Exercise 04, Taks 2, Grading

Question

In exercise 04, Task 2 all my solutions were marked as wrong because i interpreted the task to be to replace the "PAYLOAD" in the php files with our Payload, which lead to the simplest possible attack to work every time. This seemed suspicious to me when doing them, but i did not further question it. After todays tutorial i can now see how the task was intended to be read, but i dont find that to be clear from the task description alone.
It is very frustrating to loose points like this.
Additionally to of my solutions for task 1 were marked as wrong because successfully evading the filters apparently isnt worth points if you use it to insert an "onmouseover" instead of an "onload" as the autograder doesnt mouseover anything, but ive already been told that there is little hope for any change of mind regarding these points. In total this makes for a very annoying experience of having to figure out what exactly your grader expects instead of actually focussing on the task at hand.
Kind, but slightly annoyed regards, Martin

Answer 1

Let me first address your general feedback, then I will talk about your misunderstandings of the tasks.

but ive already been told that there is little hope for any change of mind regarding these points.

Yes, as explained in the first tutorial, exact inputs are required for attacks to work in real life, so they are also required for our homework. Additionally, checking 200+ homeworks each week for small mistakes of each student is not feasible.

In total this makes for a very annoying experience of having to figure out what exactly your grader expects instead of actually focussing on the task at hand.

Again, as explained in the first tutorial, if you are not sure what to submit for a task you should use the forum before submitting your solution. Other students have done so for this exact exercise, see https://websec.q2a.cs.uni-paderborn.de/19/questions-regarding-exercise-4 and https://websec.q2a.cs.uni-paderborn.de/28/your-announcement-said-this-only-works-other-questions-tasks and I hope I could solve their confusion with the task. I do try to be helpful you know ;)

Similarly, another student has asked me in the tutorials how certain parts of the homework have to be interpreted. That is of course also ok.

i interpreted the task to be to replace the "PAYLOAD" in the php files with our Payload
but i dont find that to be clear from the task description alone.

The task is called “XSS Pentest”. How is changing a website's code an XSS? There is no cross-site part to that, just a developer implementing an alert.

Additionally, the files themselves prompt you to use the query parameters, the hint in a) tells you that the query parameters are relevant, and the submission requires you to submit a URL query.

task 1 were marked as wrong because successfully evading the filters apparently isnt worth points if you use it to insert an "onmouseover"

The task states “execute alert [...] upon pressing the Purchase button”. After the request was send (i.e. pressing the Purchase button), the alert should be run. With an onmouseover this is not the case, and thus the task was not successful.

Comments

I understand your reasoning, but that sadly does not make this less of an annoying mess.
I could argue with you over most of the points made here, but that would seperate this conversation even further from the course material.