5/25/2019 Project 2: Write-up – Spring 2019 – Google Docs
CS6262 Project 2: Advanced Web Security
Spring 2019
Download the virtual machine for this project via one of the following links:
● Mirror #1:
● Mirror #2:
● Mirror #3:
Md5: 27a02e66974bb358d5297e0f1e762da4
Import the OVA file into the latest version of VirtualBox.
You are provided with a user account to log into this virtual machine. The credentials are:
You can use sudo if you need to install additional software like your favorite text editor. However, do NOT update any existing packages via apt-get or the dialog shown below.
If you accidentally updated packages, you need to restart with a fresh copy of the VM.
user
Part 1: Browser Extension (50 points)
The goal of this part is to help you understand how you can create a browser extension to defend against some well-known web application vulnerabilities. Browser extensions are small pieces of software that are installed in the browser to provide additional user functionalities.
A browser extension comes with a set of functionalities. It can modify the DOM of the page you visit, modify or block a web request, access user cookies, or execute a script in the context of the web page.
In this part, you will be writing a Chrome-based extension to detect and block a whole script XSS injection and bypass some client-side web-defense techniques.
This part involves creating a Chrome extension and using regular expressions to detect whole script XSS and bust frame-busting techniques.
Whole Script XSS
A whole script attack vector consists of an opening and a closing script tag with JavaScript statements embedded between the tags. Attackers inject the code into the victim's page.
To learn more about the whole script XSS, read this paper:
Protection, Usability and Improvements in Reflected XSS Filters
Frame Busting
An iframe is an HTML tag that allows embedding HTML content in a frame inside a normal HTML document.
Frame-busting is a technique that protects clients from clickjacking. It prevents web pages from being rendered inside a frame.
One method to prevent client-side clickjacking involves placing the following JavaScript snippet in each page:
<script>
if (top != self) top.location.href = location.href;
</script>
Chrome Extension
The most important component of a Chrome browser extension is the manifest.json file. Here is a sample manifest.json file:
{
  "name": "CS6262 Extension",
  "description": "A simple extension",
  "version": "1.0",
  "permissions": [
  ],
  "background": {
    "scripts": ["background.js"],
    "persistent": false
  },
  "browser_action": {
    "default_title": "Does something",
    "default_icon": "icon.png"
  },
  "manifest_version": 2
}
There are various keys like browser_action, permissions, and background. You must include these keys as one of the requirements of this extension.
For further information about the structure of a typical Chrome extension, refer to this link:
The manifest.json file may reference other files as necessary. For instance, in the above sample, background.js is a file included via manifest.json. This is similar to how you will create and reference your xss_detector.js and frame_buster.js files. The former deals with XSS detection and blocking, while the latter contains the code that bypasses the frame busting script.
For further reading, refer to
Task
Download and unzip the Part 1 skeleton files:
Mirror #1:
Mirror #2:
md5: b9b498e8961647a500490427136d7d3b
Create a Google Chrome extension to:
● Detect and block whole script XSS injection
○ The first step is detecting the whole script attack vectors. You should write a regular expression to catch all possible attack vectors which can be used in the input fields of a web page.
○ You can write the background JavaScript file (as a part of the manifest.json) in such a way that it takes the URL as well as any POST data associated with the request and uses the regular expression(s) to identify the XSS attack vectors.
○ Use the webRequest and webRequestBlocking APIs. You should be working with the chrome.webRequest.onBeforeRequest.addListener function, under which your whole XSS detection logic should be written.
● Bypass the frame busting technique used in the sample website
If you are not familiar with browser extension development, check out the demo color changer Chrome extension in the demo-color-changer-chrome-extension folder.
Sample Inputs for XSS Detection
Below is a subset of inputs that we will test. You need to create your regular expression(s) in such a way that all kinds of crafted attack vectors made by tweaking the script tags are detected. Any input which would result in executing a user entered script should be blocked.
Examples That Must Be Blocked
<script> alert(); </script>
<script/src=test.js></script>
<script src=test.js></script>
<div><script> alert(); </script></div>
Examples That Must Pass
<< ScRiPT >alert("XSS");//<</ ScRiPT >
<!-- <script>alert("meow");</script>-->
In general, if the Chrome browser in the VM executes a particular whole script attack vector, then you must block it.
You can test the XSS part of the extension for both GET and POST methods by using this sample test website:
When you open Google Chrome, you must turn off the default cross-site scripting protection (the XSS Auditor), otherwise Chrome may block a reflected vector before your extension ever sees it execute. To do so, execute the following command in a terminal to open the browser:
/usr/bin/google-chrome --disable-xss-auditor
Note that the test website does NOT return whether you handled the input correctly or not. If Chrome blocks the page, then that means your extension blocked the input that you tested with.
You only need to worry about blocking whole script attack vectors. These include both opening and closing script tags.
Partial script attack vectors (self-closing tags) should pass.
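The following is an added example of how the background script can be structured so that the matching logic can be exercised outside the browser; it is not the course skeleton and not a reference solution. It assumes a Manifest V2 extension whose manifest grants "webRequest", "webRequestBlocking", "notifications" and the "<all_urls>" host permission, and it uses a variable-length negative lookbehind so that a script tag inside an unclosed HTML comment (which the browser never executes) is not flagged; that construct requires V8 6.2 or later (Chrome 62+, Node 10+), which is an assumption about the grading browser. The only normalisation applied is the "+" to space and URI decoding the rules permit.

```javascript
// Added example (not the course skeleton): background-script XSS detector for a
// Manifest V2 Chrome extension. Two regexes only; pre-processing is limited to
// "+" -> space and percent-decoding, as the project rules allow.

// Opening tag: "<script" must be immediately followed by whitespace, "/" or ">",
// so "<< ScRiPT >" (space after "<") is not a tag and does not match. The negative
// lookbehind refuses a tag preceded by "<!--" with no "-->" in between, i.e. one
// that sits inside an HTML comment and would never run.
const start_script_re = /(?<!<!--(?:(?!-->)[\s\S])*)<script(?=[\s\/>])[^>]*>/i;
// Closing tag; HTML tolerates whitespace before ">".
const end_script_re = /<\/script\s*>/i;

// The only permitted normalisation: form-encoded "+" to space, then %-decoding.
function normalize(value) {
  const plusFixed = String(value).replace(/\+/g, ' ');
  try {
    return decodeURIComponent(plusFixed);
  } catch (e) {
    return plusFixed; // malformed %-sequence: inspect the raw text instead
  }
}

// True when the decoded input carries a whole script vector: an opening tag with
// a closing tag somewhere after it.
function isWholeScript(value) {
  const text = normalize(value);
  const start = start_script_re.exec(text);
  if (!start) return false;
  return end_script_re.test(text.slice(start.index + start[0].length));
}

// Every attacker-controllable string in a webRequest "details" object: the URL's
// query string plus any form fields (or raw bytes) of a POST body.
function candidateInputs(details) {
  const inputs = [];
  const q = details.url.indexOf('?');
  if (q !== -1) inputs.push(details.url.slice(q + 1));
  const body = details.requestBody;
  if (body && body.formData) {
    for (const values of Object.values(body.formData)) inputs.push(...values);
  }
  if (body && body.raw) {
    for (const part of body.raw) {
      if (part.bytes) inputs.push(new TextDecoder().decode(part.bytes));
    }
  }
  return inputs;
}

// onBeforeRequest listener: returning {cancel: true} makes Chrome drop the request.
function checkRequest(details) {
  const hit = candidateInputs(details).some(isWholeScript);
  if (hit && typeof chrome !== 'undefined' && chrome.notifications) {
    // Non-interactive notification; never alert(), which would need a click.
    chrome.notifications.create({ type: 'basic', iconUrl: 'icon.png',
      title: 'XSS blocked', message: 'Whole script vector in ' + details.url });
  }
  return { cancel: hit };
}

// Register only when running inside the extension (the `chrome` global exists).
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    checkRequest, { urls: ['<all_urls>'] }, ['blocking', 'requestBody']);
}
```

Run against the sample inputs above, the four "must be blocked" vectors are cancelled and the two "must pass" inputs are allowed; a GET such as search?q=%3Cscript%3Ealert()%3C%2Fscript%3E is blocked only after decoding, which is why the decode step is the one piece of pre-processing worth keeping.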
Example of Successful Whole Script Attack Block
Sample Website with Frame Buster
● Under the frame directory, there are two pages:
○ frame-busting-page.html
○ index.html
● Your extension (which contains frame_buster.js) should bypass the frame busting technique and frame the frame-busting-page.html page into the iframe of index.html (under the frame directory).
Example of Successful Frame Buster Buster
● Do not use the “sandboxing attribute” of the browser to bypass the frame buster. Doing so will result in zero credit.
● Your extension must not pop up any kind of alerts which requires user interaction.
○ You may use automatic notifications but no JavaScript alerts.
○ Pop-ups that require user interaction will result in zero credit.
○ Please make sure the page can be loaded within 3 seconds; otherwise this will result in zero credit.
● Do NOT hardcode any URLs in your source code. Your extension should work for ANY website if the same vulnerability is present. Otherwise, a 10 point penalty will be applied to your project grade.
● Your extension must work using the original version of Google Chrome provided in the VM. We will not grade your extension outside the VM.
● No external libraries are allowed.
● Both parts (XSS and Frame Busting) cannot conflict with each other. For example, if there is no frame busting code on a website, then the frame buster buster should do nothing.
● You must assign a regular expression to the variable start_script_re and use it in your code. Otherwise, a 5 point penalty will be applied to your project grade. Using the variable end_script_re is optional.
● You may NOT define additional regular expressions besides the ones assigned to start_script_re and end_script_re. Otherwise, a 10 point penalty will be applied to your project grade.
● You may NOT preprocess the input. This includes but is not limited to removing spaces, replacing characters, replacing strings, and performing regex replacements. Otherwise, a 10 point penalty will be applied to your project grade. The only pre-processing you can do is replace `+` with a single whitespace and also allow decoding the URI.
● start_script_re must match the start script tag. Otherwise, a 5 point penalty will be applied to your project grade.
● If end_script_re is used, it must match the end script tag. Otherwise, a 5 point penalty will be applied to your project grade.
● Do not directly copy the regular expressions from stackoverflow, otherwise a 5 point penalty will be applied to your project grade. Please explain the regular expressions you use in the comment.
● Zero credit is awarded automatically if both regex variables are null.
Frame Buster
● Your extension must not modify the appearance of the framed page. It should look exactly the same, pixel-by-pixel. Otherwise, a 10 point penalty will be applied to your project grade.
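Below is an added example of a frame_buster.js that satisfies the constraints above without the sandbox attribute and without touching the page's appearance; it is not the course skeleton. It assumes the manifest declares it as a content script with "matches": ["<all_urls>"], "run_at": "document_start" and "all_frames": true, that the framed page is same-origin with index.html (as the two files in the frame directory are), and that the page serves no Content-Security-Policy that would forbid an inline script. The approach targets the `if (top != self)` check the page quotes: a content script runs in an isolated world, so the function is injected into the page's own world before the page's scripts run, where it redefines `self` (and `parent`) to resolve to `top`. Busters that inspect `window.frameElement` are out of scope for this example.

```javascript
// Added example (not the course skeleton): frame_buster.js as a content script.
// Manifest assumption: "content_scripts": [{ "matches": ["<all_urls>"],
//   "js": ["frame_buster.js"], "run_at": "document_start", "all_frames": true }]
// document_start matters: the page's own <script> has not executed yet.

// Neutralises `if (top != self) top.location.href = location.href;` by making
// `self` and `parent` of the framed window resolve to `top`, so the comparison
// is always false and the page never navigates the top frame.
// Returns true when the window was patched, false when it is not framed (so a
// page without a buster, or the top page itself, is left untouched).
// Must be self-contained: it is stringified and injected into the page's world.
function neutralizeFrameBusting(win) {
  if (win.top === win) return false;       // not framed: do nothing
  for (const name of ['self', 'parent']) {
    Object.defineProperty(win, name, {
      configurable: true, enumerable: true,
      get: function () { return win.top; },
      set: function () {}                  // swallow re-assignments such as self = window
    });
  }
  return true;
}

// The condition the sample site's buster evaluates, kept separate for testing.
function frameBusterWouldFire(win) {
  return win.top != win.self;
}

// Extension entry point. The content script's isolated world shares the DOM but
// not the page's JavaScript globals, so the patch is delivered as an inline
// <script> element and then removed so the DOM stays pixel-identical.
if (typeof document !== 'undefined' && typeof window !== 'undefined' && window.top !== window) {
  const root = document.head || document.documentElement;
  if (root) {
    const s = document.createElement('script');
    s.textContent = '(' + neutralizeFrameBusting.toString() + ')(window);';
    root.appendChild(s);
    s.remove();                            // the code has already run
  }
}
```

The guard `win.top === win` is what keeps the two halves of the extension from conflicting: on a page that is not framed nothing is redefined, and no notification or alert is involved at any point.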
Deliverables
● manifest.json
● xss_detector.js
● frame_buster.js
You will earn credit as follows:
Successfully bust the frame buster. We will try 20 times and award 1 point per successful result.
XSS sample input tests pass
XSS secret input tests pass
Part 2: GTShop Vulnerabilities (50 points)
The objective of this part is to help you understand some vulnerabilities that can be exploited in websites in a practical fashion.
You will be exploiting open redirect and clickjacking vulnerabilities.
Open Redirect
Open redirect is a vulnerability in which a site forwards the user to an unchecked, attacker-controlled URL taken from the request (typically a query parameter). On its own the redirect may look benign, but it can be used as a channel to deliver a browser exploit by sending users to a specially crafted site, and because the link starts on a domain the user trusts, it is also an effective phishing primitive.
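As an added illustration (not GTShop code, and not part of the project), the difference between an open redirect and a checked one is easiest to see side by side. The parameter name `next` and the origin `http://shop.example` are assumptions; the hardened version accepts only a same-origin path and rejects the scheme-relative and backslash variants that naive prefix checks miss.

```javascript
// Added example (not GTShop code): an open-redirect handler and its hardened form.
// "next" and "http://shop.example" are illustrative assumptions.

// Vulnerable: whatever the client put in ?next= becomes the Location header.
function vulnerableRedirectTarget(query) {
  return query.next || '/';
}

// Hardened: accept only a path rooted on this site. The input is parsed with
// the WHATWG URL parser against the site's own origin (the same rules the
// browser applies), and the origin is re-checked, so "//evil.example",
// "http://evil.example", "javascript:..." and "/\evil.example" all fall back.
function safeRedirectTarget(query, origin) {
  const fallback = '/';
  const raw = typeof query.next === 'string' ? query.next : '';
  if (raw === '') return fallback;
  // Exactly one leading slash: rejects scheme-relative "//" and the "\" that
  // browsers treat as "/" in special schemes.
  if (!/^\/(?![\/\\])/.test(raw)) return fallback;
  let url;
  try {
    url = new URL(raw, origin);
  } catch (e) {
    return fallback;
  }
  if (url.origin !== origin) return fallback;     // belt and braces
  return url.pathname + url.search + url.hash;    // never echo an origin back
}
```

The returned value is a path, never an absolute URL, so even a future parsing quirk cannot turn the redirect into a cross-site one.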
Clickjacking
Clickjacking is a vulnerability that overlays a transparent iframe (or other DOM objects) over another object (for example, a button) that is visible to the user. When users click on the visible object, they will be clicking on the iframe instead, which triggers a different behavior than what the user expected.
Download and unzip the Part 2 skeleton files:
Mirror #1:
Mirror #2:
md5: ae9f8b51b9806359fae14cd8c73259a4
Inside the VM, open Firefox by clicking on the browser icon located near the Start Menu. The browser should automatically bring you to the GTShop web page. If not, navigate to it manually. You should see an online store that allows you to buy products.
Note: This shop is only accessible within the VM. Accessing the URL outside of the VM will bring you to a different website.
The GTShop has several vulnerabilities, including susceptibility to open redirect and clickjacking.
Open Redirect
● The user is logged out of
Task
Provide a URL in redirect.txt that redirects the user to the HDR Vision product page after he or she logs into the shop. The URL should be on the first line of redirect.txt. All other lines will be ignored by the autograder.
Example of Successful Redirect
Clickjacking
In this part of the project, you will use clickjacking to force a user to purchase an item that the GTShop is selling without them knowing.
We have provided you with a skeleton file called clickjack.html. It renders a dummy form that contains a text field for entering a query string and two buttons. The form does nothing out of the box.
Your first task is to add functionality to the dummy form. When the user types a string in the text field and clicks on the I’m Feeling Lucky button, he or she performs a product search on the GTShop with that same query string. This should bring the user to the product search results page.
The search results page shows an Info link next to each product that was found. Clicking on the Info link brings you to the product details page.
Your second task is to modify clickjack.html such that when the user clicks on any of the Info links on the search results page, then he or she ends up purchasing the corresponding item.
● The user is already logged into
● You do not need to worry about the product Stalker Copter since it is sold out.
● There is a known bug in the GTShop website: "Finals Avoider" is sold out but its description does not say so, and it cannot be purchased.
● We will not add or remove products from the shop.
● The query strings we test will return at least one product.
● You only need to care about the product name and id being purchased.
● !!! IMPORTANT !!!
The browser window is maximized, and the screen resolution is set to 1366×768.
You can verify the screen resolution by clicking on the Start Menu -> Preferences -> Monitor Settings.
Finally, to copy files onto the provided VM, you can use a file storage service such as OneDrive or Google Drive.
Example of Successful Exploit
User visits clickjack.html, enters "a" into the text field, and clicks on the I'm Feeling Lucky button.
The user is directed to the search results page for the chosen query. For the project, each info link should have a translucent overlay such as the following image.
User clicks anywhere on one or more Info links on a given search results page. Visiting the My products link shows that the user purchased the corresponding product(s).
● Your exploit must work using the original version of Firefox provided in the VM.
● Displaying pop-ups that require user interaction will result in zero credit.
● You must use at least one iframe, otherwise no credit will be awarded for this part.
● The iframe in your clickjacking page must be translucent, so that it is easier for us to grade. 10 points will be deducted if overlays are nearly transparent or difficult to
● In the real world, the attacker would make it transparent.
● Do not change the form id.
● Do not change any code between the comment tags <!-- !!! DO NOT MODIFY ANYTHING ABOVE THIS COMMENT !!! --> in clickjack.html
● Do not alter the appearance of the search form that is rendered by the clickjack.html that we provided.
○ To test this, open the clickjack.html that we provided in one browser tab and your clickjack.html in another tab. It should look exactly the same, pixel-by-pixel, if you switch between the two tabs.
● Your exploit should not break the GTShop's product search functionality.
● Your exploit should not modify the appearance of the GTShop's search results except for showing the translucent overlays.
○ To test this, perform a search using the GTShop site in one browser tab and then perform a search using your clickjack.html in another tab. It should look exactly the same, pixel-by-pixel, except for the translucent overlays.
● Your exploits must work with the original version of Firefox and the original version of the GTShop website that we provided in the VM.
● The user should NOT be brought to the product details page after being clickjacked. We will just click on some part of the blue Info link and expect a purchase to be made in the background.
● You may not use any third-party JavaScript libraries, except for jQuery. If you use jQuery, you must include this one from the CDN: jQuery has to be an external reference; we will not include a local copy in the autograder.
● The domain is not the same as The shop is located at
● Each overlay must cover the Info link entirely. However, the width of your overlays should not exceed the Info link column.
○ Properly positioning your overlays for different search results is critical.
● Overlays for one Info link should not collide with an overlay for another Info link.
● We will perform multiple purchases of different products on a given search results
● Each item can only be purchased once on the search results page.
● We will perform multiple different queries, and your implementation must work for all of them. These queries will not be revealed until grading is done.
Points will be deducted for not adhering to the assumptions and requirements.
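The positioning rules above (cover each Info link entirely, stay inside the link column, never let two overlays collide) come down to a small amount of geometry. The block below is an added example of that geometry, not the project's clickjack.html and not a solution: every coordinate in it is an assumption, and a real page would measure the decoy links with getBoundingClientRect() and work out the victim button's offset by inspecting the victim page. It uses the classic construction of a wrapper div the size of the decoy with overflow hidden and a negatively offset, translucent iframe inside it, which is what keeps the visible footprint exactly the decoy's box and prevents neighbouring overlays from overlapping.

```javascript
// Added example (not the project's clickjack.html): geometry for placing a
// translucent victim iframe over a decoy link. All numbers are illustrative.

// A wrapper <div> exactly the decoy's size (overflow:hidden) holds the victim
// <iframe>, shifted up/left so the victim's button is the only part showing.
// Clicks on the decoy land on the iframe; everything outside the wrapper is
// clipped, so it cannot reach a neighbouring decoy.
function overlayGeometry(decoyRect, buttonOffset, victimSize, opacity) {
  return {
    wrapper: {
      position: 'absolute',
      left: decoyRect.x, top: decoyRect.y,
      width: decoyRect.width, height: decoyRect.height,
      overflow: 'hidden',
    },
    iframe: {
      position: 'absolute',
      left: -buttonOffset.x, top: -buttonOffset.y,   // align the victim button
      width: victimSize.width, height: victimSize.height,
      border: 0, opacity,                             // translucent for grading
    },
  };
}

// The on-screen footprint of an overlay is its wrapper, whatever the iframe size.
function visibleRect(geometry) {
  const w = geometry.wrapper;
  return { x: w.left, y: w.top, width: w.width, height: w.height };
}

function rectsOverlap(a, b) {
  return a.x < b.x + b.width && b.x < a.x + a.width &&
         a.y < b.y + b.height && b.y < a.y + a.height;
}

// Sanity check before shipping a page: no two overlays may collide.
function anyOverlap(rects) {
  for (let i = 0; i < rects.length; i++)
    for (let j = i + 1; j < rects.length; j++)
      if (rectsOverlap(rects[i], rects[j])) return true;
  return false;
}

// Numbers become px lengths (opacity excepted); everything else passes through.
function cssOf(style) {
  const out = {};
  for (const [k, v] of Object.entries(style))
    out[k] = typeof v === 'number' && k !== 'opacity' ? v + 'px' : String(v);
  return out;
}

// Browser-only: builds one overlay per decoy rect. srcFor(i) returns the victim
// URL for row i (assumed; the real URL scheme is whatever the victim site uses).
function mountOverlays(doc, decoys, srcFor, buttonOffset, victimSize, opacity) {
  return decoys.map((decoy, i) => {
    const g = overlayGeometry(decoy, buttonOffset, victimSize, opacity);
    const wrapper = doc.createElement('div');
    const frame = doc.createElement('iframe');
    Object.assign(wrapper.style, cssOf(g.wrapper));
    Object.assign(frame.style, cssOf(g.iframe));
    frame.src = srcFor(i);
    wrapper.appendChild(frame);
    doc.body.appendChild(wrapper);
    return wrapper;
  });
}
```

Because the grading VM runs at a fixed 1366×768 with a maximized window, decoy rectangles measured once per search result are stable, which is what makes an absolute-position overlay viable; a page that can be resized would need to re-measure on every layout change.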
Deliverables
● redirect.txt
● clickjack.html
You will earn credit as follows:
All components of the redirect URL are correct. See nternet.doc/topics/dfhtl_uricomp.html
Search results are properly shown for the secret query strings that we test. To test this, compare your query results to the original GTShop page.
When the user clicks on the Info link of any item in the search results, he or she purchases the item that the Info link points to.
For example, if the Info link URL is detail?id=6, then Saddle is purchased.
The correct number of overlays is displayed on the search results page for all secret queries that we test.
For example, if a query returns five products, then there should only be five overlays on top of the five Info links.
Verifying File Hashes
You can verify that the skeleton files and VM were properly downloaded by comparing the resulting hash with the md5 values listed above:
Operating System: command
Windows: CertUtil -hashfile filename MD5
macOS: md5 filename
Linux: md5sum filename
Academic Integrity
All submitted code must be written by you. You may, however, borrow and cite examples from the papers related to this project.
Borrowing or adapting code from other students and websites like Stack Overflow, code repositories, and other sources is strictly forbidden.
You may not discuss specific approaches or solutions to the problems. Keep your discussions at a high level. Sharing code is strictly forbidden. Note that we monitor Piazza and Slack and will report you to the Office of Student Integrity if there is a violation.
You may not share test cases with others.
As a reminder, please review the Georgia Tech Honor Code and the course policies outlined in the syllabus. If you are unsure about what is allowed or not allowed, please open a private Piazza post.
Deliverables Summary/Requirements
There are 2 parts in total worth 100 points.
Please submit your deliverables on Canvas as separate files. Do NOT zip them.
We will grade only your last submission, and it MUST contain all of the files listed below!
Yes, that means your last submission must have 5 files!!!
Failure to follow this rule will result in a 5 point penalty on your overall project grade!
manifest.json: Chrome browser extension manifest file
xss_detector.js: XSS detector JavaScript file for Chrome browser extension
frame_buster.js: Framebusting bypass JavaScript file for Chrome browser extension
redirect.txt: Open redirect file
clickjack.html: Clickjacking HTML page
Not following the file naming convention results in a 5 point penalty per file.
We will grade your project using the original VM image that we provided and run your files on VirtualBox.
No points will be awarded for solutions that do not work in the provided virtual machine.
Do NOT submit extra files that are not listed above. They will be ignored by our autograder,
and we will NOT take them into consideration when grading.
Make sure your extension does not reference files that you are not submitting. Referencing icon.png is fine, since we will test with our own icon.png that is in the same folder as