Due Date: November 25, 2014, 5pm

Part 1: Breaking Web Applications


The goal of this lab is to gain hands-on experience with penetration testing of web applications.

For this part of the lab, you are presented with three different scenarios. Each scenario asks you to perform a task you would not otherwise be able to complete as a regular, benign user. You'll have to figure out what vulnerability exists in each challenge, apply what you've learned in class, and craft a special payload to achieve your goal.

Note that protection tools that are built into the browser may interfere with this assignment. You advise that you turn off tools like Chrome's XSSAuditor and IE's XSS Filter.

Scenarios 1--3 are listed below. They add up to a total of 27 points and 15 extra credit points.

Scenario #1: Pikachu, Meowth, and Cookies

Premise: Everyone likes cookies, and Pikachu and Meowth are no exceptions. As Team Rocket's 27182818284th evil plan, Meowth is going to purchase all the cookies that's within Pikachu's reach so Pikachu would eventually surrender and give himself in. But Team Rocket cannot win.

Having eavesdropped on their conversation, you learned that Team Rocket keeps the cookies they bought in 8 different safes and store the combinations to each of the safes in 8 different cookies Meowth carries with him. You also learned that Meowth set up a website to facilitate communications with his fans (if any). With these in mind, you want to find a way get Pikachu some cookies back before he faints from a lack of cookies... but how?

Problem Points
74 (optional)
83 (optional)

Scenario #2: Jailbreak

Premise: You have been put jailed due to false conviction. You have no one to depend on, and the only way you can eat that University Teriyaki again is to jailbreak. Physical locks are for the weak; as a former Jedi, you can easily break them with the Force. What bothers you are the digital locks that are connected to a central database. But then, some materials you've learned from CSE 484 flashed before you...

Problem Points
35 (optional)

Scenario #3: Hack your 4.0

Having joined CSE 484, you realized a sad truth: there's no way you can get a 4.0 for the class. You've learned that the seemingly nice and friendly CSE 484 TAs have no mercy and routinely fail students as a hobby, and that the only way to get a good grade is to surreptitiously hack into the gradebook and change your own grade.

However, your CSE 484 TAs are like no others; there's no way their web site can be vulnerable to any attacks, or so they say...

Problem Points
23 (optional)

Where to start

Visit and start hacking!

Part 2: Creating a Sanitizer

While we have spent a lot of time breaking software, in this part of the lab we will see what it takes to creates a tough-to-break piece of code. In our case, a sanitizer. The goal of this part of the lab is to create an HTML sanitizer in JavaScript. This is a function that takes a string and outputs a string. Let's call this function sanitize. This function should be usable in the HTML context like this:

            var div = document.getElementById('mydiv');
            div.innerHTML = sanitize(untrustedInput);

Here are some sample input/output pairs to build-up your intuition:

Input Output
<div style='background:black;'>hello</div>
<b onclick='f();'>hello</b>
<b style="font-family: 'Consolas', monospace">hello</b>

It is important to preserve the following two properties:

It is not as important how you deal with convoluted broken inputs like <i><b>hello</i></b>. Below are some more complex cases:

Input Output
<b>hello</b> or hello
<b>hello</b> or hello
<i><b>hello</b></i> or <i><hello</i> or hello
< b>hello</b>

Note that possible script execution block like script and other similar tags are to be filtered out. No attributes should be preserved, either. Of course, you cannot elimiate all your input either -- a function that returns the empty string all the time won't fly here. To get more experience with HTML sanitizers, you may wish to play with HTMLPurifier located here. Think carefully about the strategy to employ.


Your job is to write this function entirely in JavaScript. The top-level function should be called sanitize.

      function sanitize(input) {
         // your logic goes here
         return ...;

Of course, you can create helper functions as well as part of your solution. However, you're not supposed to use any external libraries: all code should be written by you from scratch. There are different approaches to creating a robust solution here.


You will need to submit a file called {YOUR-CSE-ID}.js to the dropbox here. This is the same dropbox you used for the repvious assignment. Please explain your strategy and approach in a block comment /* ... */ at the top of the file. Please make sure your explaination is no more than 10 lines long but summarizes your approach well.

Evaluation and Grading

We will grade this assignment in part by running test cases against your function. Your function should process all the cases above correctly. However, we're likely to run test cases other that the ones above against your function to test how robust it is. This part of the lab is graded out of 20 points.