What attackers can do by exploiting XSS vulnerabilities


Assignment: Cross-site scripting (XSS) Attacks

Cross-site scripting (XSS) is a type of vulnerability commonly found in web applications. This vulnerability makes it possible for attackers to inject malicious code (e.g. JavaScript programs) into a victim's web browser.

Using this malicious code, the attackers can steal the victim's credentials, such as cookies. The access control policies (i.e., the same origin policy) employed by the browser to protect those credentials can be bypassed by exploiting the XSS vulnerability. Vulnerabilities of this kind can potentially lead to large-scale attacks.

To demonstrate what attackers can do by exploiting XSS vulnerabilities, we have set up a web application named Elgg in our pre-built Ubuntu VM image. Elgg is an open-source web application for social networking, and it has implemented a number of countermeasures to remedy the XSS threat. To demonstrate how XSS attacks work, we have commented out these countermeasures in Elgg in our installation, intentionally making Elgg vulnerable to XSS attacks. Without the countermeasures, users can post any arbitrary message, including JavaScript programs, to the user profiles. In this lab, students need to exploit this vulnerability to launch an XSS attack on the modified Elgg, in a way that is similar to what Samy Kamkar did to MySpace in 2005 through the notorious Samy worm. The ultimate goal of this attack is to spread an XSS worm among the users, such that whoever views an infected user profile will be infected, and whoever is infected will add you (i.e., the attacker) to his/her friend list.

Environment setup for the problem:

For this problem, we will assume that you have set up the Ubuntu virtual machine environment based on the instructions in the Syllabus under "Special Software Installation Requirements".

We will need the following:

• Firefox web browser
• Apache web server
• Elgg web application

For the Firefox browser, we need to use the LiveHTTPHeaders extension for Firefox to inspect the HTTP requests and responses (available under the "Tools" menu in Firefox). The pre-built Ubuntu VM image provided to you has already installed the Firefox web browser with the required extension.

The Apache web server is also included in the pre-built Ubuntu image. However, the web server is not started by default. You have to first start the web server using one of the following two commands:

% sudo apache2ctl start

or

% sudo service apache2 start

The Elgg web application is already set up in the pre-built Ubuntu VM image. We have also created several user accounts on the Elgg server and the credentials are given below (username, password):

admin, seedelgg
alice, seedalice
boby, seedboby
charlie, seedcharlie
samy, seedsamy

You can access the Elgg server using the following URL (the Apache server needs to be started first):

(this URL is only accessible from inside the virtual machine, because we have modified the /etc/hosts file to map the domain name to the virtual machine's local IP address 127.0.0.1).

Once you log in as a user in Elgg, you can access your Profile and list of Friends by clicking on icons in the upper left part of the browser window.

Note: Some of the project tasks require some basic familiarity with JavaScript. Wherever necessary, we provide a sample JavaScript program to help you get started.

i. Posting a Malicious Message to Display an Alert Window

The objective of this task is to embed a JavaScript program in your Elgg profile, such that when another user views your profile, the JavaScript program will be executed and an alert window will be displayed. The following JavaScript program will display an alert window:

If you embed the above JavaScript code in your Profile (e.g. in the brief description field), then any user who views your profile will see the alert window.

What you need to do:

1. Log in as user Alice and change the "Brief description" field in your Profile such that an alert window with the following text opens:

XSS attack by

2. Log out and log in as user Boby, and then select user Alice from "More => Members" in the Elgg menu.

3. Include in your project document a screen printout with this alert window.

ii. Posting a Malicious Message to Display Cookies

The objective of this task is to embed a JavaScript program in your Elgg profile, such that when another user views your profile, the user's cookies will be displayed in the alert window. This can be done by adding some additional code to the JavaScript program in the previous task:


Hello Everybody,
Welcome to this message board.

When a user views this message post, he/she will see a pop-up message box that displays the cookies of the user.

What you need to do:

1. Log in as user Alice and change the "Brief description" field in your Profile such that an alert window containing the viewing user's cookies opens.

2. Log out and log in as user Charlie, and then select user Alice from "More => Members" in the Elgg menu.

3. Include in your project document a screen printout with this alert window.

iii. Stealing Cookies from the Victim's Machine

In the previous task, the malicious JavaScript code can print out the user's cookies; in this task, the attacker wants the JavaScript code to send the cookies to himself/herself. To achieve this, the malicious JavaScript code needs to send an HTTP request to the attacker, with the cookies appended to the request.

We can do this by having the malicious JavaScript code insert an <img> tag with its src attribute set to a URL on the attacker's website. When the JavaScript inserts the <img> tag, the browser tries to load the image from that URL and in the process sends an HTTP GET request to the attacker's website. The JavaScript given below sends the cookies to port 5555 of the attacker's machine, where the attacker has a TCP server listening on that port. The server can print out whatever it receives. The TCP server program is available on the course website.

Hello Folks,

This script tests an XSS attack.

What you need to do:

1. Download, uncompress (it is a TAR archive; use 'tar xvf' to extract it) and compile the TCP server program (compile using the command make). The server can be found as the file echoserv.tar under the Moodle forums post for Project 2. Run this server on port 5555.

2. Log in as user Samy and change the "About me" field in your Profile such that the cookies of whoever is viewing Samy's profile will be sent to the attacker's TCP server (you need to replace 'attacker_IP_address' in the script above with the appropriate value). When editing the "About me" field, select the "Remove editor" option to avoid automatic re-formatting of your text.

3. Log out and log in as user Alice, and then view Samy's profile by selecting user Samy from "More => Members" in the Elgg menu.

4. Include in your project document:

a. a screen printout with the text printed by the TCP server.
b. the JavaScript script you used in step 2 above.
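All three tasks above depend on the output-encoding countermeasure that this lab's Elgg installation has disabled. The following added example (not part of the lab handout or of Elgg's own code; the rendering functions, field name and sample strings are constructed for illustration) renders a profile field with and without encoding and applies a check a tester can run on the result:

```javascript
// Added example, not code from the SEED lab or from Elgg itself. It contrasts the lab's
// vulnerable rendering of a profile field (countermeasures removed) with the standard
// remedy, HTML entity encoding at output time. All sample strings are constructed here.

// The five characters that must never reach an HTML text context unencoded.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Lab configuration: the "Brief description" field is interpolated into the page as-is,
// so markup typed by the profile owner becomes part of every viewer's DOM.
function renderUnsafe(briefDescription) {
  return `<div class="profile-brief">${briefDescription}</div>`;
}

// Hardened configuration: the same field is emitted strictly as text.
function renderSafe(briefDescription) {
  return `<div class="profile-brief">${escapeHtml(briefDescription)}</div>`;
}

// Tester's check on rendered HTML: did any executable construct survive? Looks for a
// script element or an inline event-handler attribute (on*) on any tag.
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed inputs: a benign description and the kind of message Task i describes.
const BENIGN = 'Hello Everybody, Welcome to this message board.';
const PAYLOAD = '<script>alert("XSS attack")</script>';

// Stand-alone run: the unsafe page carries live script, the safe page does not, and
// the benign description renders identically either way.
console.log(containsActiveContent(renderUnsafe(PAYLOAD)));  // true
console.log(containsActiveContent(renderSafe(PAYLOAD)));    // false
console.log(renderSafe(BENIGN) === renderUnsafe(BENIGN));   // true
```

Encoding on output is what keeps a profile field from becoming script in a viewer's browser; for Tasks ii and iii, marking the session cookie HttpOnly additionally keeps document.cookie from exposing it even if an injection does get through.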

Format your assignment according to the following formatting requirements:

1. The answer should be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides.

2. The response must also include a cover page containing the title of the assignment, the student's name, the course title, and the date. The cover page is not included in the required page length.

3. Also include a reference page. Citations and references should follow APA format. The reference page is not included in the required page length.
