CS 231: Computer Security

A cross-site scripting (XSS) example

Nothing to hand in.

  1. Do a quick search to get a brief definition of cross-site scripting (XSS).
  2. Launch Safari on a Mac. Go to any page and right-click on any part of the page. If "Inspect Element" does not appear in the context menu, then go to Safari's Preferences, select the Advanced tab, and check the "Show Develop menu in menu bar" checkbox.
  3. Go to InsecureLand (hosted at thacker.mathcs.carleton.edu) and create an account. Use a stupid password that you wouldn't ever use in any other context. You don't want to share a good password with InsecureLand, after all.
  4. Look at your browser's cookies from thacker.mathcs.carleton.edu. What do you see?
  5. Change your password (to some other bad password) at InsecureLand and re-examine your cookies. Now what do you see?
  6. While logged in on InsecureLand, search for "moose". What results do you see?
  7. Search for "octopus". What results?
  8. Search for "<span style="color:red">octopus</span>". What do you see? What do you think the server code is doing with your search string? (And can you play other weird HTML games with InsecureLand's search-failed error message?)
  9. Search for:
    goat<script>alert('Hello')</script>
    You should be told that InsecureLand can't find goat. Now, right-click on the page and select "Inspect Element". Once you do this, you should see a red exclamation point icon showing (at least) 1 error. Select that error. What does the element inspector tell you about the error? (If you don't see the error, try reloading the page or starting over in a new tab.)
  10. Disable the XSS Auditor by opening Terminal and executing the command
    defaults write com.apple.Safari "com.apple.Safari.ContentPageGroupIdentifier.WebKit2XSSAuditorEnabled" -bool FALSE
    Relaunch Safari and try the goat/Hello search again. Now what happens?
  11. How is the XSS Auditor able to tell that the alert('Hello') should not be executed?
  12. Don't forget to execute
    defaults write com.apple.Safari "com.apple.Safari.ContentPageGroupIdentifier.WebKit2XSSAuditorEnabled" -bool TRUE
    before you quit. The XSS Auditor is something you want to keep enabled.
  13. Can you come up with a search that would email your InsecureLand cookie to you? The answer may be no. But you may want to investigate how to send email via JavaScript, or how to make an HTTP query via JavaScript, which would enable you to invoke a web service that could in turn email the cookie to you. In any case, I'm asking you to describe a technique, not necessarily to implement it in full detail.
  14. Emailing your own password to yourself is not very interesting. But explain how you could use the search + JavaScript technique above to obtain somebody else's password.
  15. Suppose we added a discussion forum to InsecureLand, so you could post arbitrary text as comments in various discussion threads. How would you go about doing harm to other users of InsecureLand via the discussion forum?
  16. Finally, take a look at the InsecureLand server-side source code, conveniently linked on the InsecureLand page.
    1. Does InsecureLand log or limit login attempts?
    2. How could you log in without knowing any user name or password?
    3. In detail, what should InsecureLand's author do to close up the XSS security hole(s)?
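For items 8 and 16.3, here is a small Python illustration added to this page (it is not InsecureLand's actual server code; the message format, function names and cookie name are assumptions): the search-failed message built by pasting the raw query into HTML, beside the same message with the query escaped, plus the HttpOnly cookie flag that keeps a session cookie out of reach of any script that does run in the page.

```python
import html

# Constructed inputs taken from the exercise: the plain search and the
# script-bearing one from step 9.
GOAT_SEARCH = "goat"
SCRIPT_SEARCH = "goat<script>alert('Hello')</script>"


def not_found_message_vulnerable(query: str) -> str:
    """Builds the search-failed message the way a careless server might
    (assumed, not InsecureLand's real source): the raw query is pasted
    straight into the HTML, so any tags in it become part of the page."""
    return "<p>InsecureLand can't find " + query + ".</p>"


def not_found_message_fixed(query: str) -> str:
    """Same message, but the query is HTML-escaped before it is embedded, so
    the browser renders it as literal text. html.escape turns < > & " and '
    into character references, which is the core fix for reflected XSS."""
    return "<p>InsecureLand can't find " + html.escape(query, quote=True) + ".</p>"


def contains_script_tag(markup: str) -> bool:
    """Crude check used only to show the difference between the two
    renderings: does the markup still contain a live <script> tag?"""
    return "<script" in markup.lower()


def session_cookie_header(session_id: str) -> str:
    """Defence in depth for the cookie questions (items 4, 5 and 13):
    HttpOnly keeps the cookie out of document.cookie, Secure restricts it to
    HTTPS, and SameSite=Lax limits cross-site requests carrying it.
    The cookie name 'session' is an assumption."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    for q in (GOAT_SEARCH, SCRIPT_SEARCH):
        print("vulnerable:", not_found_message_vulnerable(q))
        print("fixed:     ", not_found_message_fixed(q))
    print(session_cookie_header("constructed-session-id"))
```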