Department of Electrical Engineering and Computer Science
Syracuse University

Cross-Site Scripting (XSS) Attack Lab (using Collabtive)


Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. This vulnerability makes it possible for attackers to inject malicious code (e.g., JavaScript) into a victim's web browser. Using this malicious code, the attackers can steal the victim's credentials, such as cookies. The access control policies (i.e., the same-origin policy) employed by the browser to protect those credentials can be bypassed by exploiting the XSS vulnerability. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits.

To demonstrate what attackers can do by exploiting XSS vulnerabilities, we have set up a web-based project management software named Collabtive. We modified the software to introduce an XSS vulnerability into this project management software; this vulnerability allows users to post arbitrary messages, including JavaScript programs, to the project introduction, message board, task list, milestones, time tracker and even the user profiles. Students need to exploit this vulnerability by posting malicious messages to their profiles; users who view these profiles will become victims. The attackers' goal is to post forged messages on behalf of the victims.
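The root cause the lab builds on is a template that places stored profile text into HTML without encoding it. The following JavaScript is an added illustration written for this page, not code from the SEED lab or from Collabtive; the profile object, its field names and the helper names are assumed. It contrasts the unescaped rendering with output encoding, which is the standard fix, and adds a small regression check a reviewer can run over rendered markup.

```javascript
// Added example (not part of the SEED lab or Collabtive): the same profile rendered
// without and with output encoding. Field names and helpers are assumed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that let text break out of an HTML text node or attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Flawed rendering: user-controlled fields are concatenated straight into markup,
// so whatever was stored in the profile is parsed as HTML (and script) by every viewer.
function renderProfileVulnerable(profile) {
  return `<div class="profile"><h2>${profile.name}</h2><p>${profile.company}</p></div>`;
}

// Hardened rendering: every untrusted field is encoded at the point of output,
// so the same stored text is shown literally instead of being executed.
function renderProfileSafe(profile) {
  return `<div class="profile"><h2>${escapeHtml(profile.name)}</h2>` +
         `<p>${escapeHtml(profile.company)}</p></div>`;
}

// Simple review check: count script elements present in rendered markup. Suitable as a
// regression test on templates whose output should never contain one; not a substitute
// for encoding, since script can also be smuggled via attributes and other elements.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed sample profile: the company field carries a stored script element,
// the kind of content the lab says can be posted to a Collabtive profile.
const SAMPLE_PROFILE = {
  name: 'Alice "A." O\'Neil',
  company: '<script>/* constructed sample */</script>',
};

// Returns both renderings side by side for inspection.
function demo(profile = SAMPLE_PROFILE) {
  return {
    vulnerable: renderProfileVulnerable(profile),
    safe: renderProfileSafe(profile),
  };
}
```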

Lab Description and Tasks (PDF)

    For instructors: if you prefer to modify the lab description to suit your own courses, you can download the source files (LaTeX) from here.

Recommended Time: 1 week

Lecture Video: (watch)

Files you need

Helpful Links

Student Feedback

To help us understand how effectively this lab has enhanced students' learning in computer security, we asked students to fill out an anonymous survey right after they finished the lab. We have been conducting the survey since 2007. The survey results depicted in the following are aggregate results over several years.