Cross-Site Scripting (XSS) Attack Lab

3.2 Task 1: Posting a Malicious Message to Display an Alert Window


The objective of this task is to embed a JavaScript program in your Elgg profile,
such that when another user views your profile, the JavaScript program will be executed
and an alert window will be displayed. The following JavaScript program will display an
alert window:
<script>alert('XSS');</script>
If you embed the above JavaScript code in your profile (e.g. in the brief description
field), then any user who views your profile will see the alert window. In this case, the
JavaScript code is short enough to be typed into the short description field.

To verify this, we log in from Boby's account and then go to Samy's profile.
If you want to run a long JavaScript program, but you are limited by the number of characters
you can type in the form, you can store the JavaScript program in a standalone file, save
it with the .js extension, and then refer to it using the src attribute in the <script> tag. See
the following example:
1- From Samy's profile, we write the following code:
<script type="text/javascript"
src="http://www.xsslabelgg.com/myscripts.js">
</script>

In the terminal in Elgg, we type the command


We write the alert code into the file, then save it.

In the previous step, we embedded the above JavaScript code in Samy's profile.

Note: an external JavaScript file is used when the code is too long for the form field.
3.3 Task 2: Posting a Malicious Message to Display Cookies.
Type the following code: <script>alert(document.cookie);</script>

The value shown in the alert window is the cookie, which contains the session information
exchanged between the user's browser and the site.
3.4 Task 3: Stealing Cookies from the Victim’s Machine

In this step the cookie is sent to the attacker's machine: the script is given the attacker's IP
address, and the transmission is done over port 5555 using the TCP protocol.

Note: when the cookie is sent to the attacker's machine, nothing appears in the browser. To read
the cookie, we used netcat, a program commonly used by attackers; it acts as a TCP server that
listens for a connection on the specified port.

The result
3.5 Task 4: Becoming the Victim’s Friend
We need to write a malicious JavaScript program that forges HTTP requests directly
from the victim’s browser, without the intervention of the attacker. To modify the profile,
we should first find out how a legitimate user edits or modifies his/her profile in Elgg.
More specifically, we need to figure out how the HTTP POST request is constructed to
modify a user’s profile.
1- Log in to Boby's account and go to the members page.
2- Open the HTTP Header Live add-on.
3- Add Samy as a friend.
4- Note Samy's user number (ID) shown in the URL.

5- Log out from Boby's account


6- Log in to Samy's account and go to edit profile.
7- Modify the code and paste it into the "About Me" field.

8- Save and logout


9- Log in to Alice's account.
10- Go to members and open Samy's profile.
• Question 1: Explain the purpose of Lines ➀ and ➁. Why are they
needed?
These two parameters are values used as a security measure against Cross-Site
Request Forgery attacks; their values cannot be obtained from outside the page. They change
every time a page is loaded, and therefore the Cross-Site Scripting attack has to read them
dynamically from the page to get the correct values. That is why these lines are needed.

Question 2: If the Elgg application only provides the Editor mode for
the "About Me" field, i.e., you cannot switch to the Text mode, can
you still launch a successful attack?
No, if the Elgg application only provided the Editor mode for the "About Me" field,
the attack would not be successful. This is because the Editor mode adds extra HTML
and changes some of the symbols, such as '<' to '&lt;'.
3.6 Task 5: Modifying the Victim’s Profile
1- After modifying the code, we place it in Samy's profile.

2- Log in from Alice's account and visit Samy's profile.


Question 3: Why do we need Line ➀? Remove this line, and repeat
your attack. Report and explain your observation.
Because this `if` check tests which user is visiting the profile: anyone other than Samy
who visits Samy's profile performs the profile modification. If the check is removed,
the script will also modify Samy's own profile when Samy visits his own page.

1- Remove the check, modify the code, and save it.

2- Visit Samy's profile from his own account.


3.7 Task 6: Writing a Self-Propagating XSS Worm
1- From Samy's account, we complete the registration and then edit the profile.
2- We paste the code into the "About Me" field after switching the field to the Visual Editor.
3- Save it.

Now, we log in to Boby's account and visit Samy's profile.

Note: Boby's profile has been modified and Samy has been added as a friend. A copy of the
worm itself has also been added to Boby's profile, so he is turned into an attacker as well.
To verify this, we log in as Charlie and visit Boby's profile.
