There are two separate deliverables for this project, each due at midnight (via web-Turnin) at the end of the specified date:
The zipped assignment bundle (revised 3 Oct. at 1pm; current size 63K) contains our sample application, called Post. Post is implemented in Racket, which is required to run the application. (Racket is the new name for DrScheme. You will need the current Racket version to run Post.)
To run Post, unpack the bundle, change to the post directory, and run
    prompt% racket start.rkt
This should start the web server with a message like:
    Your Web application is running at http://localhost:8000/post.
    Stop this program at any time to terminate the Web Server.
and also load this URL into your browser and show the app.
There is one initial user defined on the page, username "poster", password "poster". You can log in as this user and post new links to the page. All of the state is stored in the memory of the running application, so if you stop it and restart it, new posts you make will be lost. Be sure to maintain them as files in your file system.
Taking the role of a malicious ad company, your goals are to create ads that:
To simulate deploying real ads, you will create ads in the
ads/ directory distributed with the app. To get Post to
show your ad, change the file that the
points to in
serve.rkt (it is the last line in the file).
Do this and restart the application to see the new ad deployed on the
For example, if you save the following in
    <script> alert("hello!"); </script>
And then change pick-ad to the following:
    (define (pick-ad) (include-template "ads/hello-ad.html"))
When you restart the app, you should immediately get an alert box that says "hello!".
Turn in four separate files, each containing one attack, along with a description of why the attack works.
ADsafe is a tool designed to allow pages to deploy ads securely.
It requires the cooperation of the ad writers to follow restrictions
on the ads they write. For this part of the assignment, first read
the documentation at www.adsafe.org to learn about the
library. Then, rewrite the sample ad we have provided so that it
passes JSLint with the ADsafe option on. Make sure that the ad is
still functional. You can find the sample ad in
To check an ad with JSLint, you can visit jslint.org, put your ad into the text box there, select the "ADsafe" and "Tolerate HTML fragments" options, and click the "JSLint" button.
Submit the following files (another set is further down on the page):
Rewriting with ADsafe puts you in the shoes of the third-party ad provider. Switch your perspective to that of the Post developers. Is Post truly safe from any ad that passes JSLint? What might make it unsafe? Hint: Does it meet all the restrictions listed on the ADsafe page?
If you believe Post is not safe, provide an ad that
passes JSLint and performs any one of the four attacks from the first
part of the assignment. Then, fix Post so this new attack
cannot happen, and explain why your fix works. Hint:
Most commonly, the slipups that cause this kind of error are in
Submit the following files:
In grading, we will be looking for whether your ads produce or prevent the desired attacks, and for technical accuracy and clarity in your written responses. Be precise in your written answers: if you claim that ADsafe prevents a certain kind of attack, articulate your reason in technical terms worthy of someone taking a senior-level CS course.
This assignment was developed by Joe Politz, a survivor of the first offering of this course who is now working on a PhD in programming languages and security at Brown University.