CS142 Project #8: SQL Injection Attack

Problem 1: The Attack (30 points)

Netslip, the high-flying new entrant in the Internet DVD rental business, was rapidly taking market share from NetFlix when it was struck by an SQL injection attack. A band of Internet criminals from South Hackland extracted details of more than 200,000 credit cards from the Netslip database, resulting in thousands of identity thefts and millions of dollars in fraudulent purchases. Faced with a class-action lawsuit and (even worse) bad publicity, Netslip was forced to shut down.

Fortunately, we were able to obtain a few fragments of the original Netslip Web site for this project. Download netslip.zip and extract its contents into a directory named netslip. This directory contains a Rails-based application that you can run in the usual Rails fashion (you may need to invoke "bundle install" to install Ruby Gems needed by the application). Start up the application and go to the URL http://localhost:3000/movies/selectGenre. From this URL you can explore the remains of the Netslip Web site. It may also be useful to look through the Rails code that implements the site. The site contains several features designed to thwart attacks, but unfortunately it also contains a gaping loophole. Your first task is to identify that loophole.

Once you have identified the loophole, write a Ruby program cardInfo.rb that exploits the loophole to extract credit card information from the site. Your program should connect to the site via HTTP, extract the data using normal HTTP requests, and print out the following information for each credit card stored in the database:

You should print the above information in a legible form, with labels; dumping the raw HTML to the output is not sufficient. You should not make any modifications to the Web site while creating your attack. We will test your solution with a "clean" server: we will stop the server and invoke

rake db:migrate:reset

to clear and reload the database (which will also clear any existing sessions). Then we will restart the server and invoke the following command:

ruby cardInfo.rb

You may find the following information useful when writing your program:

In writing your program you may not use any existing packages or programs for implementing the HTTP protocol, managing cookies, etc. You must implement the protocol yourself using only generic I/O methods such as puts and gets.
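As an added illustration of what that rule leaves you to build (this is example code, not part of the original handout or of the Netslip site), here is a bare-bones HTTP/1.0 client written only on top of TCPSocket write/gets/read, with a hand-written cookie jar and percent-encoder. The host and port come from the URL above; the `/movies/list?genre=` path in the usage comment is hypothetical, and the real paths and parameter names must come from reading the Netslip code.

```ruby
require "socket"
require "stringio"   # only so parse_response can be exercised offline on a StringIO

# Minimal HTTP/1.0 client built solely on socket write/gets/read. Cookies are
# kept in a Hash and echoed back on every later request, which is all a Rails
# session cookie needs.
class RawHttpClient
  attr_reader :cookies

  # Bytes that may appear unencoded in a query-string value (RFC 3986 unreserved).
  UNRESERVED = (("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a + %w[- _ . ~]).map(&:ord)

  def initialize(host = "localhost", port = 3000)
    @host, @port, @cookies = host, port, {}
  end

  # Percent-encode one query-string value by hand. Injection payloads contain
  # spaces, quotes, '=' and '#', any of which would corrupt the request line.
  def self.url_encode(str)
    str.bytes.map { |b| UNRESERVED.include?(b) ? b.chr : "%%%02X" % b }.join
  end

  # Build the request text. HTTP/1.0 makes the server close the connection
  # after one response, so "read to EOF" is a valid fallback for the body.
  def build_request(path, method: "GET", body: nil)
    lines = ["#{method} #{path} HTTP/1.0", "Host: #{@host}:#{@port}"]
    unless @cookies.empty?
      lines << "Cookie: " + @cookies.map { |k, v| "#{k}=#{v}" }.join("; ")
    end
    if body
      lines << "Content-Type: application/x-www-form-urlencoded"
      lines << "Content-Length: #{body.bytesize}"
    end
    lines.join("\r\n") + "\r\n\r\n" + body.to_s
  end

  # Parse a response from any IO: a TCPSocket in cardInfo.rb, a StringIO in a
  # test. Returns [status, headers, body]; header names are downcased and kept
  # multi-valued because Rails may send more than one Set-Cookie line.
  def parse_response(io)
    status_line = io.gets or raise "empty response"
    status = status_line.split(" ")[1].to_i
    headers = Hash.new { |h, k| h[k] = [] }
    while (line = io.gets) && line.chomp != ""
      name, value = line.chomp.split(":", 2)
      headers[name.strip.downcase] << value.to_s.strip
    end
    headers["set-cookie"].each do |c|                 # keep only the "name=value" part
      name, value = c.split(";", 2).first.split("=", 2)
      @cookies[name] = value
    end
    len = headers["content-length"].first
    body = len ? io.read(len.to_i) : io.read          # no length given: read until close
    [status, headers, body.to_s]
  end

  # One request on a fresh connection (HTTP/1.0, so there is no keep-alive to manage).
  def request(path, method: "GET", body: nil)
    sock = TCPSocket.new(@host, @port)
    sock.write(build_request(path, method: method, body: body))
    parse_response(sock)
  ensure
    sock&.close
  end
end

# Typical use inside cardInfo.rb. The second path and parameter name are
# hypothetical placeholders, not Netslip's actual routes:
#   c = RawHttpClient.new
#   _status, _hdrs, html = c.request("/movies/selectGenre")        # picks up the session cookie
#   _status, _hdrs, html = c.request("/movies/list?genre=" + RawHttpClient.url_encode(payload))
```

Because `parse_response` takes any IO, the same code runs against a StringIO holding a captured response, which is the easiest way to check your header and cookie handling before pointing it at the server.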

Problem 2: The Fix (10 points)

Modify the Netslip server to eliminate the loophole that you have exploited. Look for the simplest possible change that eliminates the problem in a safe fashion.
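As an added illustration of what "the simplest possible change" usually means for a SQL injection in a Rails application (this is constructed example code, not the Netslip source, whose actual query is not reproduced here): request data is taken out of the SQL text and passed as a bound value instead. The `movies` and `credit_cards` table and column names are made up for the example; the lookup by genre is only suggested by the `selectGenre` URL above.

```ruby
# Constructed illustration, not the Netslip source. Each builder returns
# [sql, binds]: the statement text the database adapter receives and the
# values bound to it. Only the `genre` argument is attacker-controlled.

# VULNERABLE: request data interpolated into the SQL text. A quote in the
# value closes the literal and everything after it is parsed as SQL. In Rails
# this is the shape of
#   Movie.where("genre = '#{params[:genre]}'")                         # Rails 3+
#   Movie.find(:all, :conditions => "genre = '#{params[:genre]}'")    # Rails 2
def movies_by_genre_vulnerable(genre)
  ["SELECT * FROM movies WHERE genre = '#{genre}'", []]
end

# FIXED: a placeholder in the statement, the value handed over separately, so
# the statement's structure no longer depends on the input. In Rails:
#   Movie.where("genre = ?", params[:genre])  or  Movie.where(:genre => params[:genre])
#   Movie.find(:all, :conditions => ["genre = ?", params[:genre]])   # Rails 2
def movies_by_genre_safe(genre)
  ["SELECT * FROM movies WHERE genre = ?", [genre]]
end

# What happens to the binds when the adapter has to inline them (ActiveRecord's
# placeholder form substitutes each ? with connection.quote(value)): the value
# becomes a quoted literal with embedded quotes doubled, so it cannot end the
# literal early. This is the standard-SQL rule only, shown to expose the
# mechanism; real adapters are dialect-aware (MySQL also escapes backslashes),
# so use the placeholder API in the application rather than copying this.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

def bind_params(sql, binds)
  remaining = binds.dup
  sql.gsub("?") { quote_literal(remaining.shift) }   # replacement text is not re-scanned
end

# Crude structural check: count quotes that open or close a literal, treating
# the doubled '' escape as part of the literal. A single-literal WHERE clause
# must yield exactly 2; an odd count means the input broke out of the literal.
def literal_quote_count(sql)
  sql.gsub("''", "").count("'")
end

# Side-by-side view of the final statement text for one input.
def compare(genre)
  vuln_sql, = movies_by_genre_vulnerable(genre)
  safe_sql, safe_binds = movies_by_genre_safe(genre)
  { vulnerable: vuln_sql, safe: bind_params(safe_sql, safe_binds) }
end
```

The point to make in your explanation file is the structural one: with the fix, `movies_by_genre_safe` returns the same SQL text for every input, and the user's string can only ever be the contents of one literal. Filtering or rewriting suspicious input does not give that guarantee.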

Style Points (5 points)

These points will be awarded if your Ruby code is clean and readable, and if your credit card output is easy to understand.

Deliverables

Use the standard class submission mechanism to submit cardInfo.rb and any files that you changed in Problem 2. In addition, submit a file named explanation that contains a brief explanation of the security loophole and how you fixed it.