Cookies and cross-site scripting (XSS)

Nothing to hand in

Part 1: Cookies

  1. Open a browser (I'll assume Chrome) and go to http://cs338.jeffondich.com/cookies/. This is a fake discussion forum (FDF) site.

  2. Use the Settings/Preferences in your browser to take a look at your cookies for cs338.jeffondich.com. (You might have to search the internet to figure out where your browser hides the cookies interface.) Are there cookies for that domain? What are their names and values?

  3. Using the "Theme" menu on the FDF page, change your theme to red or blue. (Go ahead, complain about the "red" not really being red.)

  4. Look at your cookies for cs338.jeffondich.com again. Changed?

  5. Quit your browser, relaunch it, go back to the FDF. Is your red or blue theme (wherever you last left it) still selected?

  6. Right-click on the background of the page and select "Inspect" to open the developer tools. (I think this functionality is hidden pretty deep for MS Edge, which is why I'm assuming you're using Chrome.) You may see two panels--one with Elements, Console,... tabs and the other with Console, Issues,... and some reference to errors. Close the errors panel, since we won't be using it.

  7. In the developer tools, we want to see the HTTP request headers and response headers.

    • Select the Network tab
    • Reload the page (Cmd-R or Ctrl-R depending on your OS)
    • Click on cookies/ (i.e. the part of the original URL that loaded the FDF's home page HTML)
    • Select the Headers tab within the Network tab and scroll to view the request headers and response headers

  8. How is the current theme being transmitted between the browser and the FDF server?

  9. Play with the Theme menu and watch the cookies and HTTP headers change.

  10. Talk to a classmate: where are the cookies stored? How do they get saved? How do you think they are used to affect the behavior/appearance of the page?

Part 2: Cross-Site Scripting (XSS)

  1. Log in to the FDF as Alice (alice@example.com, password: alice) or Bob (bob@example.com, password: bob).

  2. Make a post and view your post by clicking on its title in the list of posts at the bottom of the page.

  3. Go back to the FDF home page.

  4. Click on each of Moriarty's posts and pay attention. What happens?

  5. Study the source code of each of Moriarty's posts. It's shown on the post details page itself, but you should also right-click on the background and select View Page Source to take a look at the raw HTML. Or, alternatively, you can select the Elements tab in the Chrome developer tools and take a look at the source. Regardless, your goal is to figure out how Moriarty made the FDF behave surprisingly.

  6. Experiment making your own posts as Alice, Bob, or Moriarty. Make the title descriptive of what you're trying to do, but fool around in the post body however you want to. (If you're unfamiliar with HTML, CSS, and Javascript, you may want to grab a classmate who knows about those things to help you implement your nefarious plans.)

  7. Grab a classmate and explain to each other the sequence of events that could lead to Moriarty stealing Alice's or Bob's cookie values. Also, discuss the nature of the vulnerability in the FDF server itself that enables Moriarty to mess with it in this way.

  8. How might the server or the browser prevent what Moriarty is doing?
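As an added illustration (not part of the lab and not the FDF's own code, whose implementation is not shown here), this Python sketch shows the two server-side pieces steps 7 and 8 are getting at: a post body inserted into the page raw versus HTML-escaped, and a session cookie issued with HttpOnly so that scripts running in the page cannot read it. The `session` cookie name, the post markup, and the sample post are assumptions made for the example.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample post body standing in for one of Moriarty's posts (not real data).
SAMPLE_POST_BODY = 'Hello <b>everyone</b> <script>alert("moriarty")</script>'


def render_post_vulnerable(body: str) -> str:
    """Drops the post body into the page as-is, so any tags in it become part of
    the DOM and any <script> in it runs in every reader's browser (stored XSS)."""
    return f'<div class="post-body">{body}</div>'


def render_post_safe(body: str) -> str:
    """Escapes &, <, >, and quotes so the body is displayed as text, not parsed
    as markup. This is the server-side fix for the FDF's core problem."""
    return f'<div class="post-body">{html.escape(body, quote=True)}</div>'


def contains_script_tag(rendered_html: str) -> bool:
    """Cheap check used below to show which rendering still carries live markup."""
    return "<script" in rendered_html.lower()


def session_set_cookie_header(session_id: str) -> str:
    """Builds the value of a Set-Cookie response header (what you saw in the
    Network tab) with HttpOnly so document.cookie never exposes it to page
    scripts, and SameSite=Lax to limit cross-site sending. Cookie name assumed."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["samesite"] = "Lax"
    jar["session"]["path"] = "/"
    return jar["session"].OutputString()


def parse_cookie_header(cookie_header: str) -> dict:
    """Parses the request-side Cookie header, e.g. 'theme=red; session=abc',
    into a dict the way a server would before picking the theme to apply."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


if __name__ == "__main__":
    print(render_post_vulnerable(SAMPLE_POST_BODY))
    print(render_post_safe(SAMPLE_POST_BODY))
    print(session_set_cookie_header("abc123"))
    print(parse_cookie_header("theme=red; session=abc123"))
```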

Reflect a little

What lessons and techniques was this lab trying to get across? What did you learn? What would you like to learn next about these topics?