CS142 Project #8: SQL Injection Attack

Problem 1: The Attack (30 points)

Netslip, the high-flying new entrant in the Internet DVD rental business, was rapidly taking market share from NetFlix when it was struck by an SQL injection attack. A band of Internet criminals from South Hackland extracted details of more than 200,000 credit cards from the Netslip database, resulting in thousands of identity thefts and millions of dollars in fraudulent purchases. Faced with a class-action lawsuit and (even worse) bad publicity, Netslip was forced to shut down.

Fortunately, we were able to obtain a few fragments of the original Netslip Web site for this project. Download netslip.zip and extract its contents into a directory named netslip. This directory contains a Rails-based application that you can run in the usual Rails fashion. Start up the application and go to the URL http://localhost:3000/movies/selectGenre. From this URL you can explore the remains of the Netslip Web site. It may also be useful to look through the Rails code that implements the site. The site contains several features designed to thwart attacks, but unfortunately it also contains a gaping loophole. Your first task is to identify that loophole.

Once you have identified the loophole, write a Ruby program cardInfo.rb that exploits the loophole to extract credit card information from the site. Your program should connect to the site via HTTP, extract the data using normal HTTP requests, and print out the following information for each credit card stored in the database:

You should print the above information in a legible form, with labels; dumping the raw HTML to the output is not sufficient. You should not make any modifications to the Web site while creating your attack. We will test your solution with a "clean" server: we will stop the server and invoke

rake db:migrate:reset

to clear and reload the database (which will also clear any existing sessions). Then we will restart the server and invoke the following command:

ruby cardInfo.rb

You may find the following information useful when writing your program:

In writing your program you may not use any existing packages or programs for implementing the HTTP protocol, managing cookies, etc. You must implement the protocol yourself using only generic I/O methods such as puts and gets.

Problem 2: The Fix (10 points)

Modify the Netslip server to eliminate the loophole that you have exploited. Look for the simplest possible change that eliminates the problem in a safe fashion.


Use the standard class submission mechanism to submit cardInfo.rb and any files that you changed in Problem 2. In addition, submit a file explanation that contains a brief explanation of the security loophole and how you fixed it.