Commit d701a05b authored by Jonathan Jogenfors

Some rewrites for 2019

parent 6defcf0d
......@@ -6,7 +6,6 @@
\usepackage[utf8]{inputenc}
\usepackage{lmodern}
\usepackage{csquotes}
\usepackage{todonotes}
\usepackage{savesym}
\usepackage{pdflscape}
\usepackage{rotating}
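Review bot: dropping \usepackage{todonotes} will break the build if any \todo{...} or \missingfigure{...} macro is still used anywhere in the sources; grep for \todo before merging, or keep the package as \usepackage[disable]{todonotes} so stale notes silently vanish instead of failing compilation.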
......@@ -29,18 +28,10 @@
\usepackage[colorlinks=true,linkcolor=blue,urlcolor=blue,citecolor=blue]{hyperref}
\usepackage{comment}
\usepackage{lmodern}
\usepackage[style=numeric-comp,url=false,backend=biber,%
firstinits=true,sorting=none,sortfirstinits=true,clearlang=true,%
maxnames=3,minnames=1,uniquename=false,%
maxbibnames=10
]{biblatex}
\pdfminorversion=6
\restoresymbol{HR}{pdfbookmark}
\usepackage{cleveref}
\graphicspath{{./images/}}
\addbibresource{references.bib}
\definecolor{theWhite}{gray}{0.9}
\definecolor{theBlack}{gray}{0.2}
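Review bot: removing the biblatex block and \addbibresource{references.bib} leaves any remaining \cite{...} or \printbibliography undefined, so check the body for citations before merging. Minor: \usepackage{lmodern} is now loaded twice (once in the first hunk and again just above the removed biblatex lines); one of them can go.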
......@@ -61,12 +52,11 @@ maxbibnames=10
\begin{document}
\date{\today}
\author{Jonathan Jogenfors\\Niklas Johansson\\ Guilherme Xavier\\
%\href{mailto:jonathan.jogenfors@liu.se}{\texttt{\small{jonathan.jogenfors@liu.se}}}\\
\small{Information Coding Group}\\\small{Department of Electrical
Engineering, Linköping University}
Engineering, Linköping University}
}
\title{LiU TopDog Hacking Challenge \\~\\ \large{TSIT01, TSIT02
Computer Security\\ Linköping University}}
\title{TopDog Hacking Challenge: \\ A Good Offense is the Best Defense \\~\\ \large{TSIT01, TSIT02
Computer Security}}
\maketitle
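Review bot: \large{...} in the new title and \small{...} in the author block are font-size switches, not commands that take an argument; the braces do not limit their scope, so they only work here because nothing follows them inside \title{} and \author{}. Write {\large TSIT01, TSIT02 Computer Security} and {\small Information Coding Group} instead, which also survives later edits that append text.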
......@@ -89,11 +79,12 @@ practical security work and understand some common pitfalls when developing web
applications. After the lab you should be well-equipped to avoid these security
issues whenever you develop your own web application.
\section{Lab organization}\label{sec:lab_organization}
This lab will run from the starting date to the end of the exam period. The lab system is
publicly available and you can work on the assignments in your own time on the
lab computers or your personal laptops. The progress will be stored on the
server so you can come back at any time.
\section{Lab Organization}\label{sec:lab_organization}
This lab will run from the starting date until it closes. The lab
system is publicly available and you can work on the assignments in your own
time on the lab computers or your personal laptops. As the server is reachable
from the Internet, you can also work from home if you so choose. The progress
will be stored on the server so you can come back at any time.
There are scheduled sessions where the assistant will be available at his or her
office to provide assistance. Plan carefully, because time will be limited for
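Review bot: "from the starting date until it closes" loses the concrete end the old text gave (end of the exam period) and reads circularly. Since the dates now live in the Deadlines section, say "until the end date given in \cref{sec:deadline}" so students are pointed at the one place that will be kept current.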
......@@ -102,20 +93,23 @@ Think drop-in, so no booking is required.
For other questions please see \cref{sec:contact}.
\section{Deadlines}\label{sec:deadline}
The lab must be finished before the end
of the exam period. Shortly after, the TopDog server will be shut down, so you
can't do the lab after this date. If you don't complete the assignments before
the deadline, you will have to do the lab next year.
\section{Deadlines}\label{sec:deadline}
The lab starts on the $22^{nd}$ of November 2019 at (TBA o'clock). The lab must
be finished before the end date (TBA, January 2020). At this time, the
assignments will be disabled an no more progress can be done. If you haven't
finished the lab by this date you will have to re-take the lab next year.
Winner of the competition
will be the leader of the scoreboard by 5 pm the day before the (first) guest lecture (the scoreboard will lock at this point).
There is also another, soft deadline. At 5 PM on the $9^{th}$ of December 2019
the competitive part of the lab ends and the scoreboard will lock. No more
points or medals will be awarded at this point. The next day, just before the
guest lecture, there will be a small ceremony for the winners.
\section{Disciplinary stuff}
You are expected to do the lab in your own.
Co-operation is allowed and encouraged. You are expected to understand and
follow the university-wide rules for disciplinary matters, as for any other
examination you are not allowed to cheat.
\section{Disciplinary Stuff}
Each individual student is expected to perform the lab in order to pass.
However, you are allowed (and encouraged!) to cooperate is allowed and
encouraged. You are expected to understand and follow the university-wide rules
for disciplinary matters, as for any other examination you are not allowed to
cheat.
\section{Ethics}
This lab and what you learn is for educational purposes only. Do not attempt to
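Review bot: the Disciplinary Stuff paragraph contains a merge leftover, "you are allowed (and encouraged!) to cooperate is allowed and encouraged"; it should read "you are allowed (and encouraged!) to cooperate." Also, in Deadlines, "an no more progress can be done" should be "and no more progress can be made", and the two TBA placeholders (the start time and the January 2020 end date) need filling before this is published, since students are told the assignments are disabled at that point.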
......@@ -123,7 +117,7 @@ use these techniques without authorization. If you are caught engaging in
unauthorized hacking, most companies will take legal action. \textbf{Claiming that you
were doing security research will not protect you.}
\section{Contact information}\label{sec:contact}
\section{Contact Information}\label{sec:contact}
To get in touch with the lab assistant, please send e-mail to the e-mail address
below corresponding to your course. The course homepage always contains the
latest version of this document, so be sure to check it out regularly.
......@@ -131,113 +125,82 @@ latest version of this document, so be sure to check it out regularly.
\subsection{TSIT01 Datasäkerhetsmetoder}
\begin{description}
\item[Course homepage:] \url{http://www.icg.isy.liu.se/courses/tsit01/}
\item[Lab E-mail:] \href{mailto:tsit01-lab@isy.liu.se}{\texttt{tsit01-lab@isy.liu.se}}
\item[Lab e-mail:] \href{mailto:tsit01-lab@isy.liu.se}{\texttt{tsit01-lab@isy.liu.se}}
\end{description}
\subsection{TSIT02 Computer Security}
\begin{description}
\item[Course homepage:] \url{http://www.icg.isy.liu.se/courses/tsit02/}
\item[Lab E-mail:] \href{mailto:tsit02-lab@isy.liu.se}{\texttt{tsit02-lab@isy.liu.se}}
\item[Lab e-mail:] \href{mailto:tsit02-lab@isy.liu.se}{\texttt{tsit02-lab@isy.liu.se}}
\end{description}
\chapter{Preparing for the lab}
\textbf{Begin by reading through the entire lab PM}. Remember to regularly check the
course homepage to see if we updated the PM, as we continuously improve the lab.
%
%\section{Lab group}
%First, you need to find a partner to work with. All students are expected to
%work in groups of two. If this is not possible, please contact the lab
%assistant. When you have somebody to work with you will need to choose a
%username and password to use on the TopDog server. Each group of two
%will have an account, so you will need to choose a username and password for the
%group. Please note the following:
%\begin{enumerate}
% \item Your username (not password) is public and will be shown to to the
% entire university on the scoreboard (which is shown on monitors around
% the campus).
% \item We reserve the right to ban stupid and/or offensive usernames for any
% reason.
% \item Both of you will have the password, so choose a password you don't use
% anywhere else.
% \item The password storage in TopDog is hashed and salted, however do not
% use a password that you care about.
%\end{enumerate}
%Tip: Generate a random password
%and write it down on a note in your wallet, or use a password manager!
\section{User accounts}\label{sec:register}
If you are register to the course, you will automatically have an account. If you are not registered, you need to contact a \href{https://www.lith.liu.se/studievagledning?l=en\&sc=true}{study chancellor}.
Now go to
\href{http://snickerboa.it.liu.se}{http://snickerboa.it.liu.se} and click on "login via SAML" and login with your LiU-id. If you don't wish your LiU-id to show on the scoreboard, you can change to a name of your choosing (at first login, if you want to change it again you need to contact us). However, we reserve the right to ban stupid and/or offensive user names for any reason.
%register an account, see \cref{fig:login}. Note that the registration link is
%hidden and must be typed just like that. The registration screen is shown in
%\cref{fig:register}. Note that registration requires you to type in the correct
%\texttt{passcode}, which is found in Lisam. The passcode is to discourage people
%outside the course to do the lab and appear on the scoreboard. Please do not
%share the passcode.
%\begin{figure}
% \centering
% \includegraphics[width=.9\linewidth]{register.png}
% \caption{The TopDog registration page.\label{fig:register}}
%\end{figure}
%
%Next, return to the login screen and login with your credentials. If you
%succeeded, you will be greeted with \enquote{Let's get
%started!}. This means you logged in. If the login fails, please double-check the
%login username and password before contacting us (see \cref{sec:contact}).
%
%\begin{figure}
% \centering
% \includegraphics[width=.9\linewidth]{login.png}
% \caption{The TopDog login page.\label{fig:login}}
%\end{figure}
\section{Logging In}\label{sec:register}
If you are registered for the course, you will automatically have an account. If
you are not registered, you need to contact a
\href{https://www.lith.liu.se/studievagledning?l=en\&sc=true}{study counselor}.
Note that course registration is compulsory for all examination, not just the
lab!
Now go to \href{http://snickerboa.it.liu.se}{http://snickerboa.it.liu.se} and
click on \enquote{Login via SAML} and login with your LiU-id. In the next step
you are free to choose how your name will be displayed on the scoreboard. The
scoreboard is publicly available and is also displayed on screens around campus,
so it can be a good idea not to use your real name. Note that once this name is
set you can not change it again\footnote{If you really want to change it, please
contact us.}. We reserve the right to ban stupid and/or offensive user names for
any reason.
\chapter{Performing the Lab}
TopDog contains a number of modules that cover different topics in
web pentesting.
The lab contains a number of modules that cover different topics in web
penetration testing.
\section{Assignments}\label{sec:assignments}
In order to pass the lab, you are required to finish all 21 assignments (see \cref{sec:list_of_ass}). In
order to prepare yourself for the assignments, there are also lessons which give
a gentle introduction to the topic at hand. You can solve the assignments in any
order you want.
There are also challenges which can be performed if you wish to try your luck.
Note that the lab assistant will not help you with the challenges, you have to
do your own research here.
In order to pass the lab, you are required to finish all 21 assignments (see
\cref{sec:list_of_ass}). In order to prepare yourself for the assignments, there
are also lessons which give a gentle introduction to the topic at hand. You can
solve the assignments in any order you want.
\section{Result keys}
There are also extra challenges, beyond what we require for a passing grade, if
you wish to try your skill. Note that the lab assistant will not help you with
the challenges, you have to do your own research here.
\section{Result Keys}
For each lesson and challenge your goal is to retrieve the so-called
\enquote{result key}. When you finish a lesson or challenge, TopDog
\enquote{result key}. When you finish a lesson or challenge, the server
detects that \enquote{it has been hacked} and gives you the key. Paste this key
into the box on top, shown in \cref{fig:resultkey}. Depending on
the module the format of the result key can vary, but it might look something
the assignment at hand, the format of the result key can vary, but it might look something
like the following:
\commandline{resultkey.txt}
\begin{figure}[b]
\begin{figure}
\centering
\includegraphics[width=.8\linewidth]{resultkey.png}
\caption{Example of result key and where to paste it.}\label{fig:resultkey}
\end{figure}
Whenever you receive a result key, paste it to the \enquote{Submit Result Key
Here} box on the top of the screen.
Here} box on the top of the screen. Don't even think of brute-forcing the key,
there are detection mechanisms in place and this can be considered cheating.
Also, each student will get an individual result key, and sharing keys with your
friends is easily detected and not allowed.
\section{Best Practices}
It is a good idea to keep notes of how you pass each challenge. While your
progress on the server is backed up frequently we can never be too sure. Save
your notes so you can get back to where you were in case of a catastrophic
server failure.
progress on the server is backed up frequently we can never be too sure. An
important part of computer security is to have a disaster recovery plan, and if
the database was affected by corruption some written notes can help you recover
faster.
\section{Scoreboard}
Whenever you finish a lesson, assignment, or challenge, it will show up on the
LiU TopDog scoreboard. The scoreboard is public, and anybody can see the
scoreboard. The scoreboard is public, and anybody can see the
progress of the participants. In addition, the scoreboard will be displayed
on monitors around café java.
on monitors around campus, especially around Cafe Java in the B-building.
The scoreboard is just for fun, and in order to pass you are only required to
finish the assignments. If you have finished the assignments and want more
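Review bot: the login link in Logging In points at http://snickerboa.it.liu.se while the ZAP appendix shows the site as https://snickerboa.it.liu.se; since students follow this link to authenticate with their LiU-id via SAML, link the https URL directly rather than relying on the server to redirect before credentials are sent. Smaller fixes in the same hunk: "compulsory for all examination" should be "all examinations", "you can not change it again" should be "cannot", "paste it to the ... box" should be "paste it into", and "Don't even think of brute-forcing the key, there are detection mechanisms in place" is a comma splice (use a semicolon or split the sentence).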
......@@ -248,12 +211,14 @@ will receive points, so the more challenges you finish, the more bragging rights
you have. Also, harder challenges give more points.
Your name will not appear on the scoreboard until you have finished your first
challenge. There is also a small bonus for being the first student to
finish a given lesson or challenge in the form of medals. A gold medal is
awarded to a group who finishes a lesson or challenge nobody else has finished
yet. A silver medal is given to the second one, and bronze to the third. In the
scoreboard there will therefore be users with medals in addition to the normal
point score. These medals are not worth any points, but will be used as tiebreakers!
challenge. Also, there are medals! A gold medal is awarded to the student who
finishes a lesson or challenge nobody else has finished yet. A silver medal is
given to the second one, and bronze to the third. In the scoreboard there will
therefore be users with medals in addition to the normal point score. These
medals are not worth any points, but will be used as tiebreakers in the
competition. In order to break a tie, we first count the gold medals, then the
silver medals, and then the bronze medals. After this, we will draw lots if
needed.
But remember, the scoreboard is just for fun. It has nothing to do with actually
passing the lab.
......@@ -261,12 +226,12 @@ passing the lab.
\begin{figure}
\centering
\includegraphics[width=.9\linewidth]{scoreboard.png}
\caption{The TopDog scoreboard from 2016. Note the medals on some of the usernames.}
\label{fig:scoreboard}
\caption{The TopDog scoreboard from 2016. Note the medals on some of the
usernames.\label{fig:scoreboard}}
\end{figure}
\end{landscape}
\section{List of lessons}
\section{List of Lessons}
The following lessons are available:
\begin{description}\label{sec:lessons}
\item[Broken Session Management]
......@@ -281,7 +246,7 @@ The following lessons are available:
\item[Unvalidated Redirects and Forwards]
\end{description}
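Review bot: \label{sec:lessons} sits on the \begin{description} line rather than on the \section line; it resolves to the section only because description steps no counter. Move it to \section{List of Lessons}\label{sec:lessons} to match how sec:list_of_ass is labelled in the next hunk.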
\section{List of assignments}\label{sec:list_of_ass}
\section{List of Assignments}\label{sec:list_of_ass}
Below are the required assignments (there are hidden hints!):
\begin{description}
\item[Session Management Challenge 1]
......@@ -294,7 +259,8 @@ Below are the required assignments (there are hidden hints!):
\item[Session Management Challenge 3]
\item[SQL Injection 1]
\item[SQL Injection 2]
{\color{white}The server first checks if the query contains \emph{one} @ before processing it!}
{\color{white}The server first checks if the query contains \emph{one} @
before processing it!}
\item[Insecure Cryptographic Storage Challenge 1]
\item[Insecure Cryptographic Storage Challenge 2]
{\color{white}Here, \enquote{2d cipher} refers to the
......@@ -308,79 +274,94 @@ Below are the required assignments (there are hidden hints!):
\item[Failure to Restrict URL Access 1]
\item[CSRF 1]
\item[Cross Site Scripting 2]
{\color{white}Now the XSS filter is getting more clever,
but it's not perfect. Check the source code of the HTML returned from
the server to see which commands are filtered and which are not. Use the
hints from the slides.}
{\color{white}Now the XSS filter is getting more clever, but it's not
perfect. Check the source code of the HTML returned from the server
to see which commands are filtered and which are not. Use the hints
from the slides.}
\item[Session Management Challenge 4]
{\color{white}Can you guess a Session ID? It should
{\color{white}Can you guess a Session ID\@? It should
be somewhat larger than 20.}
\item[Failure to Restrict URL Access 2]
\item[Cross Site Scripting 3]
\item[Insecure Cryptographic Storage Challenge 3]
{\color{white}There are a number of ways
to defeat the crypto and get the encryption key in this challenge. The
quickest way is to submit base64 encoded spaces.}
{\color{white}There are a number of ways to defeat the crypto and get
the encryption key in this challenge. The quickest way is to submit
base64 encoded spaces.}
\item[SQL Injection 3]
{\color{white}To complete this challenge, you must craft a second
statement to return Mary Martin's credit card number as the current
statement only returns the customerName attribute. Note that the UNION
statement isn't filtered!}
statement only returns the customerName attribute. Note that the
UNION statement isn't filtered!}
\item[Insecure Direct Object Reference Bank]
{\color{white}To complete this challenge you
must first register an account. The account must have a unique name. The
next step is to click the refresh balance button. Capture this request, and
replay it with different account numbers until you find one with cash. If
you are the first person to attempt this challenge, the account number 1
should have 10 million in it. You should be able to figure out the rest.
See \cref{sec:faq-bank} if there's not enough money anywhere!}
must first register an account. The account must have a unique name.
The next step is to click the refresh balance button. Capture this
request, and replay it with different account numbers until you find
one with cash. If you are the first person to attempt this
challenge, the account number 1 should have 10 million in it. You
should be able to figure out the rest. See \cref{sec:faq-bank} if
there's not enough money anywhere!}
\end{description}
\chapter{Contributing to the lab}
We think the CTF lab is a great way to teach, and want to encourage you to submit your ideas and feedback to us. Do visit our \href{https://gitlab.liu.se/topdog/ctf-lab-pm}{internal project page}, where you can help us out! This is the LiU GitLab server, and you can file an issue by clicking on the issues link shown in \cref{fig:issues}.
\begin{figure}
\centering
\includegraphics[width=.9\linewidth]{issues.png}
\caption{Click on Issues to file an issue report.}
\label{fig:issues}
\end{figure}
We think that this lab is a great way to teach important concepts in information
security, and want to encourage you to
submit your ideas and feedback to us. Do visit our
\href{https://gitlab.liu.se/topdog/ctf-lab-pm}{internal project page}, where you
can help us out! This is the LiU GitLab server, and there are several ways of
helping out.
\section{Submit a Bug Report}
If you run into a bug, you are encouraged either to contact us directly, or file
a bug report on \href{https://gitlab.liu.se/topdog/ctf-lab-pm}{gitlab}. Click
the link shown in \cref{fig:issues} and fill out the details. The more specific
you can be, the more you will be able to help us
out!
\section{Ideas for Enhancements}
You can file more than just bug reports! If you feel something is missing, or
something could be done better, you can also submit enhancement ideas.
\section{Fork It!}
Are you familiar with git? If yes, then you can contribute even more! Fork the
\href{https://gitlab.liu.se/topdog/ctf-lab-pm}{repository}, commit your own changes, and then send us a merge request
(sometimes called a pull request). If you need help, please see the
\href{https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html}{official
documentation}.
\begin{figure}
\centering
\includegraphics[width=.8\linewidth]{issues.png}
\caption{Click on Issues to file an issue report.\label{fig:issues}}
\end{figure}
\chapter{Frequently Asked Questions (FAQ)}
This section will be updated with frequently asked questions about the lab.
\section{I'm stuck, what should I do?}
First make sure you have read through the whole lab PM. Second, consult and discuss with a friend (this is the best way of getting new ideas). Lastly, use the assistances drop-in time slot (see \cref{sec:lab_organization}).
\section{I am Stuck, What Should I Do?}
First make sure you have read through the whole lab PM\@. Second, consult and
discuss with a friend (this is the best way of getting new ideas). Lastly, use
the assistances drop-in time slot (see \cref{sec:lab_organization}).
\section{There is something wrong with the server!}
\section{There is Something Wrong With the Server!}
First check that your Internet connection is working and that your attack proxy
isn't giving you problems. If the TopDog server is unavailable, or if there's some
\emph{technical} issue with it that has nothing to do with the lab itself, first
wait a few minutes. If it doesn't come back it might be an outage (planned or
unplanned). If we are doing some planned work on the server this will be posted
on Lisam.
isn't giving you problems. If the TopDog server is unavailable, or if there's
some \emph{technical} issue with it that has nothing to do with the lab itself,
first wait a few minutes. If it doesn't come back it might be an outage (planned
or unplanned). If we are doing some planned work on the server this will be
posted on Lisam.
If the server is still down and there's nothing on Lisam saying it's a planned
outage, the server might be down. Please send an e-mail to the lab assistant,
see \cref{sec:contact}.
%\section{How do I create a TopDog account?}
%
%
%See \cref{sec:register}.
\section{Can I get bonus points for the exam?}
\section{Can I Get Bonus Points For the Exam?}
The scoreboard and its points, bonus points, and medals is for fun only. They
have absolutely nothing to do with passing the lab or with the examination of
the course. The lab assistant can see how many assignments you have finished,
independently of the scoreboard.
\section{What happens if I can't go to the coaching session?}
\section{What Happens If I Can't Go to the Coaching Session?}
The coaching sessions are not a compulsory part of the course. If you can't
attend, there is no penalty. However, the sessions can be valuable as you have
the opportunity to get coaching and ask questions about the lab. Also, you must
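Review bot: "the assistances drop-in time slot" in the FAQ should be "the assistant's drop-in time slot" (the typo was carried over from the old text), and "The scoreboard and its points, bonus points, and medals is for fun only" needs "are". In the Contributing chapter, "file a bug report on gitlab" should be "GitLab" to match the rest of the section.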
......@@ -394,8 +375,9 @@ Try your skills on the challenges! If this is still not enough, check out
\section{I don't get a result key, only \enquote{Key Should be here! Please
refresh the home page and try again! If that doesn't work, sign in and out
again!}}
This is a bug that sometimes happens. Contact us (\cref{sec:contact}) and we'll
help you.
This is a bug that sometimes happens. We \emph{hope} that this issue has now
been solved, but if it does happen, please contact us (\cref{sec:contact}) and
we'll help you.
\section{The result key in insecure crypto challenges isn't working!}
Make sure you check that you've got UPPERCASE/lowercase correctly. Some online
......@@ -405,49 +387,26 @@ calculators will mess this up. Also make sure it handles spaces correctly.
money left}\label{sec:faq-bank}
It can happen that the total amount of money is too small to pass the lab. In
this case, contact us at \cref{sec:contact} and we'll fill up bank with some
more money to steal :)
more money to steal!
\section{I love computer security and I am looking for thesis work!}
Don't hesitate to contact us at the Information Coding Group\footnote{https://liu.se/en/organisation/liu/isy/icg}. Also, if you like crypto we
highly recommend the course TSIT03
Don't hesitate to contact us at the Information Coding
Group\footnote{https://liu.se/en/organisation/liu/isy/icg}. Also, if you like
crypto we highly recommend the course TSIT03
Cryptology\footnote{http://www.icg.isy.liu.se/courses/tsit03/} that is given in
HT1 every year.
\section*{About this document}
This lab memo is intended for students of the computer security courses \texttt{TSIT01} and
\texttt{TSIT02} at Linköping University.
\section*{Changelog}
\begin{description}
\item[2019] Adaption to the new registration procedure.
\item[2017] Revised for the 2017 course.
\item[2016] Initial version.
\end{description}
\section*{Acknowledgements}
This lab owes its existence to Anders Märak Leffler who brought this software to
my attention back in 2015. I also want to thank the OWASP Foundation and the
OWASP chapter in Gothenburg for help with getting started. Thanks to the LiU IT
department who was willing to set up and support a web application server that,
contrary to all common sense and in violation of
probably a dozen IT policies, contains all kinds of web vulnerabilities. Also
thanks to Niklas Johansson for helping me get all the lab details straight and,
of course, prof. Jan-Åke Larsson, who gave us the go-ahead to build what is
probably going to be a very interesting lab course.
\bigskip
\noindent
Linköping, November 2016\\
\emph{Jonathan Jogenfors}
\appendix
\chapter{Tools}\label{sec:tools}
Penetration testing requires you to have a large and diverse toolbox. In this
lab, you will mostly use online tools (that you'll have to find yourself) and
one offline tool: ZAP. The online tools can be things such as online
one offline tool: ZAP\@. The online tools can be things such as online
calculators, hex-to-dec-converters, decryption tools for cryptographic
algorithms etc. Use Google! Also, the slides from the lab preparation lecture
will be of use to you.
\section{Viewing the source code}
\section{Viewing the Source Code}
The first step in most web attacks is usually to look at the source code. This
will show you the raw HTML/CSS/JavaScript that builds up the page. For a quick
reference on what the HTML tags do, check out the W3 HTML
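Review bot: "we'll fill up bank with some more money" is missing "the". The two footnote URLs in the thesis paragraph (the ICG page and the TSIT03 page) are bare text rather than \url{...}, so with hyperref they are neither clickable nor line-breakable, unlike every other link in the document; wrap them in \url{}.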
......@@ -471,18 +430,16 @@ source code of TopDog itself and not the module.
\begin{figure}
\centering
\includegraphics[width=\linewidth]{sourcecode.png}
\caption{An example of a source code of a module.}
\label{fig:source}
\caption{An example of a source code of a module.\label{fig:source}}
\end{figure}
\begin{figure}
\centering
\includegraphics[width=\linewidth]{frame-source}
\caption{How to view only the source of the \texttt{iframe} containing the
module.}
\label{fig:frame-source}
module.\label{fig:frame-source}}
\end{figure}
\section{The Zed Attack proxy (ZAP)}
\section{The Zed Attack Proxy (ZAP)}
ZAP is the Zed Attack Proxy by
OWASP\footnote{\url{https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project}}.
You will use this tool to modify HTTP packets sent between your web browser and
......@@ -503,8 +460,7 @@ Windows, Linux and OSX and requires Java 7 or higher.
edit them.
5. Information Window – Displays details of the automated and manual tools.
6. Footer – Displays a summary of the alerts found and the status of the main
automated tools.}
\label{fig:zap}
automated tools.\label{fig:zap}}
\end{figure}
Installing ZAP is easy. If you don't have Java, the installer will help you
download and install it. If you have any trouble, check the ZAP Quick Start
......@@ -517,14 +473,13 @@ safe to say yes. After starting up, you will see the ZAP interface as shown in
\begin{figure}
\centering
\includegraphics[width=\linewidth]{proxy.png}
\caption{Schematic of the attack proxy}
\label{fig:proxy}
\caption{Schematic of the attack proxy\label{fig:proxy}}
\end{figure}
In order to use the attack proxy, you will need to configure your web browser to
connect through it. Here, it is recommended that you download and install a
secondary web browser to your computer, so that you have one normal browser (for
googling and general browsing) and one \enquote{attack browser} for use with
TopDog. Otherwise, ZAP will intercept all your HTTPS sessions (i.e. also your
TopDog. Otherwise, ZAP will intercept all your HTTPS sessions (i.e.\ also your
general web browsing), which
is very annoying.
......@@ -536,8 +491,7 @@ as the proxy configuration for HTTP and HTTPS protocols.
\centering
\includegraphics[width=.6\linewidth]{firefox-proxy.png}
\caption{Firefox proxy configuration (Preferences -> Advanced -> Network ->
Settings)}
\label{fig:firefox-proxy}
Settings).\label{fig:firefox-proxy}}
\end{figure}
For instance, the configuration\footnote{http://www.wikihow.com/Enter-Proxy-Settings-in-Firefox} for Firefox is shown in
......@@ -546,8 +500,8 @@ Chrome can be found here: \url{https://support.google.com/chrome/answer/96815}.
\begin{figure}
\centering
\includegraphics[width=.6\linewidth]{maninthemiddle.png}
\caption{Schematic diagram of ZAP when dealing with HTTPS traffic}
\label{fig:maninthemiddle}
\caption{Schematic diagram of ZAP when dealing with HTTPS
traffic.\label{fig:maninthemiddle}}
\end{figure}
Now, using the attack browser, go to the TopDog page:
......@@ -557,9 +511,9 @@ HTTPS traffic (see \cref{fig:maninthemiddle}). Remember that we talked about
this in the lecture. You will have to accept the ZAP
certificate and add it as an exception to the attack browser.
\subsection{Intercepting HTTP(S) traffic with ZAP}
\subsection{Intercepting HTTP(S) Traffic With ZAP} %chktex 36
Now you can browse around in TopDog and see that the traffic appears
in ZAP. In the left-hand pane you see \texttt{Sites}. Expand it and you see the
in ZAP\@. In the left-hand pane you see \texttt{Sites}. Expand it and you see the
site \texttt{https://snickerboa.it.liu.se}. Inside, you see the different
requests (mainly \texttt{GET} and \texttt{POST}) that were made to the server.
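Review bot: the step "accept the ZAP certificate and add it as an exception to the attack browser" should say explicitly that the ZAP root CA must only be trusted in the attack browser, never imported into the operating system or main browser trust store: ZAP generates that root key locally, and anything that trusts it can have its TLS traffic intercepted, which is exactly the man-in-the-middle position the figure describes. A sentence telling students to remove the exception (or the whole attack browser) after the lab would close the loop.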
......@@ -578,16 +532,14 @@ an example of a response package.
for cross-site scripting. In
the lower right side you can see \texttt{userdata=99}, which means that
the request contains POST data from a form with the varaible
\texttt{userdata} set to the value 99.}
\label{fig:request}
\texttt{userdata} set to the value 99.\label{fig:request}}
\end{figure}
\begin{figure}
\centering
\includegraphics[width=\linewidth]{lesson-response.png}
\caption{ZAP showing a response packet from the web server to the web
browser. The body of the response shows a HTML-encoded text saying that
\enquote{the number 99 is a valid number}.}
\label{fig:response}
\enquote{the number 99 is a valid number}.\label{fig:response}}
\end{figure}
Now we want to capture a HTTP response for ourselves. Begin by pressing the
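Review bot: "varaible" in the request figure caption should be "variable" (the typo is in both the old and the new line), "a HTML-encoded text" should be "an HTML-encoded text", and "capture a HTTP response" should be "an HTTP response".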
......@@ -615,8 +567,7 @@ destinations.
\centering
\includegraphics{step.png}
\caption{The important Break, Step, and Play buttons in ZAP (the three
leftmost buttons)}
\label{fig:step}
leftmost buttons)\label{fig:step}}
\end{figure}
\chapter{Capturing The Flag}\label{sec:ctf}
......@@ -630,5 +581,30 @@ who finish first.
If you found this lab course interesting and want more CTF challenges, check out
this list: \url{https://captf.com/practice-ctf/}.
\chapter{About This Document}
This lab memo is intended for students of the computer security courses
\texttt{TSIT01} and \texttt{TSIT02} at Linköping University.
\section{Changelog}
\begin{description}
\item[2019] Lab has now been integrated with LiU-ID login.
\item[2017] Revised for the 2017 course.
\item[2016] Initial version.
\end{description}
\section{Acknowledgements}
This lab owes its existence to Anders Märak Leffler who brought this software to
my attention back in 2015. I also want to thank the OWASP Foundation and the
OWASP chapter in Gothenburg for help with getting started. Thanks to the LiU IT
department who was willing to set up and support a web application server that,
contrary to all common sense and in violation of
probably a dozen IT policies, contains all kinds of web vulnerabilities. Also
thanks to Niklas Johansson for helping me get all the lab details straight and,
of course, prof. Jan-Åke Larsson, who gave us the go-ahead to build what is
probably going to be a very interesting lab course.
\bigskip
\noindent
Linköping, November 2016\\
\emph{Jonathan Jogenfors}
\end{document}
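Review bot: About This Document, Changelog and Acknowledgements were \section* (unnumbered) before this change; placed after \appendix as \chapter and \section they will now be numbered as an appendix chapter with numbered sections, which is odd for colophon-style text. Use \chapter*{About This Document} with \section*{...}, or move the chapter before \appendix. Also, "LiU-ID login" in the 2019 changelog entry conflicts with "LiU-id" used in Logging In; pick one spelling.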