web application security lab

Hacking Your Teachers For Credit

I found this interesting link in my logs to the University of Washington’s CS department coursework. Apparently their assignment (due tomorrow) is to actually get their professors to give up their fake credentials by getting them to click on links. Pretty interesting actually! I’m surprised to see this kind of stuff being taught, but I’m really glad too, because a lot of XSS comes down to input validation basics. It’s exactly the sort of thing that needs to be taught in CS classes, and it’s one that has somehow evaded most schools.

The intense irony in finding this is not lost on me though - I actually failed out of school and now my site is recommended course reading for CSE 490K (an advanced CS class). Maybe I should ask for course credit! Now don’t go and help the students! They have to learn this stuff for themselves! ;)

24 Responses to “Hacking Your Teachers For Credit”

  1. Kyran Says:

    I’m glad this is being taught. Rather excellent. The end of the assignment description even slightly points out the exploits won’t work the same in different browsers. I really hope this is a trend and more basic web security will be taught in CS classes.

  2. kuza55 Says:

    Ok, maybe I’m missing something; but what is this really testing?

    This is testing whether students can find the link to the cheat sheet, search a page for the word meta, and then write some javascript to offload the cookie to another site.

    I’m sorry, but most script kiddies can do that.

    Sure I’m glad that they’re teaching this stuff, but I see this assignment as pointless; if you’re going to assess something, make it something at least slightly difficult, like exploiting a user (any way they want) on a relatively simple site, where the user uses IE (either 6 or 7 - 6 could be more interesting, if students take advantage of unpatched browser bugs), and the cookies are set to httpOnly, and have cookies tied to the browser string/some other stuff, to make it more interesting. So that students have to either conduct a CSRF attack, or steal a user’s password programmatically, or use XST to bypass httpOnly (if the browser is IE6), or use the mhtml bug to read a csrf token (without finding XSS), etc, etc, and give bonus points for originality, and have the class share their findings with each other; now that would be a useful assignment IMO, especially considering this is a supposedly ‘advanced’ class.

  3. Ronald van den Heetkamp Says:

    Haha Kuza…. :D I get your point, but what you name there are pretty advanced things, remember that even most programmers don’t understand them let alone heard of them :)

  4. kuza55 Says:

    @Ronald:
    It’s called a research assignment, it’s an advanced course, they should be able to do research. And obviously I don’t expect anyone to be able to do that in a week (like that assignment), I’d give them a month or so, especially learning from scratch, but I also think that focusing on cookies is the worst thing one could do in any course. It’s what got us into this problem of everyone only thinking about cookies and nothing else, hell it even took me a while to realise that I could do more than steal cookies, and I’d had some exposure to javascript before.

    And the excuse that most people don’t know how isn’t a good excuse.

    And being _able_ to do it isn’t really necessary either, I would think it would be enough to give a theoretical outline of the attack, even, as long as the attack *does* work, e.g. saying that they should use the mhtml bug, but finding out that one of the fixes from this thread was applied: http://sla.ckers.org/forum/read.php?4,9628 wouldn’t be allowed, but it requires you to know when an attack can be conducted, which is what people need to know.

  5. kuza55 Says:

    Just to append some further ideas to the last post; since you’d be giving the class a lengthy amount of time, since you’re not allowing overly simple hacks to work, you’d want to gather all the groups individually and talk to them about how they’re going, help them build some things, etc, maybe point them to some forums, sites, etc, but not do any actual research for them; maybe discussing things with them, if there aren’t too many groups, etc.

    Oh, and I shouldn’t be so harsh on the assessment, it does show that there are ways other than script tags and event handlers to execute javascript, and it illustrates a useful concept, but as an assignment I still think it’s useless, and a bit counterproductive due to its focus on cookies.

  6. Alex Says:

    Wow, this should take only 2 minutes to break 3 times. But they have a week to do that …
    And I agree with Kuza.

  7. Ronald van den Heetkamp Says:

    Well, while we’re at it, let’s throw 10,000 different encoding methods on top. There is way too much information to grasp it all. I learn daily about new techniques and new SQL injection vectors, pretty surprising? Nah not really. Ah well, people have to start somewhere. And where does it read this is “advanced”?

    Okay, they have issues themselves: abstract.cs.washington.edu/htbin-post/unrestricted/mailto2.pl?to=%00nmurphy;sub=%3Cscript%3Ealert(’xss’)%3C/script%3E

  8. kuza55 Says:

    The advanced bit I got from RSnake’s post “CSE 490K (an advanced CS class)”. It might not be an advanced assignment, but the class is supposed to be advanced.

    And if you look, I’m not advocating having people learn everything, nor do I suggest learning all the variations of something; I was more interested in people getting taught about possibilities other than stealing cookies in the payload. The idea is that if you have different groups working on a project where marks are awarded for research and originality, rather than being able to write a simple exploit, you’ll not only be able to get everyone to pool all their research at the end, and let them discuss ideas between each other, but you’ll have people with a sense of how much there is to the client.

    What does being able to steal a cookie and use the meta refresh vector teach the student? It teaches them to search a page (maybe they’ll read the whole page, but I wouldn’t bet on that) for a keyword, and then follow a simple tutorial to write a cookie logger (or maybe figure out how to write one themselves), and a simple piece of javascript to offload the cookies.

    As to encoding methods and actually defeating filters; I’m not completely sure what I think of telling the student more or less what vector they need to use. It does stop them from needing to test enormous amounts of vectors, and it can sort of show them how obscure vectors can be, and (if they look over the cheat sheet) a sense of how much filter evasion stuff there is, but in this form, it just ends up with something which can be found with a simple search of a page you were provided.
    And performing the multitudes of tests needed if the vector needed is unknown would probably bore all the students to death, which is definitely a bad thing.

  9. SethF Says:

    Is it just me, or is the script broken for version 3…

    http://abstract.cs.washington.edu/~nmurphy/cse490k/xss-search.php?query=%3Cmeta%3E%3Cb%3EXSS%3Cscript%3Ealert(’XSS’)%3C/script%3E%3C/b%3E&version=3

    …which works in any browser.

    I am assuming the META tag vulnerability is supposed to look like this:

  10. Kyran Says:

    I’m not going to post the answer, but that’s not it. ;)

  11. Legionnaire Says:

    Security really should be taught in CS classes. Of course in order to learn how to secure a system, first you have to talk about its vulnerabilities and how to exploit them.

    This isn’t a bad thing since, although it may breed some script kiddies, a large majority of the attackers would figure this stuff out anyway. Don’t forget that the “hacking” community has a ton of tutorials, guides and other resources that train future attackers.

  12. Jeremiah Blatz Says:

    @kuza55

    I applaud your pursuit of excellence, but I think your view of the world is maybe a bit skewed. When I graduated from uni, I had a minor in CS, had taken a few 400-level CS classes (at least 1, anyway, it was a while ago), and had taken a few IT management classes. The only times that security was really mentioned was in the IT classes, and that was just in passing. My friends who were CS majors were taught next to nothing about security in their classes, as well. I probably couldn’t have said anything knowledgeable about any aspect of software security.

    Now, of course, I’m some sort of 31337 h4xx0r (or something), and I do assessments on sites where the developers are clearly in the security mindset I was in at my graduation. It doesn’t matter that anyone who regularly reads blogs like this one could make PoC exploits for this homework in about a minute. What matters is that the uni is trying to teach its students that things like XSS exist. And really, these aren’t difficult concepts (anti-anti-anti-DNS pinning aside), it’s pretty much a matter of awareness.

    Also, if you look at the course schedule, the class hadn’t even covered anything web-related at that point, so presumably many of the students don’t even know what XSS is at that point. In that context, a week is probably pretty reasonable.

    Finally, bear in mind that there are probably a large proportion of CISSPs who couldn’t do this assignment without doing a bunch of reading. If you think that a significant proportion of the IT community actually has any hands-on, practical security knowledge, I’m afraid you’re due for some disappointment.

  13. Mephisto Says:

    I used to teach a programming class at the local college. I loved it, but the administration didn’t seem to like my “straying” from the textbook, because I actually built the importance of security into the instruction of the class I was teaching…The importance of input validation, output encoding, etc…

    My favorite part was the final exam where I had the students create a fully functioning web application of their choice (they usually wanted to do an e-commerce one anyway!), they then reviewed each other’s sites and selected the one they liked most. On the last day of class I took the site that got the most votes and hacked it while they watched to demonstrate the importance of security. Some of them stated they had heard of the vulnerabilities (SQL Injection, XSS, etc…), but almost none of them had actually seen these attacks demonstrated and the consequences of them. Hopefully, some eyes were opened and maybe a couple redirected their career path to appsec…who knows… I did of course provide a disclaimer to the “hacking” portion of the class.

    Alas, in the end I was instructed not to stray from the text book and only teach what was in the book itself…needless to say…I quit.

  14. SethF Says:

    Here is the link to the course schedule
    http://www.cs.washington.edu/education/courses/cse490k/CurrentQtr/lectures/index.html

    I found the other assignments interesting as well - especially the security evals. The instructors are also noted in the security field and have been around for a while - so I am guessing it would be a solid and fun course to take.

  15. the_danger Says:

    As a student at the university in discussion, I can tell you that whatever criticisms you may have of the assignment, it represents at least a step up from the usual security awareness taught. I took an internet services class not too long ago and the security section of the class was a two day lecture with nothing you could call in depth. Honestly, the security class itself was added only very recently (I remember reading this was its first quarter being taught).
    That said, I’m not in the class, so I can’t comment too much on it, just to say security is (apparently) not the domain of academia.

  16. Alex Says:

    @SethF:
    As Kuza said: “This is testing whether students can find the link to the cheat sheet, search a page for the word meta, and then write some javascript to offload the cookie to another site.”
    Just do that exactly. :-D

  17. beNi Says:

    haha free .edu xss backlinks - thank you :)

  18. SethF Says:

    Uhg…I know how to do XSS attacks. :)

    The post didn’t come through completely because rsnake wisely blocks tags.

    My point was that there is a bug in the code for version three of the assignment. You can simply insert the word ‘meta’ (with appropriate tags around it) and fool the filter into allowing anything - including the supposedly banned script tags.

    I am assuming the code was written to allow the meta javascript:code trick that has been around for some time…

    Perhaps the bug is there intentionally - either way I thought it was amusing that the XSS project code included an XSS vulnerability that was outside the scope of the project.

  19. Ronald van den Heetkamp Says:

    @Kuza55

    I get your point completely, and agree with it on a few items. :D Though, to my knowledge, you are one of the best I know regarding JavaScript, XSS, and things around it. That is not an easy position, because a lot of people just cannot grasp these things you understand yet.

    If you browse through a programmer’s manual, even there is no trace of XSS, SQL injection, or Null bytes. I have found 1 PHP book so far by Christian Wenz who wrote about it, I’m sure there are others, but not much.

    I still do not know why, but that is reality. First time I found RSnake’s website, my head was blown off with all the possibilities regarding XSS, encoding, this in that browser, some other things in FF. It helped me a TON, and drove me to the point to do my own research and build upon it.

    ’Cause if you spoke to me 2 years ago and talked about some Javascript obfuscation technique in UTF-7 I would have trouble understanding it, and would really listen to what it’s about ’cause I didn’t know. But, at the same time I haven’t had any computer science background, learned it all on my own. Given the fact they don’t teach you this, yeah that is a problem I can agree upon and they should teach it. ;)

  20. Alex Says:

    @SethF:
    Now I understand what you mean.
    I don’t think that the XSS you found was supposed to be in there.

  21. Nick Says:

    As the author of the assignment, allow me to chime in:

    First, the assignment was supposed to be simple. The class as a whole is supposed to be a broad overview of a wide variety of security topics, and we only have limited time. To do an assignment of the scope kuza55 wants would take multiple weeks to complete, let alone the time it would take to construct the assignment (this is the first year the course has been offered, and we are putting things together from scratch on the fly). Keep in mind that the students are not assumed to know javascript or server-side scripting coming into the class, and learning those takes a certain amount of time even before you start hacking on the XSS stuff.

    The point of the assignment was just to get students’ feet wet with the basic idea. What I wanted them to come away with was:

    1) Fundamentally how XSS works (version 1)
    2) That XSS can be done without a script tag (version 2),
    3) That there are different ways to implement an XSS exploit (version 3), and generally
    4) to remember that you need a way to get the value of the cookie back to you once you’ve read it (hence the requirement for a script to gather the cookie info)

    Yes, to some degree you can cut and paste the exploits on this site. We debated a bit about that, but we decided that you couldn’t use them verbatim (you have to understand them well enough to modify them to work for the assignment), and that, again, having the assignment be simple was okay. As I said, we just wanted to get their feet wet.

    Remember these are seniors imminently graduating. Their brains have nearly shut down by this point anyway. ;)

    As for my search engine being broken and subject to a variety of workarounds, well, duh. It’s not supposed to be resilient to, really, anything. I only put some rudimentary checks in there to help students know when they’re not doing something right. Enforcement is done by grading, not by code. If they sneak an exploit in behind the META tag, they won’t get full credit (and they’ve been told that).

    Nick
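SethF’s observation above (a check that lets everything through once a <meta> tag is present) and Nick’s reply that the checks are only rudimentary hints together illustrate why keyword matching on input is not a defence. The following is an added example, not the assignment’s code: a hypothetical reconstruction of such a check beside the context-aware output encoding that actually neutralises the echoed query. The filter logic and the render functions are assumptions; the sample query is the decoded one from SethF’s URL.

```python
import html
import re

# Constructed sample input: the query string from SethF's URL, URL-decoded.
SAMPLE_QUERY = "<meta><b>XSS<script>alert('XSS')</script></b>"


def naive_version3_filter(query: str) -> str:
    """Hypothetical reconstruction of the keyword check SethF describes.

    Once a <meta> tag is present the input is echoed untouched (the assignment
    expects the meta-refresh vector); otherwise <script> tags are stripped.
    This is NOT the assignment's real code; it only models the behaviour
    described in the thread.
    """
    if "<meta" in query.lower():
        return query  # everything passes, including the supposedly banned <script>
    return re.sub(r"</?script[^>]*>", "", query, flags=re.IGNORECASE)


def render_results_naive(query: str) -> str:
    """Echo the query into the page after the keyword filter only."""
    return f"<p>Results for: {naive_version3_filter(query)}</p>"


def render_results_encoded(query: str) -> str:
    """The robust fix: encode for the HTML text context at output time.

    Every '<', '>', '&' and quote becomes an entity, so whatever the query
    contains is displayed as text rather than parsed as markup. No keyword
    list is needed, so there is nothing to sneak past.
    """
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def contains_live_tag(rendered: str) -> bool:
    """Crude reviewer check: does the rendered fragment still contain a real tag?

    It ignores the fixed <p> wrapper and looks for tags that originate from the
    echoed query. Good enough for this illustration, not a general scanner.
    """
    inner = rendered[len("<p>Results for: "):-len("</p>")]
    return re.search(r"<\s*/?\s*[a-z]", inner, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("naive  :", render_results_naive(SAMPLE_QUERY))
    print("encoded:", render_results_encoded(SAMPLE_QUERY))
    print("naive filter leaks a tag:", contains_live_tag(render_results_naive(SAMPLE_QUERY)))
    print("encoding leaks a tag   :", contains_live_tag(render_results_encoded(SAMPLE_QUERY)))
```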

  22. kuza55 Says:

    @Jeremiah Blatz:
    I’m not denying that this is a step forward, I’m just concerned that you’ll get a bunch of people who know nothing about XSS other than that it can be used to steal cookies, and therefore possibly make false assumptions like using Basic Auth or httpOnly will make XSS useless.

    The reason I say this is because if you visit almost any hacking/security forum, you’ll find that there is no discussion about anything other than stealing cookies, and once they find they can’t crack the hash in the cookie because it has an unknown salt, they think that even with an XSS hole you can do nothing to the application. And this is primarily because all the tutorials deal with cookie stealing, and nothing else.

    @the_danger:
    Same thing as above, I understand it’s a step up, but I see no reason to present such a basic concept as an assignment. Sure, teach it, but then have them learn something which gives them a broader view.

    Oh, and I do realise that my proposal of giving them a month or so is probably rather infeasible, taking course schedules into account, etc, but I still stand by my statement, that I don’t think this is a particularly useful assignment.

  23. matthew Says:

    I disagree kuza. The course information says:

    “This course addresses a broad spectrum of issues in computer security and privacy, ranging from cryptography, to systems security, to network security, to usable security. We will explore fundamental challenges in the design and analysis of computer systems that must remain dependable despite the actions of adversaries. The goal of this course is to help you learn how to think about, evaluate, and understand computer security issues.”

    With this in mind I think that the assignment given is quite sufficient for the point of the course. The course is obviously not designed to bring out high-class hackers within a semester. That’s pretty much impossible, even without taking into account that this is not the only course that the students will be doing in this semester.

    The course aims to teach a “broad spectrum of issues in computer security” and when taking the whole of computer security into account, XSS is a pretty minor topic. Lecturers usually have 12 to 14 weeks to play with, and keeping that in mind the timetable would probably only allow 4 weeks for the entire topic of web application security. Even then, you still have the other injection vulnerabilities, redirection vulnerabilities and authentication bypass that must be at least touched upon. Spending the entire four weeks giving a detailed account of XSS attacks should be left to another course, probably entitled Web Application Security.

    This assignment seems perfect for what it’s meant to do: to give students an idea of attacks to be wary of. No students won’t be able to *launch* an attack in the real world using this information, but they probably will never have to. They just need to know the basics of how to go about protecting against it, and gain pointers for further research, such as a link to a blog that contains lots of information about it.

  24. kuza55 Says:

    You’re right matthew, and I did realise that what I was describing initially would be a bit too much to ask for, given the schedule; I should have checked that first before having a little rant, I’m sorry.

    I do still think that you somehow need to show students that XSS attacks extend beyond stealing cookies, because unless you do students will not understand the full ramifications, and how defence in depth can be created.
    Otherwise it’s like teaching people about a buffer overflow without mentioning the idea of overwriting memory structures used by the OS, and just having students overwrite some string/flag which alters program flow. Sure, it shows that buffer overflows are bad, but it gives students a very limited view of how bad it is.

    It’s not as if you need people to be able to write an exploit which submits a form (with nonces) on the user’s behalf (or makes the appropriate XHR calls), you just need people to be able to know that it can be done.

    You could even touch on something as complex as Anti-DNS Pinning because most people (people being people interested in security) only need to know that it allows an attacker to create sockets from a user’s computer due to circumvention of DNS Pinning - how it’s achieved, or even what DNS Pinning is, will be irrelevant to most people who don’t write things which pin DNS, or who actually need to write an exploit, either as proof of the possibility or for more nefarious reasons. As long as people know the possibility, implementation details can generally be found by whoever needs to.