Submit TWO files to Brightspace:
code_package[.tar.gz/.tar.xz/.zip], containing any requested code or script files. The names for these files will be specified in the relevant question.report.pdf, with your answers to assignment questions. At the top of the first page, include all of the following: your full name(s), your student number(s) (if you are working in a group, both members of the group must be listed), the course number, the assignment number, and the date.If you are working in a group, only one member of the group needs to submit.
This section explains the setup steps for this assignment. You do not have to submit anything for this section.
If you have completed the setup steps for Assignment 1, you will already have created a Linux virtual machine for this course on the SCS OpenStack platform. You will re-purpose that VM instance for this assignment.
Follow the instructions from Assignment 2 to rebuild your VM instance against the comp4108-w26-assignment-04 image. Once you have, connect to it and change your password.
This assignment will require the use of a custom hostname mapping, from comp4108.ca to 127.0.0.1 (localhost). This mapping will be necessary for a CSRF exploit performed in Part B. You will need to set this in the location specific to your OS.
MacOS / Linux – Add the following line to /etc/hosts as a superuser, at the very bottom of the file: 127.0.0.1 comp4108.ca
Windows – Open C:\Windows\System32\drivers\etc\hosts as an administrator, then add the following line at the very bottom of the file: 127.0.0.1 comp4108.ca
Relevant textbook sections: 10.3 (read ahead to Figure 10.6 on page 295)
Your remote VM should be running two web services for this assignment: one is bound to port 80, the other to port 3000. (We will explain what these services do in later parts.) These services are insecure and should not be exposed to the outside network—your VM only exposes port 22, for you to use the SSH protocol. To reach the two web services from your local machine, you will use what is called SSH port forwarding. Traffic sent over ports 80 and 3000 of the remote machine VM will then travel through an SSH tunnel that connects, respectively, to local ports 9999 and 3333 on your machine.
Note that an ssh client process must remain alive for port forwarding to continue working. The process will run silently in the background, but restarting your local machine, or getting a Connection reset by peer error after a period of inactivity, means you will need to set up port forwarding again.
access.scs.carleton.ca as a proxy in Assignment 1, you will need to do so here. The Assignment 1 instructions show you how to configure a jump directive depending on your client.
MacOS / Linux – Initialise a local (-L) port forwarding SSH tunnel in the background (-f) by executing the following command.
ssh -N -L 9999:localhost:80 -L 3333:localhost:3000 -f [your-VM-external-IP-address](Aside: In this command, localhost:80 and localhost:3000 will be interpreted by the remote machine's SSH daemon, relative to itself.)
localhost:80, and another rule to forward your port 3333 to localhost:3000.
Verify that your port forwarding is working correctly by navigating to http://comp4108.ca:9999 and http://localhost:3333/ui/panel. Both links should resolve to a webpage.
Note: Instructions are current as of Sept 2025.
Some of the questions in this assignment rely on specific browser protections being disabled. We recommend that you use the Firefox browser by Mozilla. (If you already use Firefox as your main web browser, consider creating a new profile for this assignment before changing your settings. The profile manager can be accessed at about:profiles, and you can consult Mozilla's documentation for the feature here.) Once the browser is installed, enter the Settings screen by clicking the menu button, then clicking Settings:
Relevant textbook sections: 9.1, 9.7
This assignment explores several classes of web-based attacks, and how these harm both browser users and service providers, with the use of vulnerable web applications. We begin with common web vulnerabilities that specifically enable a malicious client to read or modify privileged information on the hosting web server. Potential impacts range from revealing implementation details about the host process, to leaking user application data, to performing arbitrary code execution. (The OWASP Top 10 provides a regularly updated overview of the most common categories of web security threats, if you want to learn more.)
We illustrate these attacks by using the Damn Vulnerable Web Application (DVWA), a sandbox application for educating about web security threats, and their various mitigations. Each tab of the application's interface focuses on a different vulnerability, and has a configurable "Security Level" to change which mitigations are used to secure itself. DVWA is already an available service on your VM, and your port forwarding has made it accessible on port 9999, at http://comp4108.ca:9999/DVWA. To login, use the user name comp4108 and the password found in the Brightspace announcement for this assignment. (If you get a CSRF token error, try again.)
Some usage notes for DVWA:
/etc/passwd onto the page. Explain the vulnerability on this page, and how you were able to exploit it successfully.ping an IP address of their choosing.
phpinfo.php. (The PHP manual has a "Hello World" example, if you have never written a PHP file.) This new page only needs to call the phpinfo() function. Explain the vulnerability on the DVWA page, and how you were able to exploit it successfully, including the exact string you submitted. Refer to relevant parts of the DVWA source code, and any mitigations you noticed, in your explanation.
index.php file for the directory, which has a special file name that does not need to be explicitly referenced in the URL. You can navigate to index.php explicitly if that helps to situate yourself. Your phpinfo.php file should be created in the same directory where index.php sits.echo a string to the page on Security Level low first. Then, change Security Level back to medium.phpinfo.php: how might this information be useful to a malicious user of the web application?5.
user and password column values in the users table. The database (MariaDB) uses MySQL-flavoured SQL syntax. Explain the vulnerability on this page, and how you were able to exploit it successfully. Refer to specific parts of the DVWA source code in your explanation.
UNION keyword.prepare and bindParam functions is effective at preventing the original exploit.
Relevant textbook sections: 9.1, 9.3, 9.5, 9.6
This part involves two additional classes of web-based attacks, cross-site request forgeries (CSRF) and cross-site scripting (XSS) attacks. In contrast to Part A, these classes primarily involve exploiting the actions of regular users of a vulnerable web application.
A web browser will typically render a web page and execute its scripts exactly as specified by the page's host, rather than ask the browsing user before doing so. Therefore, a user implicitly trusts that a page link or action will not result in the execution of malicious code. Although modern browser security measures insulate users from many threats, various attack vectors continue to exist due to both old and new vulnerabilities in web applications.
We will again use DVWA to demonstrate a common style of CSRF attack, and effective mitigation techniques. XSS attacks are more varied in their execution, however, so we will use a different vulnerable application called XSSmh. This application is also already available on your VM, and can be accessed at http://comp4108.ca:9999/MCIR/xssmh.
11 Marks (total) For the following questions, you will run a basic web server on your local machine to serve HTML content. Create a directory to hold your HTML files called csrf-4108. Then, choose from the following two options to start a web server for files in your new directory:
http.server module to open a web server on port 5000 in your terminal: python3 -m http.server -d ./csrf-4108 5000hfs executable contained within. Once the admin panel opens:
csrf-4108 directory, and then click the Select This Folder button at the bottom of the dialog..hfs folder created in your home directory, as well as the hfs executable itself.
Once you have set up your web server, confirm that it is working by navigating to http://localhost:5000—you should see a file browser.
In a separate tab, navigate to the CSRF tab of DVWA. This page simulates a password change form where the user must enter (and then confirm) their new password. The "Change" button then submits the form to the web server.
csrf-4108 that, once opened with DVWA Security Level set to low, exploits the CSRF vulnerability on DVWA to overwrite the password of the logged-in user to a password of your choice. The exploit should occur automatically after opening the HTML file from your web server, without any further interaction from you. To confirm that your exploit worked, click the Test Credentials button on the DVWA page, and try the new password. Explain how your CSRF works, and why it was possible on this DVWA page. Submit your HTML file with your code package as b-1-csrf-low.html.
csrf-4108 that exploits the CSRF vulnerability as per the previous question, but circumventing these new mitigations. Explain how you worked around these new measures. Submit your HTML file with your code package as b-1-csrf-medium.html.9 Marks (total) Use the XSSmh web application to solve 5 of its 8 challenges relating to XSS attacks. To reach these from the application's main page, click the Challenges link below the page's title. Each challenge features an input box for you to provide text, and when you click the "Inject" button, your text will appear somewhere within the HTML of the next page. For most of these, your goal is to force a Javascript dialog, populated with a message, to display on page load using the alert() function. You may refer to an online guide on Javascript XSS strategies, but you must cite it if you do.
For each challenge, briefly describe the scenario, then provide the exact input you used in text form, and then explain how your exploit works.
Relevant textbook sections: 7.7, 7.8, 9.3, 9.5, 9.6
This part leverages a persistent XSS vulnerability in DVWA to inject a browser control script into the page. The goal is to demonstrate the extent of the control that malicious scripts can have over what a browser displays, and what actions it can be forced into taking.
We illustrate this with the use of the Browser Exploitation Framework Project (BeEF). The main purpose of BeEF is to enable penetration testers to easily test browser attack vectors. BeEF has two main components: the hook script, which is Javascript code to be executed by the victim browser, and a control panel, which acts as a command and control (C2) server. As long as the hook script is loaded on the browser, the C2 server is able to inspect the browser and deliver payloads for it to execute.
The BeEF control panel is running on your VM, and available locally on your local machine on port 3333, at http://localhost:3333/ui/panel. To login, use the same credentials that were provided for DVWA.
2 Marks Navigate to the XSS (Stored) tab of DVWA. This page features a guestbook, with a form enabling users to submit their name and a comment. This is then stored to be displayed to other visitors on the page. Exploit the injection vulnerability on this page, with Security Level set to low, such that any visitor that loads the page afterwards will automatically execute the BeEF hook script located at http://localhost:3333/hook.js. Explain how you were able to exploit this vulnerability, and include the exact string you used.
1 Mark Open a second browser instance as a private window. Load the BeEF control panel in this new browser. Submit a screenshot of the control panel showing that the first browser was hooked successfully.
1 Mark Under the Current Browser ➤ Commands tab, locate and run the Get Geolocation (Third-Party) module. Use any one of ip-api.com, geoplugin.net, or ipinfo.io as the API provider. Comment on the results: how precise was the information returned?
/DVWA/messaging/chats/1036.php on host comp4108.ca:9999. When the request completes, the response will appear as an entry under the History tab. Double-click the entry and expand the Response Body field.
Host changed to www.messenger.com and the path changed to /t/123456789. Comment on the response received: what are the limits of this feature, and why?curl command-line tool to make an authenticated HTTP request to DVWA. cURL is a lightweight tool for transferring data over a protocol such as HTTP. (For its man page, run man curl.) Depending on your OS, this can be accomplished in one of two ways.
curl on your local machine to make a request to http://comp4108.ca:9999/DVWA.curl on your VM to make a request to http://localhost:80/DVWA.curl command you used.
-L and -s will provide you with a slightly cleaner output. You can also pipe the result into grep -E "<title>.+</title>", which will return just the HTML <title> content so you can quickly identify which page you received.