LAB 12


Lab 12: XSS, SQL Injection, and CSRF Attacks

Credits

In Lab 12, you will exploit vulnerable web applications created by SEED Labs.

SEED Labs have been created and maintained by Wenliang Du, Syracuse University. The development of the labs was partially funded by the National Science Foundation under Award No. 1303306 and 1318814.

Introduction

OWASP has maintained the Top 10 Web Application Security Risks list since 2003. The most recent update to the list was made in 2017. XSS and injection have been on the list since its creation. Injection ranked first in both the 2013 and 2017 versions. CSRF was on the list in the 2013 version and was dropped from the list in the 2017 version.

In this lab, you will exploit vulnerabilities in web applications by performing XSS, SQL injection, and CSRF attacks.

The XSS and SQL injection labs will be graded. The CSRF lab is optional.

Resources

SEED Lab Instructions

Download the lab instructions.

XSS Lab:

https://seedsecuritylabs.org/Labs_16.04/PDF/Web_XSS_Elgg.pdf

SQL Injection Lab:

https://seedsecuritylabs.org/Labs_16.04/PDF/Web_SQL_Injection.pdf

CSRF Lab:

https://seedsecuritylabs.org/Labs_16.04/PDF/Web_CSRF_Elgg.pdf

YouTube Lessons

The following YouTube lessons can guide you through the SEED Lab instructions shared above. They are recommended for those who need more clarification on the topics.

XSS Lab:

https://www.youtube.com/watch?v=sFSq6dsDGzA

SQL Injection Lab:

https://www.youtube.com/watch?v=_P8HCLkDInA

CSRF Lab:

https://www.youtube.com/watch?v=iY74zUB6Mpk

Lab Environment

Use Franklin University’s Netlab environment to complete the lab. Please refer to the Netlab Reservation Instructions.

Instructions

Explore an XSS attack

  1. Click on the “SEED” user.
  2. Open the Firefox browser.
  3. Click on the “Sites for Labs” folder on the bookmarks bar.
  4. Click the “XSS Lab Site” shortcut, which loads the vulnerable web application: www.xsslabelgg.com
  5. Log in with the credentials: samy as the username and seedsamy as the password.


Think about this scenario:

  • xsslabelgg.com is a social media or e-commerce platform. Members have public profiles, and they can see each other’s profiles.
  • Samy (you) is a malicious actor. Samy wants to steal session cookies from other members and to change their profiles. You will perform a proof-of-concept XSS attack in this lab.
  • This attack will not allow you to change other users’ profiles; however, the mechanism for doing so is the same and is only a matter of writing different code. If you want to change other users’ profiles or even write an XSS worm, refer to the XSS Lab instructions.


  1. Click on the small square at the top left corner to enter your profile on xsslabelgg.com.
  2. Click the Edit profile button below the user profile image.
  3. In the About me box, click the Edit HTML link, which turns off the Visual Editor.
  4. Type this JavaScript code into the box: <script>alert(document.cookie)</script>
  5. Click Save.


Think about this scenario:

  • Alice (the victim) visits Samy’s profile. (Samy may send the URL of his profile to Alice; there are many ways of distributing a link to this “malicious” page.)
  • As soon as Alice visits Samy’s profile, she becomes a victim of this XSS attack: the stored script runs in her browser, in her session.


  1. Log out of Samy’s account.
  2. Log in to the platform using Alice’s account. Username: alice; Password: seedalice
  3. Visit Samy’s profile. Take a screenshot of the alert box.
  4. Log in to the platform using another member’s account. Username: boby; Password: seedboby
  5. Visit Samy’s profile. Take a screenshot of the alert box.
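The alert appears because the Elgg profile page inserts the stored "About me" HTML verbatim, so every visitor's browser parses Samy's <script> element as code. The example below is added to this handout (it is not SEED Labs code and not Elgg's own template logic) and contrasts that vulnerable rendering with the standard fix, contextual output encoding, using the exact payload typed in step 4. The template string and function names are assumptions made for the illustration.

```python
import html
import re

# Constructed sample: the payload the lab has Samy type into the "About me" box.
SAMY_ABOUT_ME = "<script>alert(document.cookie)</script>"

# Assumed minimal profile fragment; the real Elgg template is larger.
PROFILE_TEMPLATE = '<div class="about-me">{about_me}</div>'


def render_unsafe(about_me: str) -> str:
    """Vulnerable pattern: user-supplied text is inserted into the page as-is.

    A stored <script> element survives intact, so every visitor's browser
    executes it with the visitor's own session (stored XSS).
    """
    return PROFILE_TEMPLATE.format(about_me=about_me)


def render_safe(about_me: str) -> str:
    """Hardened pattern: HTML-encode untrusted data at the point of output.

    html.escape turns < > & " ' into character entities, so the browser
    displays Samy's text instead of parsing it as markup.
    """
    return PROFILE_TEMPLATE.format(about_me=html.escape(about_me, quote=True))


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_element(rendered_html: str) -> bool:
    """Simple check a code reviewer or unit test can run over rendered output:
    does a live <script> start tag survive rendering?"""
    return _SCRIPT_TAG.search(rendered_html) is not None


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMY_ABOUT_ME))
    print("safe:  ", render_safe(SAMY_ABOUT_ME))
```

Output encoding is one answer to Question 2; a complementary server-side control is marking the session cookie HttpOnly, which keeps document.cookie from exposing it even if a script does run.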


Explore a SQL Injection attack

  1. Open another Firefox browser window on the SEED virtual machine.
  2. Click on the “Sites for Labs” folder on the bookmarks bar.
  3. Click the “SQL Injection Site” shortcut, which loads the URL seedlabsqlinjection.com
  4. Refer to the SQL Injection Lab instructions. Analyze the code snippet in that document (pages 3-4) showing how users are authenticated.
  5. Complete Task 2.1 on page 4 of the SEED Lab instructions. Take a screenshot of the screen that shows the information of all employees.
  6. If you need a hint, contact your professor.
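The authentication code you analyze in step 4 builds its SQL statement by splicing the submitted username and password into the query text, which is the root cause you are asked to identify in Question 3. The example below is added to this handout (not SEED Labs code; the lab site itself is PHP and MySQL) and shows that pattern beside the fix, a prepared statement with bound parameters, on a constructed in-memory SQLite table. The table layout, the SHA-256 password hashing and the sample users are assumptions for the illustration; the test input is a legitimate name containing an apostrophe, which is enough to show that the concatenated query cannot tell data from SQL syntax.

```python
import hashlib
import sqlite3


def _hash_pw(pw: str) -> str:
    # Assumption: passwords are stored hashed; the exact algorithm does not matter here.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory credential table standing in for the lab's employee table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE credential (id INTEGER PRIMARY KEY, name TEXT, password TEXT, salary INTEGER)"
    )
    rows = [
        ("Alice", _hash_pw("seedalice"), 20000),
        ("O'Brien", _hash_pw("seedobrien"), 30000),  # a perfectly legal name with a quote
    ]
    conn.executemany("INSERT INTO credential (name, password, salary) VALUES (?, ?, ?)", rows)
    return conn


def login_unsafe(conn: sqlite3.Connection, name: str, pw: str):
    """Vulnerable pattern: user input is pasted into the SQL text.

    The database parser sees one string and cannot distinguish the user's
    data from the query's own syntax, which is what SQL injection abuses.
    """
    sql = (
        "SELECT name, salary FROM credential WHERE name = '" + name
        + "' AND password = '" + _hash_pw(pw) + "'"
    )
    return conn.execute(sql).fetchone()


def login_unsafe_breaks(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    """True if the concatenated query fails to even parse for this input."""
    try:
        login_unsafe(conn, name, pw)
        return False
    except sqlite3.OperationalError:
        return True


def login_safe(conn: sqlite3.Connection, name: str, pw: str):
    """Hardened pattern: prepared statement with bound parameters.

    The SQL text is fixed; the driver sends name and password hash as
    values, so quotes or keywords in the input are only ever data.
    """
    sql = "SELECT name, salary FROM credential WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, _hash_pw(pw))).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("safe, good creds:   ", login_safe(db, "Alice", "seedalice"))
    print("safe, wrong creds:  ", login_safe(db, "Alice", "wrong"))
    print("safe, quoted name:  ", login_safe(db, "O'Brien", "seedobrien"))
    print("unsafe, quoted name breaks query:", login_unsafe_breaks(db, "O'Brien", "seedobrien"))
```

The same change applies to the lab's PHP code: replace the string-built query with a prepared statement (MySQLi or PDO with bound parameters) so the login page no longer interprets user input as SQL.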

Questions

  1. Submit your screenshots.
  2. Summarize what you did in the XSS lab as if you were explaining it to a non-technical person. Describe at least one method that prevents XSS attacks.
  3. Which part of the code snippet causes the SQL injection vulnerability? How would you fix the SQL injection vulnerability on the seedlabsqlinjection.com login page?