Web Security Web Security

Challenge 1: XSS Attack

Check out a free preview of the full Web Security course:
The "Challenge 1: XSS Attack" Lesson is part of the full, Web Security course featured in this preview video. Here's what you'd learn in this lesson:

In this challenge, students find and exploit three XSS vulnerabilities in the course demo application.

Get Unlimited Access Now

Transcript from the "Challenge 1: XSS Attack" Lesson

>> Mike North: So with that, let's think about our first attack. So there's one that I'm going to point out to you right away. And if you start app up, if we install it, install the dependencies, go through the ReadMe, it should look kind of like what we have on the left here.

[00:00:14] And you may notice there's a little sign that week that you might be able to inject some code. So if you add HTML to the name of an account it'll actually respect that HTML. So if you created something that was Mike's checking and you put b tags around the word checking hey it's rendered as bold.

[00:00:39] So when your penetration testing the kind of thing you try this input all over the place. If you've ever gone through a penetration testing exercise you'll basically come back to your staging environment and there are funky inputs all over the place where they've tried to add a script tag, they've tried to like admin and weird quoting things that are designed to try to SQL inject stuff.

[00:01:04] They'll try to close html comments. They're basically trying to put things that will alert them to vulnerabilities in every little spot that they can think of. Where potentially, if you get input, untrusted user input treated as code. In this case, this is one. There are two other cross-site scripting vulnerabilities in this app.

[00:01:28] One is reflected, actually both are reflected. So what I want you to do is, we're gonna probe the app. So there are at least cross-site scripting vulnerabilities in this app find them, see if you can cause some trouble. You can open up multiple browsers to simulate multiple users so you could register for an account and sign up as user A and user B, and see if user B can create some code that user A will end up executing just by seeing a particular URL.

[00:02:04] You wanna try one modern browser and one legacy one. I will try like IE9 for our purposes when I go and demo this, so obviously there are fewer protections for things like cross-site scripting on older browsers than there are on the modern ones. Just for multiple domains, one of the tricks I want us to use today is if lvh.me.

[00:02:24] I tried to research it, just was I couldn't find it. But lvh.me is wild card domain that points to a local host. So you could do food.lvh.me. They all point to a local host. But that gives you the ability to check tap different domains of different cookies and things like that if you wanted to sort of have a couple of clean starts.

[00:02:45] We're going to do this, because we may end up ruining some domains. It's fixable, so don't worry if you screw up localhost, but we'll later on deal with something HSTS headers and public key pending, where we basically instruct the browser to only trust a particular certificate. And having multiple domains let's us experiment with that kind of thing.

[00:03:08] So with that, I'm just gonna start the app up, I'm gonna show you how to operate this project, and we will go from there.
>> Mike North: All right. So I've opened up the project in Visual Studio code, and the first thing you'll do is just run yarn, or you'll get pull actually.

[00:03:44] If you checked this out last night, I removed a couple dependencies, tried to smooth things out, get pull, make sure you've got the latest stuff. Then yarn to install all your packages. And then npm start and when you see something that looks like this, it's basically creating a database for you in this db folder.

>> Mike North: And if we go to local host 3000, sorry, http local host 3000 for now. You should see something that looks like that.
>> Mike North: And what you can do is then go and register and create an account.
>> Mike North: Do not enter any passwords into this that you use elsewhere.

[00:04:36] Like assume shenanigans for today. I'm not tricking you with anything that is in this project, but the passwords are not distorted Playtex in this database. Do not enter passwords that are sensitive. Do something like, A, B, C, D, one, two, three, four.
>> Mike North: Apparently I can't type.
>> Mike North: Okay so I've successfully registered.

[00:05:03] And I'm actually gonna save that password in my browser so I can basically get it auto populated. You'll end up logging in a lot today.
>> Mike North: And you should see something like this and you can create an account like checking. And there you go, I've got $2.56, woo hoo.

[00:05:23] Savings $47, so when you create an account you get a random amount of money in it. You can go over here and you can transfer funds between, so I'm gonna say from savings to checking, I want to put $10. And you see now I've got $12.56 instead of $2.56 I moved $10 from one account to the other.

[00:05:41] The last page I want you to see it's a very basic user profile page, there's no real stuff here. This is our half completed feature. So these are really the three screens. The listing of your accounts, the ability to transfer to other accounts and the profile page. So what I want you to do is.

[00:06:01] Find, so I've shown you one cross-site scripting vulnerability. Exploit that, try to find the other two and you can use multiple browsers. We will show you what happens with the Legacy browser when we go through the solution and make us of lvh.me.