Cross-site scripting (XSS) Attacks
Using this malicious code, the attackers can steal the victim’s credentials, such as cookies. The access control policies (i.e., the same origin policy) employed by the browser to protect those credentials can be bypassed by exploiting the XSS vulnerability. Vulnerabilities of this kind can potentially lead to large-scale attacks.
Environment setup for the problem:
For this problem, we will assume that you have set up the Ubuntu virtual machine environment based on the instructions in the Syllabus under “Special Software Installation Requirements”.
We will need the following:
Firefox web browser
Apache web server
Elgg web application
For the Firefox browser, we need to use the LiveHTTPHeaders extension for Firefox to inspect the HTTP requests and responses (available under the “Tools” menu in Firefox). The pre-built Ubuntu VM image provided to you has already installed the Firefox web browser with the required extension.
The Apache web server is also included in the pre-built Ubuntu image. However, the web server is not started by default, so you first have to start it using one of the following two commands:
% sudo apache2ctl start
% sudo service apache2 start
The Elgg web application is already set up in the pre-built Ubuntu VM image. We have also created several user accounts on the Elgg server and the credentials are given below (username, password):
You can access the Elgg server using the following URL (the Apache server needs to be started first):
(This URL is only accessible from inside the virtual machine, because we have modified the /etc/hosts file to map the domain name www.xsslabelgg.com to the virtual machine’s local IP address 127.0.0.1.)
Once you log in as a user in Elgg, you can access your Profile and list of Friends by clicking on icons in the upper left part of the browser window.
Writing an XSS Worm
In this and the next task, we will perform an attack similar to what Samy did to MySpace in 2005 (i.e., the Samy Worm). First, we will write an XSS worm that does not self-propagate; in the next task, we will make it self-propagating. From the previous task, we have learned how to steal the cookies from the victim.
This task consists of two independent sub-tasks.
i: XSS Worm that adds a friend
The objective of the attack in this subtask is to modify the victim’s profile and add Samy as a friend of the victim. To add a friend for the victim, we should first find out how a legitimate user adds a friend in Elgg.
More specifically, we need to figure out what is sent to the server when a user adds a friend. Firefox’s LiveHTTPHeaders extension (available under the “Tools” menu in Firefox) can help us: it displays the headers and contents of any HTTP request message sent from the browser, and from this we can identify all the parameters in the request.
To learn how to use XMLHttpRequest, you can study these documents:
For this subtask, the worm program should do the following:
1. Create the correct request to add Samy to the friends list of the user who is executing the malicious code
2. Forge an HTTP GET request to add Samy as a friend.
//Construct the HTTP request to add Samy as a friend.
//Create and send Ajax request to add friend.
// The format of the request can be learned from LiveHTTPHeaders.
Note that in this case the GET method is used to send the HTTP request.
What you need to do:
2. Log in as user Samy and inject into the “About me” field of Samy’s profile the script from file task4-1.txt. (Make sure to select “Remove editor” before editing this field, in order to disable any automatic formatting.)
4. Include in your project document:
a. a screen printout with Alice’s friends list after viewing Samy’s profile.