Reminder: Cyber activities that involve unauthorized access, data modification, data destruction, or other malicious actions are prohibited by US Code, Colorado State Law, Uniform Code of Military Justice (UCMJ), and the Cadet Site Picture.

Preparation

Complete the following instructions before attempting an SQL injection or cross-site scripting (XSS) attack. You need only complete these steps once.

  1. Download the “sitting duck” and “armored duck” files to your computer (https://bit.ly/2Ns2IgL).
  2. Unzip the archive and place the security directory in the ~/public_html directory on your virtual machine (VM).
  3. Execute the create-database.sql script – e.g., use the MySQL command-line client from the terminal:

    sudo mysql < create-database.sql
    

    This command instructs the mysql client to execute all the SQL statements in the file create-database.sql (you must run the command from the directory that contains the file). A lack of error messages indicates that the SQL statements executed successfully.

  4. Change the permissions and group on the security directory. Enter the following commands in the terminal to perform this task:

    sudo chgrp www-data ~/public_html/security/
    chmod g+w ~/public_html/security/
    

Instructions

SQL Injection

Be sure to complete the preparation instructions before attempting this activity.

  1. Use an SQL injection against sitting-duck.html to gain access to the “admin” and “user” accounts without using a password.

    Entering invalid data, specifically values that contain an unmatched single quote, results in the SQL statement being displayed – e.g.,

    SELECT * FROM Accounts WHERE (Username='admin') AND (Passcode=''')
    

    From this query, it is straightforward to construct values that will permit access. Specifically, the passcode condition should evaluate to a true expression. One example is as follows:

    Field       Value
    Username    admin
    Password    ' OR TRUE) -- 

    being sure to include a space after the --, which signifies an end-of-line comment in SQL. When inserted into the prior query, the result is as follows:

    SELECT * FROM Accounts WHERE (Username='admin') AND (Passcode='' OR TRUE) -- ')
    

    where the password validation is now a tautology (followed by a comment).

  2. Try to use an SQL injection against armored-duck.html to bypass the need for a password.

    • The “armored” version uses prepared statements to defeat SQL injections.
    • Check the “Strip Slashes” and “Real Escape Sequences” check boxes to see what they do to the user inputs.

Cross-Site Scripting (XSS)

Be sure to complete the preparation instructions before attempting this activity.

  1. Open sitting-duck.html and enter <script>alert("I am here.");</script> in the “User Data” field.
  2. Open armored-duck.html.
    1. Enter <script>alert(document.cookie);</script> in the “User Data” field with just the “Store Data” option checked.
    2. Enter <script>alert(document.cookie);</script> with the “HTML Special Characters” and “Store Data” options checked.
    3. Try these inputs with other options checked.
      • How might you use this information to counter attacks on your web application?
      • How were these log entries produced from armored-duck.php?
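
As an added illustration (not part of the lab files), the following Python/SQLite stand-in contrasts the sitting-duck query built by string splicing with the armored-duck prepared statement, and shows the HTML-special-character encoding step from the XSS activity. The account names and passcodes are constructed sample values; sqlite3 and html.escape stand in for the lab's MySQL and PHP htmlspecialchars.

```python
import html
import sqlite3

# Constructed sample rows standing in for the lab's Accounts table
# (the real lab uses MySQL and PHP; this is an added Python/SQLite illustration).
SAMPLE_ACCOUNTS = [("admin", "s3cret-admin"), ("user", "s3cret-user")]


def make_db():
    """Build an in-memory Accounts table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Accounts (Username TEXT, Passcode TEXT)")
    conn.executemany("INSERT INTO Accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def vulnerable_login(conn, username, passcode):
    """sitting-duck style: input is spliced into the SQL text, so a quote in
    the passcode field rewrites the query. Returns the matched usernames."""
    sql = (f"SELECT Username FROM Accounts WHERE (Username='{username}') "
           f"AND (Passcode='{passcode}')")
    return [row[0] for row in conn.execute(sql)]


def armored_login(conn, username, passcode):
    """armored-duck style: a prepared statement with bound parameters. The
    input travels as data and is never parsed as SQL, so the tautology text
    is compared literally against stored passcodes and matches none."""
    sql = "SELECT Username FROM Accounts WHERE (Username=?) AND (Passcode=?)"
    return [row[0] for row in conn.execute(sql, (username, passcode))]


def render_user_data(text):
    """The 'HTML Special Characters' option: encode stored data before echoing
    it into a page so a <script> tag is displayed as text, not executed."""
    return html.escape(text)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR TRUE) -- "  # the handout's passcode value (trailing space)
    print(vulnerable_login(db, "admin", payload))  # ['admin'] with no password
    print(armored_login(db, "admin", payload))     # []
    print(render_user_data("<script>alert(document.cookie);</script>"))
```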