Twitter App and Hacking Competition

In this we were tasked with creating a browser based Twitter application on Apache 2.2 servers running FreeBSD. Our group which consisted of 4 members, including myself, had less than 5 weeks to complete the website. We used SQL for the database, and used cakePHP, PHP, HTML. javascript, and CSS for the formation of the website. At the end of the 5 weeks we had a hack period of 12 hours where we were allowed to run port 80 hacks against the other groups in the class. Every successful hack or vulnerability find netted extra bonus points, while hacks against our own website resulted in negative points.
The purpose of the Twitter application was to build an app that would be usable for a company to manage tweets more effectively for their company. Our’s featured groupings for tweets that allowed tweets to be placed into groups such as: coupons, news, deals, etc. The profile page would then display the company’s tweets in an organized fashion by groups. We also employed three levels of access to the page. The writer was only allowed to write tweets and edit their own tweets.Upon tweeting their tweets would need a publisher or admin to then publish their tweets to push to Twitter. The publisher had all the features of a writer but could also publish tweets and create new groups. The admin user was able to do everything a publisher and writer could with the addition of being able to create and delete users.

The page above is the front facing login page. Upon entering http://group16.cse135.pint.com/ users were prompted with this page. From here and anywhere on the website the search bar at the top right could be used to search the database of tweets. From here users can view the company’s latest tweets. The login features a remember check box.

The profile page is view-able without logging in and shows all tweets organized by groups. There’s also a section that displays @mentions from others on Twitter.

Upon logging in users are prompted with the homepage that displays a log of all tweets in the database. Here users with proper permissions can edit, delete, and see the status of tweets.

Scrolling down the logged in homepage the user can find the reconnaissance section. Here users can search Twitter and view different lists of tweets.

The page to make a tweet allows users to choose up to four groups that the tweet can be grouped into. There’s also a form for the user to select a date and time to allow for tweeting at a later time. This allows companies to set up all tweets to tweet at planned times ahead of time.

——————————————————————————————-

Hacking Competition

The hacking period was the bonus applied to the end of the Twitter App project. Here groups were allowed to do port 80 attacks on one another to expose and take advantage of any security holes of an opposing group. During the hacking no teams were allowed to patch any holes of their own website, and only port 80 attacks were allowed. Each team starts with 12 points and each successful hack awards 4 points, and every hack against you deducts 4 points.
Our Security
 Our team, too_swag, first took to defending ourselves before the start of the hacking. Our defenses started early on with the cloaking of our server type from Apache to swag server. From there all extensions of our webpages were hidden, and no dirty URLs were found or allowed on our webpage. This helped to prevent any SQL injections through the URL. From there we took to protecting all our form inputs from any XSS attacks. Here we took advantage of cakePHP’s security component. We also disallowed the use of any symbols in any inputs to avoid any XSS by sanitizing any form inputs.
Hacks and Holes I Found
I started the hacking session by going to each of the other 13 groups’ webpages by checking the vulnerability of their login. I did this by using ‘OR”=’ as password and username on all pages to try and fool their SQL database. I was successful with one group and was able to freely operate throughout their website.


Next I proceeded to check any form inputs for lack of sanitizing. The first group I found I was able to easily add any html or script to their search of any length. I showed it above by running a simple html image tag.


The next I found allowed the use of <, >, =, and other symbols in their search, but disallowed the use of quotes. To bypass this i ran this script <iframe src=http://group16.cse135.pint.com< to bypass the need of quotes. From here I was able to run our own page, exposing a huge hole of any page can be run from it.


This group’s search was the same as the first one that allowed the use of any symbols of any length again. So it was very exposed to scripts. I exposed it here with an image tag.


This last group’s search did feature some sanitizing, in that I couldn’t just run a normal alert script or html tags. I was however able to work around it with this:

;alert(String.fromCharCode(<wbr>88,83,83))//\';alert(String.<wbr>fromCharCode(88,83,83))//";<wbr>alert(String.fromCharCode(88,<wbr>83,83))//\";alert(String.<wbr>fromCharCode(88,83,83))//--></<wbr>SCRIPT>">'><SCRIPT>alert(<wbr>String.fromCharCode(88,83,83))<wbr></SCRIPT>
Advertisements