Department of Electrical Engineering and Computer Science
Syracuse University

Cross-Site Scripting (XSS) Attack Lab

Overview

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. This vulnerability makes it possible for attackers to inject malicious code (e.g. JavaScripts) into victim's web browser. Using this malicious code, the attackers can steal the victim's credentials, such as cookies. The access control policies (i.e., the same origin policy) employed by the browser to protect those credentials can be bypassed by exploiting the XSS vulnerability. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits.

To demonstrate what attackers can do by exploiting XSS vulnerabilities, we have set up a web-based message board using phpBB. We modified the software to introduce an XSS vulnerability in this message board; this vulnerability allows users to post any arbitrary message to the board, including JavaScripts. Students need to exploit this vulnerability by posting some malicious messages to the message board; users who view these malicious messages will become victims. The attackers' goal is to post forged messages for the victims.

Lab Description and Tasks (PDF)

    For instructors: if you prefer to modify the lab description to suit your own courses, you can download the source files (Latex) from here.

Recommended Time: 1 week

Lecture Video: (watch)

Files you need

Helpful Links

Student Feedbacks

To help us understand how effectively this lab has enhanced students' learning in computer security, we asked students to fill out an anonymous survey right after they finish the lab. We started to conduct the survey since 2007. The survey results depicted in the following are aggregate results over several years.