Companies often want to include third-party content in their sites (advertisements and job postings are two common cases). Including third-party code naively opens the host site up to various attacks. There are several proposals for layers atop Javascript to allow third-party content to be included safely. This assignment has you work with one of these proposals (Yahoo's AdSafe language). We have written a skeleton application that accepts third-party ads. You will first write ads in raw Javascript to show how to attack our application, then you will rewrite the ads in AdSafe and explain how the AdSafe restrictions prevent the attacks.
There are two separate deliverables for this project, each due at the start of class (via web-Turnin) on the specified date:
The assignment bundle (revised 9/11 at 2pm; current size 81K) contains our sample application, called Post. Post is implemented in Racket, which is required to run the application. (Racket is the new name for DrScheme. You will need the current Racket version to run Post).
To run Post, unpack the bundle, change to the post directory, and run:

> racket start.rkt

This should open your web server (in your browser) and show the app.
There is one initial user defined on the page, username "poster", password "poster". You can log in as this user and post new links to the page. All of the state is stored in the memory of the running application, so if you stop it and restart it, new posts you make will be lost.
Taking the role of a malicious ad company, your goals are to create ads that:
To simulate deploying real ads, you will create ads in the ads/ directory distributed with the app. To get Post to show your ad, change the file that the pick-ad function points to in serve.rkt (it is the last line in the file). Do this and restart the application to see the new ad deployed on the site.
For example, if you save the following in ads/hello-ad.html:

<script> alert("hello!"); </script>

and then change pick-ad to the following:

(define (pick-ad) (include-template "ads/hello-ad.html"))

When you restart the app, you should immediately get an alert box that says "hello!".
Turn in four separate files, each containing one attack, along with a description of why the attack works.
ADsafe is a tool designed to allow pages to deploy ads securely. It requires the cooperation of the ad writers to follow restrictions on the ads they write. For this part of the assignment, first read the documentation at www.adsafe.org to learn about the library. Then, rewrite the sample ad we have provided so that it passes JSLint with the ADsafe option on. Make sure that the ad is still functional. You can find the sample ad in ads/apply-ad.html.

To check an ad with JSLint, you can visit jslint.org, put your ad into the text box there, select the "ADsafe" and "Tolerate HTML fragments" options, and click the "JSLint" button.
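As an added illustration of the shape an ADsafe-conforming ad takes (this is not the sample ad from the bundle, and the widget id "AD_" and element ids are assumed), the fragment below keeps all of its ids prefixed with the widget id and only touches the page through the dom wrapper that ADSAFE.go hands it:

```html
<!-- Added example, not the assignment's apply-ad.html. Assumes the host
     page has loaded adsafe.js before this fragment is included. -->
<div id="AD_">
    <!-- every id inside the widget must begin with the widget id "AD_" -->
    <p id="AD_MSG">Enter your name and click the button.</p>
    <input id="AD_NAME" type="text">
    <button id="AD_BTN">Say hello</button>
    <!-- the script must be the last element inside the widget div -->
    <script>
    ADSAFE.go("AD_", function (dom, lib) {
        // dom only reaches elements under #AD_; there is no document,
        // window, eval, or access to the rest of Post's page.
        var msg = dom.q("#AD_MSG");
        var name = dom.q("#AD_NAME");
        dom.q("#AD_BTN").on("click", function (e) {
            // getValue reads the text field; title sets the paragraph's
            // text content, so the user's input is never parsed as HTML.
            msg.title("Hello, " + name.getValue() + "!");
        });
    });
    </script>
</div>
```

Pasting this into jslint.org with "ADsafe" and "Tolerate HTML fragments" selected is the same check the assignment asks you to run on your own rewrite.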
Submit the following files (another set is further down on the page):
Rewriting with AdSafe puts you in the shoes of the third-party ad-provider. Switch your perspective to that of the Post developers. Is Post truly safe from any ad that passes JSlint? What might make it be unsafe? Hint: Does it meet all the restrictions listed on the ADsafe page?
If you believe Post is not safe, provide an ad that passes JSLint and performs any one of the four attacks from the first part of the assignment. Then, fix Post so this new attack cannot happen, and explain why your fix works. Hint: Most commonly, the slipups that cause this kind of error are in JavaScript files (.js extensions).
Submit the following files:
For this assignment, we are only looking at security aspects of the Javascript code. Ignore any other kinds of security holes in Post.
In grading, we will be looking for whether your ads produce or prevent the desired attacks, and for technical accuracy and clarity in your written responses. Be precise in your written answers: if you claim that AdSafe prevents a certain kind of attack, articulate your reason in technical terms worthy of someone taking a senior-level CS course.
This assignment was developed by Joe Politz, a survivor of the first offering of this course who is now working on a PhD in programming languages and security at Brown University.