++++++++++++++++ Web Demo: grades ++++++++++++++++

The "grades" web demo provides a simple grading system, where students
can log in and see their grades, while a faculty member "steve" can both
see and edit grades. This web site can be used to demonstrate several
web security attacks, including SQL injection, CSRF and session
management attacks.

A. Virtual Network
==================

If using virtnet (http://sandilands.info/virtnet), then a suggested
topology is topology 7 (http://sandilands.info/virtnet/topologies),
which contains 5 nodes:

    1---              ---4
        ---        ---
           ---  ---
               3
           ---  ---
        ---        ---
    2---              ---5

node1 can act as a client running a web browser.
node2 can act as another client, also running a web browser.
node3 is a router. It can be used to view traffic between browser and
      server (e.g. using tcpdump).
node4 acts as the web server for the grading system.
node5 acts as another web server for a site controlled by a malicious
      user.

If topology 7, which contains 5 nodes, does not perform well on your
computer, then you may use a topology with fewer nodes (e.g. topology 5,
running the browsers on node1, and both servers on node3).

The following instructions assume you have created topology 7 and are
running the nodes.

B. Installation
===============

Set up the web server on node4:
-------------------------------

1. Start the MySQL and Apache web servers:

       sudo service mysql start
       sudo apache2ctl start

2. Change into the directory that contains these instructions. You are
   most likely already in it. If your svn base directory is in
   "/home/network/svn" then to change directory run:

       cd /home/network/virtnet/data/webdemos/grades

3. Create the "grades" directory in /var/www (using sudo, and then
   change ownership):

       sudo mkdir /var/www/grades
       sudo chown network.network /var/www/grades

4. Copy the web source to the directory created above:

       cp www/* /var/www/grades/

5. As the root MySQL user, create a database and user (if not already
   created). You will be prompted for the password of the root MySQL
   user, which is by default "network":

       mysql -u root -p < grades-users.sql

6. As the newly created MySQL webdemo_grades user (which has password
   "network"), update the tables:

       mysql -u webdemo_grades -p webdemo_grades < grades-tables.sql

Set up the web server on node5:
-------------------------------

7. Start the MySQL and Apache web servers:

       sudo service mysql start
       sudo apache2ctl start

8. Install both the "freestuff" and "ades" web sites on node5. These are
   needed for a CSRF attack and unvalidated redirect attacks,
   respectively. Log in to node5 and enter the webdemos directory, then
   copy the web sites:

       cd /home/network/virtnet/data/webdemos
       sudo mkdir /var/www/ades
       sudo chown network.network /var/www/ades
       sudo mkdir /var/www/freestuff
       sudo chown network.network /var/www/freestuff
       cp ades/www/* /var/www/ades/
       cp freestuff/www/* /var/www/freestuff/

Set up the domain names:
------------------------

9. On all nodes, add the following lines to the /etc/hosts file:

       192.168.2.21 www.myuni.edu
       192.168.2.22 www.freestuff.com
       192.168.2.22 www.myuni.edu.gr

   If you are using a topology other than topology 7, then you need to
   modify the IP addresses above (to the IP addresses of the nodes
   running the web server for the grades website and the freestuff
   website, respectively).

Set up Lynx
-----------

10. It is suggested to make use of the text-based browser Lynx in some
    attacks. To configure Lynx to save cookies in a file, do the
    following on the nodes that will run a browser (node1 and node2):

       cp /home/network/virtnet/data/webdemos/grades/lynx.cfg /home/network/

C. Starting the Demo
====================

On node1 visit http://www.myuni.edu/grades/

Either Lynx or Firefox (or similar) may be used as the browser in most
attacks. However, for the analysis and modification of cookies in the
Login attack, it is recommended to use Lynx (as it is very easy to edit
cookies). For the CSRF attack it is recommended to use Firefox (as it
displays images).

If you are using Lynx on node1, you visit the website by typing the
following on the terminal:

    lynx -cfg=lynx.cfg http://www.myuni.edu/grades/

Use the Up/Down arrows to traverse the links in the page and the Right
arrow to follow a link. Basic instructions are included in the Help on
the web site.

If you are using Firefox (or another GUI-based browser), then you must
run it on your host machine and then use a proxy to redirect your
requests to node1. See:

http://sandilands.info/sgordon/accessing-virtualbox-guests-using-ssh-winscp-tunnelling#browser

D. Updating and Changing Demo
=============================

If you've made changes to the web pages and/or data in the database and
you want to revert to the original demo, then simply repeat the
installation steps 2, 4 and 6.

If you want to edit the data loaded into the database (e.g. change
usernames/passwords, add different initial grades), then edit the file
grades-users.sql in a text editor (it is a set of SQL statements). Then
repeat step 5 from the installation instructions.

E. Capturing Traffic
====================

With topology 7, node3 acts as a router: all traffic between browsers
and servers passes through node3. To see the traffic details you can run
tcpdump on node3.

One way to use tcpdump is to write the captured packets to a file, then
when finished transfer the file to your host and open it in Wireshark.
To capture on node3 with tcpdump:

    sudo tcpdump -i eth1 -w file.cap

Another way to use tcpdump is to display packet information directly in
the terminal (without writing to a file). There are many formats and
filters for displaying packets. A useful one is to display all HTTP
messages, i.e. TCP port 80 segments that actually carry data (the
arithmetic subtracts the IP and TCP header lengths from the IP total
length, so bare ACKs with an empty payload are not shown):

    sudo tcpdump -i eth1 -A -n 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
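To show what the tcpdump filter above is actually computing, here is an added Python example (not part of the original demo files) that evaluates the same three BPF fields on raw IPv4/TCP packet bytes: ip[2:2] is the IP total length, (ip[0]&0xf)<<2 is the IP header length in bytes, and (tcp[12]&0xf0)>>2 is the TCP data offset in bytes. The packets it inspects are constructed inline with a small builder so the script runs offline; the addresses, ports and HTTP request text in it are made-up sample values, not captures from the demo network.

```python
import struct

# Constructed sample addresses (arbitrary; only used to build test packets).
SRC_IP = bytes([192, 168, 2, 1])
DST_IP = bytes([192, 168, 2, 21])


def build_ipv4_tcp(sport, dport, payload=b"", tcp_options=b""):
    """Build a minimal IPv4 + TCP packet (no link-layer header, checksums
    left at zero). Used only to construct sample input for the filter."""
    # TCP options are padded to a multiple of 4 bytes, as on the wire.
    tcp_options += b"\x00" * (-len(tcp_options) % 4)
    data_offset_words = (20 + len(tcp_options)) // 4
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        sport, dport,
        1, 1,                      # seq / ack numbers (arbitrary)
        data_offset_words << 4,    # data offset lives in the high nibble of byte 12
        0x18,                      # flags: PSH+ACK
        65535, 0, 0,               # window, checksum (unset), urgent pointer
    ) + tcp_options
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,        # version 4, IHL 5 words (20 bytes, no IP options)
        0, total_len, 0, 0x4000, 64,
        6,           # protocol 6 = TCP
        0, SRC_IP, DST_IP,
    )
    return ip_hdr + tcp_hdr + payload


def ipv4_tcp_payload_length(packet):
    """Evaluate (ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)."""
    total_len = struct.unpack("!H", packet[2:4])[0]      # ip[2:2]
    ihl_bytes = (packet[0] & 0x0F) << 2                  # (ip[0]&0xf)<<2
    tcp_start = ihl_bytes                                # tcp[...] offsets start here
    data_offset_bytes = (packet[tcp_start + 12] & 0xF0) >> 2  # (tcp[12]&0xf0)>>2
    return total_len - ihl_bytes - data_offset_bytes


def matches_http_data_filter(packet):
    """Same decision as:
       tcp port 80 and ((<ip total> - <ip hdr>) - <tcp hdr>) != 0"""
    if packet[9] != 6:                                   # not TCP
        return False
    ihl_bytes = (packet[0] & 0x0F) << 2
    sport, dport = struct.unpack("!HH", packet[ihl_bytes:ihl_bytes + 4])
    if 80 not in (sport, dport):                         # 'tcp port 80'
        return False
    return ipv4_tcp_payload_length(packet) != 0


# Constructed sample packets: a bare ACK, a GET request, a response that
# carries TCP options, and non-HTTP traffic with data.
EMPTY_ACK = build_ipv4_tcp(40000, 80)
HTTP_GET = build_ipv4_tcp(40000, 80, b"GET /grades/ HTTP/1.1\r\nHost: www.myuni.edu\r\n\r\n")
HTTP_RESP = build_ipv4_tcp(80, 40000, b"HTTP/1.1 200 OK\r\n\r\n",
                           tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8)  # NOP,NOP,timestamp
OTHER_PORT = build_ipv4_tcp(40000, 8080, b"hello")


def filter_summary():
    """Return which of the sample packets tcpdump's filter would print."""
    samples = {"EMPTY_ACK": EMPTY_ACK, "HTTP_GET": HTTP_GET,
               "HTTP_RESP": HTTP_RESP, "OTHER_PORT": OTHER_PORT}
    return {name: matches_http_data_filter(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, shown in filter_summary().items():
        print(f"{name:10s} payload={ipv4_tcp_payload_length(globals()[name]):3d}  shown={shown}")
```

The point of the payload-length test is visible in the result: a TCP handshake or pure ACK on port 80 has a payload length of zero and is dropped, while the GET and the response are kept even when the TCP header is longer than 20 bytes because of options, which is exactly why the filter reads the data offset from tcp[12] rather than assuming a fixed header size.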