Lab - Cross-Site Scripting (XSS) Attack Lab
Lab Description and Tasks
- Lab Description: XSS Attack Lab.pdf
- Lab Setup files: Labsetup.zip
- Additional information is available on the SEED project site.
- You must provide a screenshot of the network traffic (e.g. from HTTP Header Live or the Firefox Network tab) for each attack.
Login information
| User | User Name | Password |
|---|---|---|
| Admin | admin | seedelgg |
| Alice | alice | seedalice |
| Boby | boby | seedboby |
| Charlie | charlie | seedcharlie |
| Samy | samy | seedsamy |
- Example add-a-friend script: add-a-friend.js
- Example update-profile script: update-profile.js
History of Samy’s worm
- The MySpace Worm that Changed the Internet Forever
- https://samy.pl/myspace/
- Technical explanation of The MySpace Worm
- Cross-Site Scripting Worm Hits MySpace
- Cross-Site Scripting Worm Floods MySpace
- Video: MySpace Worm Animated Story
References
- Firefox Developer Tools
- HTTP Header Live: displays the HTTP headers of each request and lets you edit and resend them.
- The HTML <form> Element Reference
- XMLHttpRequest
- Using XMLHttpRequest
- Element.innerHTML: gets or sets the HTML markup inside an element. Assigning untrusted data to it is a classic XSS sink; use textContent for plain text.
- CSP Cheat Sheet
- XSS Filter Evasion
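The innerHTML reference above is the heart of the stored-XSS tasks: a profile field that Elgg renders as markup lets whatever the attacker stored become live HTML. The following is an added example, not one of the lab's own scripts, contrasting an unsafe render with an escaped one. The payload string, the `briefDescription` field name, and the render helpers are all constructed for illustration.

```javascript
// Added example (not part of the SEED lab files): inserting untrusted text as
// markup versus escaping it first. Runs under Node; in a browser the same
// contrast is el.innerHTML = untrusted (unsafe) versus el.textContent = untrusted.

// Escape the five characters that matter in HTML text and attribute contexts.
// '&' is replaced first so the entities produced by the later replacements are
// not themselves re-escaped.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Constructed stored-XSS payload of the kind a profile field might carry.
// Image tags need no user click: onerror fires as soon as the bogus src fails.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Unsafe: the stored value is concatenated straight into the page, so the
// browser parses the <img> tag and runs the handler (the innerHTML pattern).
function renderProfileUnsafe(briefDescription) {
  return '<div class="brief">' + briefDescription + '</div>';
}

// Hardened: the same value is escaped, so it is displayed as literal text.
function renderProfileSafe(briefDescription) {
  return '<div class="brief">' + escapeHtml(briefDescription) + '</div>';
}

// Check used to verify the two renderers: does the markup contain an active
// element, or an on*= event-handler attribute inside an open tag? The second
// regex requires a preceding '<' so escaped text such as "onerror=&quot;" does
// not trigger it.
function containsActiveMarkup(html) {
  return /<(script|img|svg|iframe)\b/i.test(html)
      || /<[^>]*\son\w+\s*=/i.test(html);
}

// Stand-alone demonstration.
console.log('unsafe:', renderProfileUnsafe(PAYLOAD));
console.log('safe:  ', renderProfileSafe(PAYLOAD));
console.log('unsafe active?', containsActiveMarkup(renderProfileUnsafe(PAYLOAD)));
console.log('safe active?  ', containsActiveMarkup(renderProfileSafe(PAYLOAD)));
```

Two caveats a practitioner should keep in mind: this escaping is correct only for the HTML text and attribute-value contexts; data placed inside a script block, a URL, or a style attribute needs a different encoder. And containsActiveMarkup is a test helper, not a filter; blocklist filtering of tag names is exactly what the XSS Filter Evasion reference shows how to bypass, so output encoding (or a CSP) is the defence, not the regex.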
Examples
- https://hackerone.com/reports/106293
- https://hackerone.com/reports/104359
- https://klikki.fi/yahoo-mail-stored-xss
- https://mahmoudsec.blogspot.com/2015/09/how-i-found-xss-vulnerability-in-google.html
- http://strukt93.blogspot.com/2016/07/united-to-xss-united.html
Grading
Post your report in Marmoset by the scheduled due date in the syllabus. Your grade for this lab will be composed of:
- 30% - Design
- 30% - Observations
- 40% - Explanation
- Extra credit for further investigation beyond what the lab description requires.