
GT CS 6262: Network Security
Project 3: Advanced Web Security
Spring 2022

The latest Chrome browser is highly recommended for this project.

Objectives
1. Attack a web application by exploiting its XSS vulnerabilities to infect its users as persistently as possible.
2. Exploit the XSS to launch a social engineering attack that tricks a simulated user into giving up its credentials.
3. Understand cookie management and how to secure your cookies.

Due Date
Please refer to the Canvas assignment for how to submit your solution and for the due date.

Background
As a student of CS6262, you are invited to join the web security club. This club has an official website for sharing information and resources. As a prospective member, you first need to deliver a pentesting report on the website and provide patches for what you find as a qualification test.

The website is not complicated. It is a simple Content Management System with several features enabled, e.g. text search, dark mode, rich text editor, etc.

The website is. It integrates the GT Single Sign-On service, so please sign in with your GT account and it will create a user for you.

Before getting your hands dirty
Let's first get a feel for what the website looks like. When you type cs6262.gtisc.gatech.edu in your browser (the latest Chrome is recommended), the image below is what you will get. It has two posts introducing its features. In the following instructions, you will be guided through the whole project.

1. Sign in first.
   a. Click "Sign in", the blue button in the top right corner. It will redirect you to Georgia Tech's login page.
   b. After sign-in, you will be directed to the homepage. At the top right corner, you can see your username and a dropdown list, which means you have successfully logged in. Read the post "Dark Mode Goes Live" to figure out how to use the theme feature.
2. You should read through all the existing posts to find clues on how to exploit the XSS vulnerabilities of the website.
3. The "My writeups" tab will only return your submissions, which can be used to see your submitted posts for task 4.
4. The "Console" tab is the testing tab that will help you simulate other users and admins receiving messages. One task also resides on that page. This is useful when you need others to click on your links.
   a. Message Receiver Endpoint
      i. This section gives you an endpoint to send/receive messages. That is necessary for XSS attacks: attackers usually steal cookies and send them to their endpoints. You should use the "POST" method to send messages to this endpoint. To view the received messages, click the link and refresh when you need to receive a new one.
      ii. This endpoint will be used for task 4 and task 5.
   b. The User/Admin instance's running status tells the current running admin role and user roles. You can create at most one admin role and one user role.
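The third objective (secure your cookies) and the note above that XSS attackers steal cookies meet in the Set-Cookie attributes a pentest report would check: a session cookie without HttpOnly is readable from document.cookie, so script injected into the page can exfiltrate it. The auditor below is an added example, not code from the CS 6262 handout or from the club website; the header values it runs on are constructed samples, not captured from cs6262.gtisc.gatech.edu.

```python
# Added example: audit Set-Cookie headers for the attributes that limit XSS
# cookie theft and CSRF, and emit the hardened header a patch would set.
# Not part of the CS 6262 handout; header values below are constructed samples.
from dataclasses import dataclass, field

# Attributes checked, in the order they are reported:
#   HttpOnly  keeps the cookie out of document.cookie, so injected script
#             in the page cannot read it and POST it to an attacker endpoint.
#   Secure    the browser only sends the cookie over HTTPS.
#   SameSite  limits cross-site sends; an explicit value beats the default.
REQUIRED = ("HttpOnly", "Secure", "SameSite")


@dataclass
class CookieAudit:
    name: str
    attrs: dict
    missing: list = field(default_factory=list)   # attributes to flag in the report


def parse_set_cookie(header: str) -> tuple[str, dict]:
    """Return (cookie name, {lowercased attribute: value}) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()   # attribute names are case-insensitive
    return name, attrs


def audit_set_cookie(header: str) -> CookieAudit:
    """List the hardening attributes a Set-Cookie header lacks."""
    name, attrs = parse_set_cookie(header)
    missing = [a for a in REQUIRED if a.lower() not in attrs]
    return CookieAudit(name, attrs, missing)


def harden(header: str) -> str:
    """Append the missing attributes; SameSite defaults to Lax when absent."""
    _, attrs = parse_set_cookie(header)
    extra = []
    if "httponly" not in attrs:
        extra.append("HttpOnly")
    if "secure" not in attrs:
        extra.append("Secure")
    if "samesite" not in attrs:
        extra.append("SameSite=Lax")
    return header.rstrip("; ") + "".join("; " + e for e in extra)


if __name__ == "__main__":
    for h in ("session=abc123; Path=/", "theme=dark; Path=/; SameSite=Lax; Secure"):
        print(audit_set_cookie(h).missing, "->", harden(h))
```

A theme cookie such as the dark-mode setting may legitimately need to be script-readable; the finding that matters for the report is the session cookie, which should never be.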
