ADsafe and Web Sandboxes
Complete this assignment with the same team you worked with for Types (Written). You and your partner must each understand the answers to all the problems, so don't just split up the work.
Companies often want to include third-party content in their sites (advertisements and job postings are two common cases). Including third-party code naively exposes the host site to various attacks. There are several proposals for layers atop JavaScript that allow third-party content to be included safely. This assignment has you work with one of these proposals (Yahoo's ADsafe language). We have written a skeleton application that accepts third-party ads. You will first write ads in raw JavaScript to show how to attack our application, then you will rewrite the ads in ADsafe and explain how the ADsafe restrictions prevent the attacks.
Setup
The assignment bundle contains our sample application, called Post. To run Post, unpack the bundle, change to the post directory, and run
> racket start.rkt
This should start a Racket web server, open your browser, and show the app.
There is one initial user defined on the page, username "poster", password "poster". You can log in as this user and post new links to the page. All of the state is stored in the memory of the running application, so if you stop it and restart it, new posts you make will be lost.
Attacking a Defenseless Site
Taking the role of a malicious ad company, your goals are to create ads that:
- Five seconds after the page loads, redirect the user to http://www.bing.com
- Change all the links on the page to point to http://www.bing.com
- Post a new link to http://www.bing.com, with the description "Better search engine!"
To simulate deploying real ads, you will create ads in the ads/ directory distributed with the app. To get Post to show your ad, change the file that the pick-ad function points to in serve.rkt (it is the last line in the file). Do this and restart the application to see the new ad deployed on the site.
For example, if you save the following in ads/hello-ad.html:
<script> alert("hello!"); </script>
and then change pick-ad to the following:
(define (pick-ad) (include-template "ads/hello-ad.html"))
When you restart the app, you should immediately get an alert box that says "hello!".
Turn in three separate files, each containing one attack, along with a description of why the attack works.
- ad-redirect.html
- ad-links.html
- ad-post.html
Rewriting ads, analysis, and security audit
ADsafe is a tool designed to allow pages to deploy ads securely. It requires the cooperation of the ad writers to follow restrictions on the ads they write. For this part of the assignment, first read the documentation at www.adsafe.org to learn about the library. Then, rewrite the sample ad we have provided so that it passes JSLint with the ADsafe option on. Make sure that the ad is still functional. You can find the sample ad in ads/apply-ad.html.
To check an ad with JSLint, you can visit jslint.org, paste your ad into the text box there, select the "ADsafe" and "Tolerate HTML fragments" options, and click the "JSLint" button.
Submit the following files (another set is further down on the page):
- apply-ad-adsafe.html - your modified ad that passes JSLint
- README-rewrite.txt - answers to the following questions: do your exploits from the first part of the assignment work on a page that uses ADsafe? What about the architecture of ADsafe is stopping you?
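To make the architecture question above concrete, here is an added illustrative model (not ADsafe's own code, and not part of this assignment's files): the same link query run once with the whole document and once through a facade confined to the widget's own subtree, which is the idea behind the `dom` object that ADSAFE.go hands a widget instead of `document`. The page tree, element ids and hrefs are constructed for the example.

```javascript
// Illustrative model of ADsafe's confinement principle (added here, not
// ADsafe's own code). A raw <script> walks the whole page tree from the
// document root; an ADsafe-style widget is handed a `dom` facade bound to
// its own widget element and cannot reach anything outside that subtree.

function node(tag, attrs, children) {
  return { tag: tag, attrs: attrs || {}, children: children || [] };
}

// Constructed sample page (ids and hrefs are made up): two host links and
// an ad slot whose id ends in "_", holding one link of its own.
const PAGE = node("body", {}, [
  node("a", { href: "https://host.example/post/1" }),
  node("a", { href: "https://host.example/post/2" }),
  node("div", { id: "AD_" }, [node("a", { href: "https://ad.example/landing" })])
]);

// Depth-first search for every node with the given tag under `root`.
function queryAll(root, tag) {
  const out = [];
  (function walk(n) {
    if (n.tag === tag) { out.push(n); }
    n.children.forEach(walk);
  }(root));
  return out;
}

// What a raw ad script sees: every link in the document.
function hrefsVisibleToRawScript(page) {
  return queryAll(page, "a").map(function (a) { return a.attrs.href; });
}

// What a confined widget sees. The facade keeps the subtree root in a
// closure, exposes no parent or document reference, and returns frozen
// copies of attributes, so there is no path from `dom` back to host nodes.
function makeWidgetDom(page, widgetId) {
  const slot = queryAll(page, "div").find(function (d) { return d.attrs.id === widgetId; });
  if (!slot) { throw new Error("no widget element with id " + widgetId); }
  return Object.freeze({
    q: function (tag) {
      return queryAll(slot, tag).map(function (n) { return Object.freeze(Object.assign({}, n.attrs)); });
    }
  });
}

function hrefsVisibleToWidget(page, widgetId) {
  return makeWidgetDom(page, widgetId).q("a").map(function (a) { return a.href; });
}
```

The raw script reaches all three links; the widget facade reaches only the one inside the AD_ element, which is why a "change every link on the page" ad has nothing to work with once it is confined.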
Rewriting with ADsafe puts you in the shoes of the third-party ad provider. Now switch your perspective to that of the Post developers. Is Post truly safe from any ad that passes JSLint? What might make it unsafe? Hint: Does it meet all the restrictions listed on the ADsafe page?
If you believe Post is not safe, provide an ad that passes JSLint and performs any one of the three attacks from the first part of the assignment. Then, fix Post so this new attack cannot happen, and explain why your fix works. Hint: Most commonly, the slipups that cause this kind of error are in JavaScript files (.js extensions).
Submit the following files:
- One of:
- no-attacks.txt - A file describing why the site doesn't break ADsafe's containment;
- new-attack.html - A file containing the new attack (if you find more than one attack, submit files new-attack1.html, ...), along with fixes to Post and a description of what was broken.
Handin
A single member of your team should hand in the assignment. From the directory containing the files for the assignment you wish to hand in, execute
/course/cs173/bin/cs173handin websand