Cookies and cross-site scripting (XSS)
File: hacking/xss.pdf or .txt
You may work solo or with a partner for this assignment.
To help you explore cookies and Cross-Site Scripting (XSS), I have developed a low-featured-and-terribly-insecure discussion forum: the "Fake Discussion Forum (FDF)" at http://cs338.jeffondich.com/fdf/. For this assignment, you'll run through a couple of simple exercises and answer a few questions along the way.
I suspect that some of the questions below are easiest to answer using a screenshot or two. Don't hesitate to use screenshots to help clarify your findings.
Part 1: Cookies
a. Go to FDF and use your browser's Inspector to take a look at your cookies for cs338.jeffondich.com. Are there cookies for that domain? What are their names and values?
b. Using the "Theme" menu on the FDF page, change your theme to red or blue. Look at your cookies for cs338.jeffondich.com again. Did they change?
c. Do the previous two steps (examining cookies and changing the theme) using Burpsuite (either on your base OS or on Kali). What "Cookie:" and "Set-Cookie:" HTTP headers do you see? Do you see the same cookie values as you did with the Inspector?
d. Quit your browser, relaunch it, and go back to the FDF. Is your red or blue theme (wherever you last left it) still selected?
e. How is the current theme transmitted between the browser and the FDF server?
f. When you change the theme, how is the change transmitted between the browser and the FDF server?
g. How could you use your browser's Inspector to change the FDF theme without using the FDF's Theme menu?
h. How could you use Burpsuite's Proxy tool to change the FDF theme without using the FDF's Theme menu?
i. Where does your OS (the OS where you're running your browser and Burpsuite, that is) store cookies? (This will require some internet searching, most likely.)
Part 2: Cross-Site Scripting (XSS)
Steps to take:
1. Log in to the FDF as Alice (alice@example.com, password: alice) or Bob (bob@example.com, password: bob) or Eve (go ahead, guess her email and password!).
2. Make a post and view your post by clicking on its title in the list of posts at the bottom of the page.
3. Go back to the FDF home page.
4. Click on each of Moriarty's posts and pay attention. What happens?
5. Study the source code of each of Moriarty's posts. It's shown on the post details page itself, but you should also right-click on the background and select View Page Source to take a look at the raw HTML. Or, alternatively, you can select the Elements tab in the browser Inspector and take a look at the source. Regardless, your goal is to figure out how Moriarty made the FDF behave surprisingly.
6. Experiment with making your own posts as Alice, Bob, or Eve. Make the title descriptive of what you're trying to do, but fool around in the post body however you want to. (If you're unfamiliar with HTML, CSS, and JavaScript, you may want to grab a classmate who knows about those things to help you implement your nefarious plans.)
Questions:
a. Provide a diagram and/or a step-by-step description of the nature and timing of Moriarty's attack on users of the FDF.
b. Describe an XSS attack that is more virulent than Moriarty's "turn something red" and "pop up a message" attacks. Think about what kinds of things the JavaScript might have access to via Alice's browser when Alice views the attacker's post.
c. Do it again: describe a second attack that is more virulent than Moriarty's, but that's substantially different from your first idea.
d. What techniques can the server or the browser use to prevent what Moriarty is doing?
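As an added illustration (this is not code from the FDF or from this course), here is a small Python model of the two mechanisms the exercises above have you observe: in Part 1 the theme travels between browser and server in the Cookie and Set-Cookie headers, and in Part 2 the surprise comes from post bodies being spliced into the page as raw HTML. The server side is shown both the FDF way (unescaped) and the fixed way (HTML-encoded), next to the cookie attributes that limit what an injected script can reach. The function names, the allowed theme set, the sample post bodies and the cookie attributes are assumptions made here, not details of the real FDF.

```python
"""Model of a theme cookie and of post rendering (added example, not FDF code)."""
import html
from http.cookies import SimpleCookie

# --- Part 1: the theme preference lives in a cookie --------------------------

ALLOWED_THEMES = {"default", "red", "blue"}  # constructed; the real FDF may differ


def parse_cookie_header(cookie_header: str) -> dict:
    """Parse the value of a request 'Cookie:' header into {name: value}."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def theme_from_request(cookie_header: str, default: str = "default") -> str:
    """Server side: the theme is whatever the browser's cookie says it is.

    Anything the browser sends can be edited (Inspector, Burp), so the
    server only accepts values from a fixed list instead of trusting the
    cookie text itself.
    """
    theme = parse_cookie_header(cookie_header).get("theme", default)
    return theme if theme in ALLOWED_THEMES else default


def set_theme_header(theme: str) -> str:
    """Server side: the 'Set-Cookie:' header that changes the theme.

    A display preference is harmless if script reads it, so no HttpOnly;
    SameSite=Lax still keeps other sites from sending it on cross-site posts.
    """
    if theme not in ALLOWED_THEMES:
        raise ValueError(f"unknown theme {theme!r}")
    return f"Set-Cookie: theme={theme}; Path=/; SameSite=Lax"


def set_session_header(token: str) -> str:
    """A login cookie gets HttpOnly so page script (including an injected
    one) cannot read it via document.cookie; Secure keeps it off plain HTTP."""
    return f"Set-Cookie: session={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


# --- Part 2: rendering a post into the page ----------------------------------

POST_TEMPLATE = "<h2>{title}</h2><div class='body'>{body}</div>"


def render_post_unescaped(title: str, body: str) -> str:
    """The FDF-style bug: post text is spliced straight into the HTML, so
    markup written by the post's author is interpreted by every reader's
    browser as part of the page."""
    return POST_TEMPLATE.format(title=title, body=body)


def render_post_escaped(title: str, body: str) -> str:
    """The fix: HTML-encode untrusted text before inserting it as content.
    '<' becomes '&lt;', so the reader sees the text and the browser runs nothing."""
    return POST_TEMPLATE.format(
        title=html.escape(title, quote=True),
        body=html.escape(body, quote=True),
    )


def csp_header() -> str:
    """Browser-side backstop the server can turn on: a Content-Security-Policy
    that refuses inline script even if some escaping is missed."""
    return "Content-Security-Policy: default-src 'self'; script-src 'self'"


if __name__ == "__main__":
    # Constructed sample bodies of the two kinds the assignment mentions:
    # one turns the page red, one pops up a message.
    red_body = "<style>body { background: red }</style>"
    popup_body = '<script>alert("hello")</script>'
    print(set_theme_header("red"))
    print(theme_from_request("theme=red; session=abc123"))
    print(render_post_unescaped("Moriarty", popup_body))  # live <script> tag
    print(render_post_escaped("Moriarty", popup_body))    # inert &lt;script&gt; text
    print(render_post_escaped("Moriarty", red_body))
    print(csp_header())
```

Compare the two render functions on the same body: the unescaped output contains a real tag, the escaped output contains only the text of one. Escaping the output is the server-side answer; HttpOnly on the session cookie and a Content-Security-Policy are what the server asks the browser to enforce in case escaping is ever missed.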
What to hand in
Hand in answers to the questions in the lettered items in Part 1: Cookies and Part 2: Cross-Site Scripting (XSS). Try to be as clear and concise as possible.