Assignment#9

The document describes an XSS attack lab conducted on a web application. In the lab, the attackers were able to: 1) Post malicious JavaScript code on a user's profile that displayed an alert window when visited. 2) Steal cookies from the victim's machine by posting code that displayed the cookies. 3) Become friends with the victim by manipulating the friend request process. 4) Modify the victim's profile by analyzing how profile edits work and posting exploitative code. The attackers were also able to make the code self-propagate to other users. Finally, the document discusses countermeasures like HTML filtering to prevent XSS attacks.

Uploaded by

shahbaz siddiqui

Submitted by: Raeesuddin + Muhammad Shahbaz Siddiqui

Roll Number(s): 21K-4007+21K-4004


Section: MCN-3A
Submitted to: Dr. Hassan Jamil Syed
Applied Information Security (CS-55010)

Seed Labs: XSS Attack Lab


Lab Setup:
We will need two VMs for this lab: one web server and one adversary. In this section we
make sure that the adversary can access www.seedlabsqlinjection.com from his browser by
adding the IP address of the server to the /etc/hosts file of the adversary machine.

The lab setup is complete; we can now perform the required tasks.

AIS | Assignment # 08 | Raeesuddin + M. Shahbaz Siddiqui | 21K-4007 | 21K-4004 | Page # 1

Section 3 - Task#1 Posting a Malicious Message to Display an Alert Window:

In this task we wrote JavaScript code in the “About me” section of the user “Alice”. Once
these changes are saved, an alert window showing “XSS” is displayed.
The same alert appears when we visit Alice’s profile from the attacker’s (Samy’s)
machine. This shows that the Cross-Site Scripting (XSS) attack has been executed on the victim’s
(Alice’s) machine.


Section 3 - Task#2 Posting a Malicious Message to Display Cookies:


In this task we entered another piece of JavaScript in Alice’s “About me” section as a
malicious message. Once it is saved, a message box appears showing
“Elg=36g2ovd2hh4691478rccgg9pcp5”, which is the cookie of the user’s current session;
it is visible to the user as soon as the About me section is saved.

Section 3 - Task#3 Stealing Cookies from the Victim’s Machine:


Now we, as the attackers, need to receive the cookies of the victim’s machine at our own machine
once the page is saved by the victim user. In order to listen for the victim machine we used Netcat,
listening on port 5555.


Now, in order to receive the victim user’s cookies at our end, we logged in to Alice’s
profile and visited Samy’s profile. We can see that we received all the relevant
information about the victim user at our end, so our objective has been achieved.

Section 3 - Task#4 Becoming the Victim’s Friend:


To send a friend request to Alice we first need to understand how this works. For that
we created a (presumably fake) profile named “Charlie”, who will send a friend request
to a user; via the Inspect option we then found the parameters required for
Add Friend. For this purpose we logged in to Charlie’s profile, sent the request to
Samy, and in the meantime observed the HTTP requests via the Inspect option.


So now we know that when Charlie tried to add Samy as a friend, a request was made with the
friend value 47; this value must be Samy’s. To verify this we looked at the source code of
the website using the Inspect option:

By observing the source code of the website we verified that the value 47 belongs to Samy. Now
that we have seen how the parameters of Add Friend work, we created another piece of JavaScript
code. We will reuse the Add Friend request sent between Charlie and Samy and substitute
the cookies and tokens that we retrieved earlier. We will use the following URL
in our JavaScript code:
http://www.xsslabelgg.com/action/friends/add?friend=47&elgg_token=value&elgg_ts=value
Now we add this code to Samy’s About me section, and as a result of the execution of this
code Samy will become a friend of Alice.


This means that we were able to successfully execute the code, and Samy has now become
Alice’s friend. Since this code uses AJAX, all of this happens in the
background, so Alice will not be able to notice it, nor will she receive any notification
about it.

Questions. Please answer the following questions:

Question 1: Explain the purpose of Lines 1 and 2, why are they needed?
Answer: We included these lines in our code in order to send the HTTP request to the
victim. For that purpose we need the secret token and the timestamp value of that
website; otherwise our request will be considered illegitimate and we won’t be able to perform
the attack. So the secret token and the timestamp values are stored in lines 1 and
2.

Question 2: If the Elgg application only provides the Editor mode for the "About Me"
field, i.e., you cannot switch to the Text mode; can you still launch a successful attack?
Answer: We won’t be able to successfully implement the attack in the Text mode, as the Text
mode encodes most of the special characters and the attack would never execute like that. So
we can only launch the attack in the Visual Editor mode and enter the JavaScript code there.

Section 3 - Task#5 Modifying the Victim’s Profile:


In order to make changes to the victim’s profile we need to check how the Edit Profile
function works on this website, just as we did for the Add Friend option. For that purpose
we will use the Edit Brief Description section of the attacker (Samy) instead of the “About me”
section.

We see that it is a POST request and the content length is 476. Looking at the Params tab:


Here we can observe that the description parameter is present with the string we entered. The
access level for every field is 2, which means that it is publicly visible. So, in order to construct
such a POST request using JavaScript from Samy’s profile, we enter the following code in the About me
section of Samy’s profile; once another user visits Samy’s profile, a message will appear in
that user’s About me section.

This picture shows that the attack was successful.


Questions. Please answer the following questions:

• Question 3: Why do we need Line ➀? Remove this line, and repeat your attack. Report
and explain your observation.
Answer: The specified line 1 is used in the code so that the code does not execute on the
attacker’s profile if he visits his own profile for testing purposes. However, if a different user
visits the attacker’s profile, that message will appear in that user’s profile. If we remove this line
from our code and a user visits Samy’s profile, the message will be displayed in Samy’s About
me section.


Task 6: Writing a Self-Propagating XSS Worm


In this task we need to make our code self-propagating, which means it will copy itself onto the
victim’s machine. For that we use the quine approach, in which the output of the program
is a copy of that program. Once we had placed the code on Samy’s profile, we logged
in to a new user’s (Boby’s) profile and visited Samy’s profile. The code executes and
propagates from Boby’s profile to the profiles of other users who visit his profile.

This indicates that the code has propagated itself to Charlie’s profile after he visited Boby’s
profile.


Task 7: Countermeasures


In order to counter the Cross-Site Scripting (XSS) attack we activate the HTMLawed plugin. Once
it is activated, it looks like this:

Now, once we have logged in again to Charlie’s profile, we can observe that the whole code is
visible now, which means that it has been decoded and treated as data.

Then we logged in to Alice’s profile and observed that after the update Alice’s profile is no
longer affected by the XSS attack.


We uncommented the PHP method htmlspecialchars() in the text.php, url.php, dropdown.php
and email.php files. We also made sure that the next line is commented out, because it
would otherwise negate the effect of the htmlspecialchars() function:

Now, in order to demonstrate the difference between the two countermeasures, we perform a
different type of XSS attack.
1. First, we disable both countermeasures and do the following: we enter the following into
Boby’s brief description field (because it is plain text and not rich text, which lets us
see the effect of htmlspecialchars()):
2. As soon as we save this change, we see that Boby’s profile creates an alert:


3. Now, we log into Alice’s account and go to Boby’s profile page. We see that the alert
pops up, proving that the given code ran.

4. Now, we enable the HTMLawed plugin from the admin account again, then log into Alice’s
account and go to Boby’s profile to see if the alert still pops up:


5. Now, we enable the htmlspecialchars() countermeasure just as before and perform the same
activity. We first log into Boby’s account and see the following:

There is no alert anymore; instead, the code that we entered is displayed on the profile. We log
into Alice’s account and go to Boby’s profile to see if the alert pops up:


Now if we try to execute the code again, it is no longer executed and is treated as text.
This proves that htmlspecialchars() encodes the HTML input from the user, preventing the
XSS attack; this time the alert message is treated as a normal string.
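As an added example (not code from this lab report or from Elgg), the following JavaScript mirrors what PHP's htmlspecialchars() with ENT_QUOTES does to the plain-text brief description field, and shows why a decode step placed after it, like the line the report keeps commented out, would negate the protection. The sample input is constructed for the example; escapeHtml, decodeHtml, isRenderedAsMarkup and renderVariants are names assumed here.

```javascript
// Added example: JavaScript port of PHP htmlspecialchars() (ENT_QUOTES semantics),
// used to show why the escaped profile text can no longer be parsed as markup and
// why decoding it afterwards undoes the fix. Not Elgg's own code.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#039;",
};

// Output-encoding step: escape the five characters that can change HTML structure.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reverse of escapeHtml(); stands in for a "decode" line that, if left active after
// htmlspecialchars(), would turn the entities back into live markup.
function decodeHtml(value) {
  return String(value)
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"').replace(/&#039;/g, "'")
    .replace(/&amp;/g, "&"); // must be last, or "&amp;lt;" would decode twice
}

// Small check: does the text still contain a tag or an inline event handler that a
// browser would execute if the string were inserted into the page as HTML?
function isRenderedAsMarkup(value) {
  return /<\s*\/?\s*[a-z][^>]*>/i.test(value) || /\bon\w+\s*=/i.test(value);
}

// Constructed sample in the shape the lab's brief-description test uses.
const SAMPLE_INPUT = '<script>alert("XSS")</script>';

// Three renderings of the same stored value:
//   raw     -> inserted unescaped (the vulnerable behaviour before Task 7)
//   escaped -> after htmlspecialchars(); the browser shows it as text
//   decoded -> escaped and then decoded again; the protection is negated
function renderVariants(input) {
  const escaped = escapeHtml(input);
  const decoded = decodeHtml(escaped);
  return {
    raw: { html: input, executable: isRenderedAsMarkup(input) },
    escaped: { html: escaped, executable: isRenderedAsMarkup(escaped) },
    decoded: { html: decoded, executable: isRenderedAsMarkup(decoded) },
  };
}
```

Only the "escaped" variant is safe to place in the page; the "decoded" variant is byte-for-byte the original payload, which is the situation the report avoids by keeping the follow-on line commented out.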
