Cross-Site Scripting Attack Lab (Elgg)

Overview

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. This vulnerability makes it possible for attackers to inject malicious code (e.g., JavaScript) into a victim's web browser.

To demonstrate what attackers can do, we have set up a web application named Elgg in our pre-built Ubuntu VM image. We have commented out some of Elgg's protection methods, intentionally making it vulnerable to XSS attacks. Students need to exploit the vulnerabilities to launch attacks in a way that is similar to what Samy Kamkar did to MySpace in 2005 through the notorious Samy worm. The ultimate goal of this attack is to spread an XSS worm among the users, such that whoever views an infected user profile will be infected, and whoever is infected will add you (i.e., the attacker) to his/her friend list.

Tasks (English) (Spanish)

Time (Suggested)

  • Supervised (closely-guided lab session): 2 hours
  • Unsupervised (take-home project): 1 week

SEED Videos

SEED Books (English) (Chinese)

Feedback and Help

Please give us your feedback on this lab using this feedback form.
The SEED Labs project is open source. If you are interested in contributing to this project, please check out our GitHub page: https://github.com/seed-labs/seed-labs.