CS 4401 (A11): Software Security Engineering
Project 4: AdSafe

Companies often want to include third-party content in their sites (advertisements and job postings are two common cases). Including third-party code naively opens the host site up to various attacks. There are several proposals for layers atop Javascript to allow third-party content to be included safely. This assignment has you work with one of these proposals (Yahoo's AdSafe language). We have written a skeleton application that accepts third-party ads. You will first write ads in raw Javascript to show how to attack our application, then you will rewrite the ads in AdSafe and explain how the AdSafe restrictions prevent the attacks.

There are two separate deliverables for this project, each due at midnight (via web-Turnin) at the end of the specified date:

Setup

The zipped assignment bundle (revised 3 Oct. at 1pm; current size 63K) contains our sample application, called Post. Post is implemented in Racket, which is required to run the application. (Racket is the new name for DrScheme. You will need the current Racket version to run Post).

To run Post, unpack the bundle, change to the post directory, and run

prompt% racket start.rkt
This should start the web server with a message like:
Your Web application is running at http://localhost:8000/post.
Stop this program at any time to terminate the Web Server.
and also load this URL into your browser and show the app.

There is one initial user defined on the page, username "poster", password "poster". You can log in as this user and post new links to the page. All of the state is stored in the memory of the running application, so if you stop it and restart it, new posts you make will be lost. Be sure to maintain them as files in your file system.


For the raw Javascript deadline: Attacking a Defenseless Site

Taking the role of a malicious ad company, your goals are to create ads that:

  1. Five seconds after the page loads, redirect the user to http://www.bing.com
  2. Change all the links on the page to point to http://www.bing.com
  3. Post a new link to http://www.bing.com, with the description "Better search engine!"
  4. Steal a user's password when they click the "Log In" button

To simulate deploying real ads, you will create ads in the ads/ directory distributed with the app. To get Post to show your ad, change the file that the pick-ad function points to in serve.rkt (it is the last line in the file). Do this and restart the application to see the new ad deployed on the site.

For example, if you save the following in ads/hello-ad.html:

<script> alert("hello!"); </script>
And then change pick-ad to the following:
(define (pick-ad)
  (include-template "ads/hello-ad.html"))
When you restart the app, you should immediately get an alert box that says "hello!".

Turn in four separate files, each containing one attack, along with a description of why the attack works.


For the AdSafe deadline: Rewriting ads, analysis, and security audit

ADsafe is a tool designed to allow pages to deploy ads securely. It requires the cooperation of the ad writers to follow restrictions on the ads they write. For this part of the assignment, first read the documentation at www.adsafe.org to learn about the library. Then, rewrite the sample ad we have provided so that it passes JSLint with the ADsafe option on. Make sure that the ad is still functional. You can find the sample ad in ads/apply-ad.html.

A sample bare ADsafe widget can be found here.

To check an ad with JSlint, you can visit jslint.org, put your ad into the text box there, select the "ADsafe" and "Tolerate HTML fragments" options, and click the "JSLint" button.
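As an added illustration of the shape ADsafe expects (not the course's sample ad or the linked bare widget), here is a small widget that only touches its own subtree through the dom capability passed to ADSAFE.go; the id prefix "AD_", the link target and the text are assumptions, and the file should still be run through JSLint with the ADsafe option before relying on it.

```html
<!-- Added example, not from the assignment bundle. -->
<div id="AD_">
  <p>Try a <a id="AD_LINK" href="http://example.com/">Better search engine!</a></p>
  <script>
    ADSAFE.go("AD_", function (dom, lib) {
        // "dom" is a wrapper limited to the div whose id is "AD_".
        // window, document and the host page's other nodes are not
        // reachable from here, so the ad cannot rewrite the host's links,
        // submit the host's forms or read its login fields.
        var link = dom.q("#AD_LINK");   // ids must carry the widget prefix
        var status = dom.tag("p");      // new nodes are created via dom, not document
        dom.append(status);
        link.on("click", function (e) {
            status.value("Thanks for clicking!");
            e.preventDefault();
        });
    });
  </script>
</div>
```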

Submit the following files (another set is further down on the page):

  1. apply-ad-adsafe.html — your modified ad that passes JSlint
  2. README-rewrite.txt — answers to the following questions: do your exploits from the first part of the assignment work on a page that uses ADsafe? What about the architecture of ADsafe is stopping you?

Rewriting with AdSafe puts you in the shoes of the third-party ad-provider. Switch your perspective to that of the Post developers. Is Post truly safe from any ad that passes JSlint? What might make it be unsafe? Hint: Does it meet all the restrictions listed on the ADsafe page?

If you believe Post is not safe, provide an ad that passes JSLint and performs any one of the four attacks from the first part of the assignment. Then, fix Post so this new attack cannot happen, and explain why your fix works. Hint: Most commonly, the slipups that cause this kind of error are in JavaScript files (.js extensions).

Submit the following files:

  1. new-attack.html — A file containing the new attack (if you find more than one attack, submit files new-attack1.html, ...)
  2. Updated versions of any files you needed to change for your fix
  3. README-audit.txt — A description of what you needed to fix and why


Grading

For this assignment, we are only looking at security aspects of the Javascript code. Ignore any other kinds of security holes in Post.

In grading, we will be looking for whether your ads produce or prevent the desired attacks, and for technical accuracy and clarity in your written responses. Be precise in your written answers: if you claim that AdSafe prevents a certain kind of attack, articulate your reason in technical terms worthy of someone taking a senior-level CS course.


Credits

This assignment was developed by Joe Politz, a survivor of the first offering of this course who is now working on a PhD in programming languages and security at Brown University.
