Syracuse University
Cross-Site Scripting (XSS) Attack Lab
Overview

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. This vulnerability makes it possible for attackers to inject malicious code (e.g. JavaScript) into the victim's web browser. Using this malicious code, the attackers can steal the victim's credentials, such as cookies. The access control policies (such as the same-origin policy) that the browser employs to protect those credentials can be bypassed by exploiting the XSS vulnerability. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits.

In this lab, we use a web-based message board called phpBB to demonstrate the cross-site scripting (XSS) attack. Students will experiment with two types of XSS attacks, both of which can forge a message post for the victim. The message board is at http://128.230.209.203/phpBB2/. Students will be given two user accounts on this message board: one account serves as the attacker, and the other serves as the victim. Each student will work in his/her own private forum, which is not accessible by the others.

Lab Description and Tasks (PDF)

Recommended Time: 1 week

Files you need

Helpful Links
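The mechanism the overview describes, a message-board post whose body is echoed into the page so the browser runs it in the site's origin, shown beside the fix, as an added example that is not part of the lab materials or of phpBB. The function names, the sample post and the cookie name are constructed for illustration.

```python
"""Stored XSS in a message-board post: unsafe rendering vs. hardened rendering."""
from html import escape

# Constructed sample post: text a malicious user types into the message board.
# Stored verbatim, it is delivered to every reader who views the thread.
SAMPLE_POST = {
    "author": "mallory",
    "body": "Hi all <script>alert(document.cookie)</script>",
}


def render_post_unsafe(post: dict) -> str:
    """Vulnerable pattern: the post body is interpolated into HTML as-is.

    The browser cannot distinguish the author's <script> element from the
    site's own markup, so the script runs with the site's origin and the
    same-origin policy no longer protects the session cookie from it.
    """
    return f"<div class='post'><b>{post['author']}</b>: {post['body']}</div>"


def render_post_safe(post: dict) -> str:
    """Hardened pattern: every user-controlled value is HTML-escaped on output.

    escape() rewrites < > & " ' as entities, so the payload is displayed as
    literal text instead of being parsed as a script element.
    """
    return (f"<div class='post'><b>{escape(post['author'])}</b>: "
            f"{escape(post['body'])}</div>")


def contains_script_tag(html: str) -> bool:
    """Check used below: does the rendered HTML still carry a raw <script> tag?"""
    return "<script" in html.lower()


def session_cookie_header(session_id: str) -> str:
    """Defence in depth for the cookie-theft case: HttpOnly keeps the session
    cookie out of document.cookie, Secure and SameSite limit where it is sent.
    This does not remove the injection; it limits what a successful one gains.
    The cookie name 'sid' is a placeholder, not phpBB's real cookie name."""
    return f"Set-Cookie: sid={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    print(render_post_unsafe(SAMPLE_POST))   # script tag survives: vulnerable
    print(render_post_safe(SAMPLE_POST))     # script tag shown as text: safe
    print(session_cookie_header("EXAMPLE_SID"))
```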