Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. This vulnerability makes it possible for attackers to inject malicious code (e.g. JavaScripts) into victim's web browser. Using this malicious code, the attackers can steal the victim's credentials, such as cookies. The access control policies (i.e., the same origin policy) employed by the browser to protect those credentials can be bypassed by exploiting the XSS vulnerability. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits.

To demonstrate what attackers can do by exploiting XSS vulnerabilities, we have set up a web application named Elgg in our pre-built Ubuntu VM image. Elgg is a very popular open-source web application for social network, and it has implemented a number of countermeasures to remedy the XSS threat. To demonstrate how XSS attacks work, we have commented out these countermeasures in Elgg in our installation, intentionally making Elgg vulnerable to XSS attacks. Without the countermeasures, users can post any arbitrary message, including JavaScript programs, to the user profiles. In this lab, students need to exploit this vulnerability to launch an XSS attack on the modified Elgg, in a way that is similar to what Samy Kamkar did to MySpace in 2005 through the notorious Samy worm. The ultimate goal of this attack is to spread an XSS worm among the users, such that whoever views an infected user profile will be infected, and whoever is infected will add you (i.e., the attacker) to his/her friend list.

Lab Tasks

  • Update Notice: This lab description was newly updated on . If this update happened in the middle of your assignment, you can always get the old version from . The old version will phase out soon.
  • VM version: This lab has been tested on our pre-built SEEDUbuntu16.04 VM.

Recommended Time

  • Supervised situation (e.g. a closely-guided lab session):
  • Unsupervised situation (e.g. take-home project):


Files that are Needed

  • File for the CSP experiment: csp.zip


  • Since May 5 2019, the Firefox Add-on "HTTP Header Live" has been disabled by Firefox, Mozilla verifies and signs add-ons that follow a set of security guidelines (link). The version of HTTP Header Live (v 0.6 - Last Updated April 9, 2018) installed on the VM does not comply with this security guideline, so it was automatically disabled. The issue can be easily resolved by installing the latest version of HTTP Header Live (v - Last Updated May 25, 2019).

Suggested Reading

  • SEED Book by Wenliang Du (Book website) (Chinese version)


SEED Books

SEED Lectures