XSS - Laboratory for Computer Security Education 1...

Info iconThis preview shows pages 1–2. Sign up to view the full content.

View Full Document Right Arrow Icon
1 Cross-Site Scripting (XSS) Attack Lab Copyright c ± 2006 - 2009 Wenliang Du, Syracuse University. The development of this document is funded by the National Science Foundation’s Course, Curriculum, and Laboratory Improvement (CCLI) program under Award No. 0618680 and 0231122. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation. A copy of the license can be found at http://www.gnu.org/licenses/fdl.html. 1 Overview Cross-site scripting (XSS) is a type of vulnerability commonly found in web applications. This vulnerability makes it possible for attackers to inject malicious code (e.g. JavaScript programs) into victim’s web browser. Using this malicious code, the attackers can steal the victim’s credentials, such as cookies. The access control policies (i.e., the same origin policy) employed by the browser to protect those credentials can be bypassed by exploiting the XSS vulnerability. Vulnerabilities of this kind can potentially lead to large-scale attacks. To demonstrate what attackers can do by exploiting XSS vulnerabilities, we have set up a web-based message board using phpBB . We modified the software to introduce an XSS vulnerability in this mes- sage board; this vulnerability allows users to post any arbitrary message to the board, including JavaScript programs. Students need to exploit this vulnerability by posting some malicious messages to the message board; users who view these malicious messages will become victims. The attackers’ goal is to post forged messages for the victims. 2 Lab Environment In this lab, we will need three things: (1) the Firefox web browser, (2) the apache web server, and (3) the phpBB message board web application. For the browser, we need to use the LiveHTTPHeaders exten- sion for Firefox to inspect the HTTP requests and responses. The pre-built Ubuntu VM image provided to you has already installed the Firefox web browser with the required extensions. The apache web server is also included in the pre-built Ubuntu image. However, the web server is not started by default. You have to first start the web server using one of the following two commands: % sudo apache2ctl start or % sudo service apache2 start The phpBB web application is already set up in the pre-built Ubuntu VM image. We have also created several user accounts in the phpBB server. The password information can be obtained from the posts on the front page. You can access the phpBB server using the following URL (the apache server needs to be started first): http://www.xsslabphpbb.com This URL is only accessible from inside of the virtual machine, because we have modified the /etc/hosts file to map the domain name ( www.xsslabphpbb.com ) to the virtual machine’s local IP address ( 127.0.0.1 ). You may map any domain name to a particular IP address using the
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
Image of page 2
This is the end of the preview. Sign up to access the rest of the document.

Page1 / 8

XSS - Laboratory for Computer Security Education 1...

This preview shows document pages 1 - 2. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online