads/ directory in a round-robin fashion, in the order in which the OS lists the files.


The XSS attack

The XSS attack is the most powerful one, since it does not require control of any of the services. In fact, since Hrafn allows you to post anonymously, you don't even need an account. Find a way to craft a message that you post on Hrafn and that steals the credentials of subsequent logins. Can you make a user automatically post their credentials on Hrafn on login?

Files that you are allowed to modify


Literature

The Open Web Application Security Project (OWASP) is a non-profit organisation that provides a lot of interesting information on vulnerabilities and protection mechanisms. They also maintain the OWASP Top 10, a list of the most common vulnerabilities.

For information about Cross-Site Scripting (XSS) head over to http://www.cgisecurity.com/xss-faq.html. OWASP also has a cheat sheet on XSS prevention that illustrates well how complex the current techniques are.

On the topic of what the cloud and its benefits are.

A popular science text about the cloud.

On web sandboxes, the article by Politz, Guha and Krishnamurthi gives good background with multiple pointers to the sandboxes themselves. It is also a very good article that describes an interesting and impressive endeavour to verify the correctness of ADsafe. You can also visit their project page for more information, http://www.jswebtools.org/adsafety/.

Type-Based Verification of Web Sandboxes
Joe Gibbs Politz, Arjun Guha, Shriram Krishnamurthi

On the topic of the dangers of third-party script inclusion I recommend the article by Nikiforakis et al.

For information on information-flow control I recommend the following article written for the Marktoberdorf summer school 2011 as a starting point. It contains references to many of the standard works on both static and dynamic information-flow control.

A Perspective on Information-Flow Control
Daniel Hedin and Andrei Sabelfeld

For information about dynamic taint tracking I recommend the following technical report by Benjamin Livshits

For information on the fundamentals of dynamic information-flow control I recommend the following two articles

Dynamic vs. Static Flow-Sensitive Security Analysis
Alejandro Russo, Andrei Sabelfeld

For information on how to construct policies in the presence of mutual distrust I recommend, e.g.,

For decentralized policies in the web setting see, e.g.,

A Lattice-based Approach to Mashup Security
Jonas Magazinius, Aslan Askarov, Andrei Sabelfeld

Work relating to JSFlow

If you are interested in JSFlow, these are the articles that provide its foundations. This is the same list as on the JSFlow main page.

Value-sensitive Hybrid Information Flow Control for a JavaScript-like Language.
Daniel Hedin, Luciano Bello, and Andrei Sabelfeld
In Proceedings of the IEEE Computer Security Foundations Symposium (CSF) Verona, Italy, July 2015.

JSFlow: Tracking Information Flow in JavaScript and its APIs.
Daniel Hedin, Arnar Birgisson, Luciano Bello, and Andrei Sabelfeld
In Proceedings of the ACM Symposium on Applied Computing (SAC), Gyeongju, Korea, March 2014

Architectures for Inlining Security Monitors in Web Application.
Jonas Magazinius, Daniel Hedin, and Andrei Sabelfeld
In Proceedings of the International Symposium on Engineering Secure Software and Systems (ESSoS), Munich, Germany, February 2014.

Information-flow security for a core of JavaScript.
Daniel Hedin, and Andrei Sabelfeld
In Proceedings of the IEEE Computer Security Foundations Symposium, Harvard University, Cambridge MA, June 25-27, 2012. IEEE Computer Society Press.

Boosting the Permissiveness of Dynamic Information-Flow Tracking by Testing.
Arnar Birgisson, Daniel Hedin, and Andrei Sabelfeld
In Proceedings of the European Symposium on Research in Computer Security (ESORICS), Pisa, Italy, September 2012, LNCS, Springer-Verlag.