Web Security

Submission Deadline:

The goals of this assignment are to:

  1. Identify and exploit code injection vulnerabilities in web applications
  2. Bypass state-of-the-art web application defenses

Vulnerable Web Application

Identify an XSS vulnerability in the (updated) HuskyCoin website. Exploit this vulnerability to obtain cookies from victims who visit the site. Leak these cookies to http://example.com. The source code for this application can be found on GitLab, and the application is also available as a Docker image.

Extra Credit

Identify and exploit a vulnerability to leak all emails submitted to the site.

Submission Instructions

Create a GitLab repository at ${your_gitlab_user}/web. The latest commit on master will be considered your submitted solution. Push your code and include a /Dockerfile that, using the ENTRYPOINT Dockerfile directive, executes your exploit when given the URL of a HuskyCoin instance as its argument. Finally, commit a /README.md that describes the vulnerability and your attack.

If submitting for extra credit, include the code and a separate /Dockerfile.extra_credit with the same interface as above, and describe in the README the vulnerability and how you exploited it. Your Docker image should print each email on a separate line to stdout.