FIT3173 Software Security Assignment 2 (S1 2023)


Total Marks 50

Due on May 12, 2023, Friday, 11:55 pm

1   Overview

The learning objective of this assignment is for you to gain first-hand experience of how to exploit SQL injection and cross-site scripting vulnerabilities as discussed in this module. All tasks in this assignment can be done on "SeedVM" as used in the labs. Please refer to Section 2 for submission notes.

2   Submission

You need to submit a lab report (one single PDF file) describing what you have done and what you have observed, with screenshots whenever necessary; you also need to provide an explanation or code for any observations that are interesting or surprising. In your report, you need to answer all the questions listed in this manual. Please answer each question using at most 200 words. Typeset your report into .pdf format (make sure it can be opened with Adobe Reader) and name it in the format [Your Name]-[Student ID]-FIT3173-Assignment, e.g., HarryPotter-12345678-FIT3173-Assignment.pdf.

All source code, if required, should be embedded in your report. In addition, if a demonstration video is required, you should record your screen demonstration with your voice explanation and upload the video to your Monash Google Drive or any online service that allows you to share videos. The shared URL of the video should be mentioned in your report wherever required. You can use this free tool to make the video: https://monash-panopto.aarnet.edu.au/ ; other tools are also fine. Then, please upload the PDF file to Moodle. Note: the assignment is due on May 12, 2023, Friday, 11:55 pm.

Late submission penalty: 10 percent (5 marks) deduction per day. If you require special consideration, the application should be submitted and notified at least three days in advance. Special Considerations are handled and approved by the faculty, not by the teaching team (unless the special consideration is for a short extension of one or two days).

Zero tolerance on plagiarism: If you are found cheating, penalties will be applied, i.e., a zero grade for the unit. University policies can be found at https://www.monash.edu/students/academic/policies/academic-integrity

3   SQL Injection Attack – Using SQLi Lab [25 Marks]

In this part, we modify a web application called SQLi Lab, which is designed to be vulnerable to SQL injection attacks. Although the vulnerabilities are artificially created, they capture common mistakes made by many web developers. Your goal in this part is to find ways to exploit the SQL injection vulnerabilities, demonstrate the damage that can be achieved by the attacks, and master the techniques that can mitigate such attacks.

The database of SQLi Lab, named Users, can be inspected and manipulated after logging in to the MySQL console with the following commands:

mysql -u root -pseedubuntu
show databases;
use Users;
describe credential;

3.1   Warm Up: Countermeasure for SQL Injection Attacks

In the lab session, you have already conducted SQL injection attacks with SELECT and UPDATE statements. In this warm-up part, we are going to use prepared statements to tackle the above attacks.  We will use UPDATE statements as the example.

Setup Remark: You need to set read/write permission for the seed user on the current website directory before doing this task by running the commands below in your terminal. Note that the . is important: it indicates the path to the current directory. This makes the whole web root world-writable, which is acceptable only inside the throwaway lab VM and should never be done on a real server.

$ cd /var/www/SQLInjection/
$ sudo chmod -R 777 .

In this task, you need to use prepared statements as a countermeasure against SQL injection attacks. Here is an example of how to write a prepared statement, based on the SELECT statement from Task 1 of the lab.

$sql = "SELECT id, name, eid, salary, birth, ssn,
        phoneNumber, address, email, nickname, Password
        FROM credential
        WHERE name= '$input_uname' and Password='$hashed_pwd'";

You can use a prepared statement to rewrite the above code, which is vulnerable to SQL injection, as follows. The SQL text now contains only ? placeholders; the user-supplied values are bound separately and are sent to the server as data, so they can never change the structure of the query:

$stmt = $conn->prepare("SELECT id, name, eid, salary, birth, ssn,
                        phoneNumber, address, email, nickname, Password
                        FROM credential
                        WHERE name= ? and Password= ?");
// "ss": both placeholders are bound as strings, in order.
$stmt->bind_param("ss", $input_uname, $hashed_pwd);
$stmt->execute();
// Map each selected column onto a PHP variable, in SELECT order.
$stmt->bind_result($id, $name, $eid, $salary, $birth, $ssn,
                   $phoneNumber, $address, $email, $nickname, $pwd);
// Populate the bound variables with the first (and only) matching row.
$stmt->fetch();



Practice Task: Follow the above steps to fix the SQL injection vulnerability of the UPDATE statement on the Edit Profile page. Then, check whether you can still exploit the vulnerability or not.

Hint: the UPDATE statement is located in unsafe_edit_backend.php.
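As an added illustration of the same countermeasure applied to an UPDATE (this is example code written for this page, not the lab's own unsafe_edit_backend.php), the following shows a string-concatenated profile update next to its prepared-statement rewrite. The column set (nickname, email, address, phoneNumber, Password, ID) is assumed from the SELECT above; the real statement in the lab file may use different columns, and $conn, $id and the form values are assumed to be provided by the surrounding page.

```php
<?php
// Added example, not the lab's own code. Column names are assumed from the
// SELECT shown in the warm-up; check unsafe_edit_backend.php for the real ones.

// Assumed context: $conn is an open mysqli connection, $id is the logged-in
// user's ID (from the session), the remaining values come from the edit form.

// Vulnerable form: every value is spliced into the SQL text, so a crafted
// nickname can close the quote and append further SET clauses (e.g. changing
// a column the form never exposes) or alter the WHERE clause entirely.
function update_profile_unsafe(mysqli $conn, int $id, string $nickname,
                               string $email, string $address,
                               string $phone, string $hashed_pwd): bool {
    $sql = "UPDATE credential SET nickname='$nickname', email='$email', "
         . "address='$address', phoneNumber='$phone', Password='$hashed_pwd' "
         . "WHERE ID=$id";
    return $conn->query($sql) !== false;
}

// Hardened form: the statement text is fixed at prepare() time and contains
// only placeholders; the values travel separately as typed parameters and
// cannot change the statement's structure, whatever characters they contain.
function update_profile_safe(mysqli $conn, int $id, string $nickname,
                             string $email, string $address,
                             string $phone, string $hashed_pwd): bool {
    $stmt = $conn->prepare(
        "UPDATE credential SET nickname=?, email=?, address=?, "
      . "phoneNumber=?, Password=? WHERE ID=?");
    if ($stmt === false) {
        return false;            // prepare() fails on a malformed statement
    }
    // Type string "sssssi": five strings followed by one integer, matching
    // the placeholders left to right.
    $stmt->bind_param("sssssi", $nickname, $email, $address,
                      $phone, $hashed_pwd, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

Note that placeholders can only stand for values. They cannot replace an identifier or a keyword, such as the column name or the ASC/DESC direction of an ORDER BY clause; those parts of a query must instead be checked against a fixed allow-list before being concatenated.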

3.2   Task 1: SQL Injection via Stacked Queries [Max 25 Marks]

In this task, you need to perform SQL injection attacks to achieve different adversarial goals.

We have extended SQLi Lab to assist you in completing this task. You need to download all the PHP source files unsafe_home.php, unsafe_edit_frontend.php, unsafe_task_load.php, unsafe_view_order.php and unsafe_tasks_view.php from Moodle and place them in the same website directory. For instance, you can use the commands below to copy the file unsafe_home.php located in /home/seed/Documents to that website directory.

$ su root
Password: (enter root password "seedubuntu")
# cp /home/seed/Documents/unsafe_home.php /var/www/SQLInjection/

We also upgraded the database of SQLi Lab to enrich the website's features. That is, a user can add tasks, set a task sort preference, and view all his/her declared tasks. Note that you need to download a database script file, script.sql, from Moodle and execute it in the MySQL console before you can use these new features. For instance, you can use the commands below to execute that script when it is stored in /home/seed/Documents. The execution will update your database schema and insert new data as follows:

mysql -u root -pseedubuntu
show databases;
use Users;
source /home/seed/Documents/script.sql

• Table tasks(TaskID,Name,Hours,Amount,Description,Owner,Type) stores the tasks of users, in which tasks(Owner) is a foreign key referring to credential(ID). Hence, only existing users in the table credential can create new tasks.

You can use the command describe tasks; to learn more about this table's schema.

• Table preference(PreferenceID,favourite,Owner) records the task sort preference of users, in which preference(Owner) is a foreign key referring to credential(ID). Existing users can select one of the task fields as their sorting preference. For instance, the following figure demonstrates how Alice can set her preference to Hours, increasing. You can use the command describe preference; to learn more about this table's schema.


• Function userIdMaxTasks() returns the ID of the user who has the maximum number of tasks in your database. In the MySQL console, you can use the command select userIdMaxTasks(); to retrieve that result.

• Function generateRandomUser() adds a new random user (with a random Name and Password) to the table credential. In the MySQL console, you can use the command select generateRandomUser(); to perform this addition.

• Function getNewestUserId() returns the ID of the most recently created user in the table credential.

• Stored procedure copyTasksToUser(in userID int(6) UNSIGNED) copies all tasks of other users to the user having that userID. You need to make sure the user with that userID exists in the table credential before using this stored procedure. For instance, in the MySQL console, you can use the command call copyTasksToUser(6); to copy all tasks of other users to an existing user with userID=6.

Q1: In a normal scenario, a user can add a new task multiple times and update his/her view preference with sorting by asc or desc. However, the website is vulnerable to SQL injection when the user views all tasks. You can choose one of the following options to complete this task, but only option 2 allows you to obtain the full marks for this question. Note that you will get 0 marks if you complete the task without performing SQL injection via the web application (i.e., by manipulating the database manually in the MySQL console).

Option 1 (10 marks): You need to perform the attack so that, when you view your tasks, all the tasks of the user who has the maximum number of tasks are displayed. Provide your video demonstration as evidence to support and verify that you have performed the attack and that it worked successfully. Also, briefly explain how your solution achieves the attack goal. [Marking scheme: In your recording, 5 marks are given if the attack runs successfully; 10 marks are only given if you have a solid demonstration and explanation of how you inject queries and why the attack works in your case.] You need to embed your video link in your report so that the teaching team can view and verify your work.

If you achieve the adversarial goal successfully, you will obtain a result like the following figure. Note that the second table in the figure displays the tasks of that victim.


Option 2 (15 marks): Two tasks:

1. Perform a sequence of the SQL injection attacks in order to transfer all the tasks of users to a new malicious user that you created. Note that creating that malicious user also has to be done by using the SQL injection attack. [10 Marks]

If you achieve the adversarial goal successfully, you will obtain a result like the following figure. Note that the second table in the figure displays the malicious user, who now has the maximum number of tasks. The first table is blank because no task remains for the user Ted.


2. Find out the username of the malicious user that you created in the first step, and change its password to your student ID. Show a successful login to the application. [5 Marks]

Provide your video demonstration as evidence to support and verify that you have performed the attacks and that they worked successfully. Also, briefly explain how your solution achieves the attack goal. You need to embed your video link in your report so that the teaching team can view and verify your work.

Q2 (5 marks): This question is independent of your selected option in Q1. In this question, you need to perform a SQL injection attack on SQLi Lab that degrades the performance or availability of your MySQL server.

[Marking scheme: In your recording, 3 marks are given if the attack runs successfully; 5 marks are only given if you have a solid demonstration and explanation of how the attack works in your case.] You need to embed your video link in your report so that the teaching team can view and verify your work.

Hint: you can delay the query execution or shut down your MySQL server when a user views his/her declared tasks.

Q3 (5 marks): Can the prepared statements used in the warm-up task mitigate a second-order SQL injection attack? Why or why not? You do not need to change the PHP source files for this question; only a theoretical explanation is required. [Marking scheme: 5 marks for a solid explanation of why prepared statements can/cannot be used to mitigate second-order attacks.]

4   Cross-Site Scripting (XSS) Attack – Using Elgg [25 Marks]

To demonstrate what attackers can do by exploiting XSS vulnerabilities, we have set up a web application named Elgg in our pre-built Ubuntu VM image. Elgg is a very popular open-source social networking web application, and it has implemented a number of countermeasures against the XSS threat. To demonstrate how XSS attacks work, we have commented out these countermeasures in our Elgg installation, intentionally making it vulnerable to XSS attacks. Without the countermeasures, users can post arbitrary content, including JavaScript programs, to their user profiles. You need to exploit this vulnerability by posting malicious content to a profile; users who view that profile will become victims.

4.1    Task 1: Modifying the Victim’s Profile [10 Marks]

The objective of this task is to modify the victim's profile when the victim visits Samy's page. We will write an XSS worm to complete the task. The worm must:

1. Send a message from the victim's profile to Samy containing the victim's browser cookie.

2. Add Samy as a friend in the victim's profile.


We need to write a malicious JavaScript program that forges HTTP requests directly from the victim's browser, without any intervention by the attacker. To modify the profile, we should first find out how a legitimate user edits or modifies his/her profile in Elgg. More specifically, we need to figure out how the HTTP POST/GET request that modifies a user's profile is constructed. We will use Firefox's HTTP inspection tool for this. Once we understand what the modify-profile HTTP POST/GET request looks like, we can write a JavaScript program to send out the same request. We provide skeleton JavaScript code that aids in completing the task.

The provided code should be placed in the "About Me" field of Samy's profile page. This field provides two editing modes: Editor mode (default) and Text mode. The Editor mode adds extra HTML code to the text typed into the field, while the Text mode does not. Since we do not want any extra code added to our attack code, Text mode should be enabled before entering the JavaScript code. This can be done by clicking on "Edit HTML", which can be found at the top right of the "About Me" text field.

Q1 (10 marks): Accomplish the above attack, and provide screenshots in your report with the corresponding explanation to support and verify that you have performed the attack and that it worked successfully. [Marking scheme: 2 marks for the screenshots in the report, and 8 marks for the explanation and solution in the report]

Hint: You may use the HTTP inspection tool to see what the HTTP request looks like.

4.2   Task 2: Writing a Self-Propagating XSS Worm [15 Marks]

In this task, you need to create an advanced XSS worm that can propagate itself. Namely, whenever someone views an infected profile, not only will their profile be modified, but the worm will also be copied into their profile, further affecting others who view these newly infected profiles.

The malicious code uses DOM APIs to retrieve a copy of itself from the web page, and sends HTTP POST/GET requests to modify other users' profiles. You should embed this code into the malicious user's (i.e., Samy's) profile in order to accomplish the above attack.

Q2 (15 Marks): You need to fill the "About Me" field in Samy's profile with the malicious code (see the figure below), and use Alice's account to access Samy's page to see what happens. Then, use Boby's account to access Alice's page. Provide a video demonstrating your observations with sufficient explanation. You need to upload your demo video to your Monash Google Drive and embed its shared link in your report so that the teaching team can view and verify your work.

[Marking scheme: In your recording, 5 marks are given if the attack runs successfully; 10 marks are only given if you have a solid demonstration and explanation of how the attack works]

Note: Partially filled code is provided for this task.



This assignment is based on the SEED project (Developing Instructional Laboratories for Computer SEcurity EDucation) at http://www.cis.syr.edu/~wedu/seed/index.html.