Lab 8
The purpose of this lab is to witness simple vulnerabilities within a web application that does not sanitize data. With the given files, you will read through and follow the steps provided. The steps given exploit insecure cookie data, sensitive data exposure, cross-site scripting, and cross-site request forgery.
lab8 files
Create a lab8.txt file and answer the following questions:
- You will need a cookie manager of some type for your browser that will
allow you to create/edit/delete cookies. You don't have to clear all your
cookies; however, it would be easier to find cookies from the domain
cs.csubak.edu. Make an HTTP request to home.php and you should
see a login homepage. Within your cookie manager, you should see a cookie
that was set called isActive. What is the value of the cookie?
- Authentication is needed in order to access blog.php.
Within your URL, make a request to
www.cs.csubak.edu/~derrick/cs3680/examples/lab8/blog.php. What happens?
- Use 'thepassword' as the password for the login, and submit the
request. What are the cookies and values for the
cs.csubak.edu domain?
- Make the logout request, which should redirect you back to the home
page. With your cookie manager, either create the isActive cookie if it isn't
present, or edit it, and change the value to 1. Make a GET request to
home.php. What happens?
This is an example of weak authentication, where
authentication could simply be bypassed. The solution, which will
be discussed, is to use sessions.
- Now you should be able to navigate to blog.php. Embedded in the
comments section of the blog is a malicious link that will
redirect the user to somethingcool.html, or at least
it appears to. Click the link. Where did your browser redirect you?
Are the values for the cookies the same values in your cookie manager?
- Navigate back to blog.php and post a comment yourself.
You should see the comment appear directly on the page. Make another
post but use the following text:
<h1>my comment</h1>
What happened?
This is a huge indicator that user input is not sanitized and HTML
is not encoded.
Try again but use the following text:
<script>alert('xss');</script>
What happened?
- Navigate back to blog.php and view the page source.
This is the XSS vulnerability that forges a request to a malicious
web page that will contain your cookie data. Not good.
Copy the whole text from the opening script tag to the closing script tag,
including both tags.
Go to the blog's textarea and post the copied text.
The text appears to be a normal comment with a link; however, the link
is to a malicious site with your cookie data.
Why wouldn't you want to have sensitive information within a cookie?
A solution for this is session management and CSRF tokens, which will be
discussed.
- What are the rules you should always follow whenever handling
user input?
HINT: Never trust the _____ and always ______ the data.
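The fixes the lab promises to discuss (sessions instead of the editable isActive flag, encoding user input before it is written into the page, and a CSRF token on the comment form) can be seen side by side in the following added example. It is not the lab's PHP and not part of home.php or blog.php: it is a self-contained Python sketch in which the cookie jar, the form, and the server-side session store are plain dictionaries (SESSIONS, PASSWORD, the cookie name sid and the function names are all assumptions made here). The unsafe functions reproduce the behaviour the lab steps expose; the safe ones show why a forged cookie, a `<script>` comment, or a request from another site no longer work.

```python
import hmac
import html
import secrets

# Added example, not the lab's code. Constructed in-memory stand-ins for the
# server-side state that home.php/blog.php would keep.
PASSWORD = "thepassword"   # the password the lab hands out
SESSIONS = {}              # session id -> per-session data kept on the server


# --- 1. Weak authentication versus server-side sessions ---------------------

def weak_is_authenticated(cookies):
    """The pattern the lab breaks: trusting a client-editable isActive flag."""
    return cookies.get("isActive") == "1"


def login(cookies, password):
    """Session-based login. The client only receives an unguessable session id;
    the fact that it is logged in lives in SESSIONS, which it cannot edit."""
    if not hmac.compare_digest(password.encode(), PASSWORD.encode()):
        return False
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": secrets.token_hex(32)}
    cookies["sid"] = sid
    return True


def session_is_authenticated(cookies):
    """Editing the cookie to any value not issued by the server is useless."""
    return cookies.get("sid") in SESSIONS


def logout(cookies):
    SESSIONS.pop(cookies.pop("sid", None), None)


def session_cookie_header(sid):
    """Set-Cookie line for the session id: HttpOnly keeps document.cookie (and
    therefore an injected script) from reading it; Secure and SameSite limit
    where the browser sends it. Nothing sensitive is stored in the cookie."""
    return f"Set-Cookie: sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


# --- 2. Output encoding: the <h1> / <script> comments become inert text -----

def render_comment_unsafe(text):
    """What the lab's blog does: the raw comment is written into the page."""
    return f"<p>{text}</p>"


def render_comment_safe(text):
    """Encode the HTML metacharacters so the input is displayed, not parsed."""
    return f"<p>{html.escape(text, quote=True)}</p>"


# --- 3. CSRF token: a request forged from another site does not carry it ----

def csrf_token(cookies):
    """Per-session token to embed as a hidden field in the comment form."""
    return SESSIONS[cookies["sid"]]["csrf"]


def post_comment(cookies, form, comments):
    """Server-side handler for the comment POST."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return False                      # not logged in
    submitted = form.get("csrf", "")
    if not hmac.compare_digest(session["csrf"].encode(), submitted.encode()):
        return False                      # no valid token: reject the request
    comments.append(render_comment_safe(form.get("comment", "")))
    return True


if __name__ == "__main__":
    jar = {}
    login(jar, PASSWORD)
    print(session_cookie_header(jar["sid"]))
    print(render_comment_safe("<script>alert('xss');</script>"))
```

The three pieces answer the lab's questions in order: setting isActive=1 in the jar satisfies weak_is_authenticated but not session_is_authenticated, because the server only believes ids it generated itself; the `<h1>` and `<script>` comments come back as escaped text that the browser renders literally; and a comment POST that lacks the session's token (which is exactly what a page on another origin cannot obtain) is refused before anything is stored.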
/3680_S18/wk8/lab8.txt