LAB MANUAL INFORMATION SECURITY

LABORATORY MANUAL

COMPUTER SCIENCE Department

Information Security
Submitted by

Muhammad Huzaifa - 62892

Meer Zubair Ahmed - 64024
Muhammad Ikram - 64409
Sibtain Ali – 63237

Instructor

Attiya Shoaib

Assistant professor, Department of Computer Science,

Faculty of Information & Communication Technology,
BUITEMS, Quetta.

Session Fall-2024

BALUCHISTAN UNIVERSITY OF INFORMATION TECHNOLOGY

ENGINEERING AND MANAGEMENT SCIENCES
 LAB MANUAL INFORMATION SECURITY

Objective
In this project, we will explore various dimensions of XSS or Cross Site Scripting, learn to
exploit websites using it and their preventions and precautions. Labs are hence performed in
organization with theory of XSS to help you understand it thoroughly. This report will make
you able to define XSS, its types and identifications and practical techniques to use them for
exploiting. Also, a widen view will be illustrated throughout the report to make you prevent
this vulnerability in accordance to day-to-day advancing world of Internet and cyber science.

Cross Site Scripting (XSS):

Cross-Site scripting (XSS) is a client-side web vulnerability that allows attackers to inject
malicious scripts into web pages. This vulnerability is typically caused by a lack of input
sanitization/validation in web applications. Attackers leverage XSS vulnerabilities to inject
malicious code into web applications. Because XSS is a client side vulnerability, these scripts
are executed by the victims browser. XSS vulnerabilities affect web applications that lack
input validation and leverage client-side scripting languages like JavaScript, Flash, CSS etc.
XSS vulnerabilities/attacks are typically sorted into two main categories: stored/persistent and
reflected.

Types of Cross Site Scripting (XSS):

There are three main types of Cross Site Scripting (XSS):
1. Reflected XSS
2. Stored XSS
3. DOM XSS

1. Reflected XSS:
Reflected/non-persistent cross-site scripting is the most common form of XSS and involves
tricking a victim into clicking a specially crafted link (with an XSS payload) to the
vulnerable website. When the victim clicks on the link the website includes the XSS
payload as part of the response back to the victims browser, where the payload is executed.

2. Stored XSS:
Stored cross-site scripting is a vulnerability where an attacker is able to inject JavaScript
code into a web application’s database or source code via an input that is not sanitized. For
example, if an attacker is able to inject a malicious XSS payload in to a webpage on a
website without proper sanitization, the XSS payload injected in to the webpage will be
executed by the browser of anyone that visits that webpage.

3. DOM XSS:
DOM-Based XSS/type-0 XSS is a type of XSS vulnerability that allows an attacker to
inject malicious payloads into a webpage by exploiting a weakness in the DOM of the
web application. A DOM-Based XSS attack involves exploiting a script on the webpage
that takes user input and reflects it back to the page without proper sanitization, the
attacker then injects malicious code/payloads into the webpage’s DOM by modifying the
values of the script’s variables.

BALUCHISTAN UNIVERSITY OF INFORMATION TECHNOLOGY,

ENGINEERING & MANAGEMENT SCIENCES, QUETTA.
 LAB MANUAL INFORMATION SECURITY

Related Terms:
 Cookie: A cookie is a small piece of data stored by a web browser on a user's
device, used by websites to remember information between sessions. Cookies can
store various data like user preferences, login details, or tracking information for
analytics and advertising. They help improve the user experience by maintaining
state and personalizing content.
 Payload: A payload refers to the part of the malware or cyber attack that performs
the harmful action after the attack is triggered. It can be a code or a type of data
that causes the exploit to do its job.
 Vulnerability: Vulnerability refers to a weakness or flaw in a system,
process, or individual that can be exploited by threats to cause harm or
damage. It can manifest in various forms, such as software bugs, security
gaps, or emotional susceptibility. Identifying and addressing
vulnerabilities is crucial for risk management and protection against
potential attacks or harm.

Identifying the Vulnerability of Reflected XSS:

We will try to find such a website which is vulnerable to Reflected XSS by using some
JavaScript testing scripts like alert( ) to identify it.
We will access the website provided below which is vulnerable and will check it.

pentesteracademylab.appspot.com/lab/webapp/htmli/1

BALUCHISTAN UNIVERSITY OF INFORMATION TECHNOLOGY,

ENGINEERING & MANAGEMENT SCIENCES, QUETTA.
 LAB MANUAL INFORMATION SECURITY

We can see that there is some sanitization being applied in this sign form but there is a sign of
Reflected XSS as the value is reflected back by the server. Now we will try with some other
techniques.

BALUCHISTAN UNIVERSITY OF INFORMATION TECHNOLOGY,

ENGINEERING & MANAGEMENT SCIENCES, QUETTA.
 LAB MANUAL INFORMATION SECURITY

We can see that the script is executed successfully, So this site is vulnerable to Reflected
XSS.

Practical Demonstration of Reflected XSS:

Now we will open the Kali Linux, access another website, will check the vulnerability and
prepare our payload to steal the cookie.

Access the website by the provided link:

https://7vabz65evl.execute-api.ap-southeast-1.amazonaws.com/default

BALUCHISTAN UNIVERSITY OF INFORMATION TECHNOLOGY,

ENGINEERING & MANAGEMENT SCIENCES, QUETTA.
 LAB MANUAL INFORMATION SECURITY

We can see that our test payload is executed here successfully also Now, we will prepare our
payload by using the JavaScript.

For this we will first of all check our IP Address by using the command ifconfig:

BALUCHISTAN UNIVERSITY OF INFORMATION TECHNOLOGY,

ENGINEERING & MANAGEMENT SCIENCES, QUETTA.
 LAB MANUAL INFORMATION SECURITY

This is our payload which we have created by using the JavaScript code. Now, we will open a
listening port with the help of Netcad on our Kali Linux by using the command nc –nvlp
4444.

BALUCHISTAN UNIVERSITY OF INFORMATION TECHNOLOGY,

ENGINEERING & MANAGEMENT SCIENCES, QUETTA.
 LAB MANUAL INFORMATION SECURITY

Next step is to execute our payload on the web browser.

The moment we will run our payload the listener will catch the cookie which we can see then.

BALUCHISTAN UNIVERSITY OF INFORMATION TECHNOLOGY,

ENGINEERING & MANAGEMENT SCIENCES, QUETTA.
 LAB MANUAL INFORMATION SECURITY

With this we have successfully steal the cookie now we can use this link to steal the cookies
by setting up our listener every time before executing it. This concluded our Reflected XSS
demonstration.

Practical Demonstration of Stored XSS:

Firstly, open the Burp Suite Community edition by searching using search bar on start tab.

After opening, you will be shown with its Dashboard with several tabs used for different
purposes. Go to Proxy tab, ON the intercept and open the browser by clicking on open
browser option.

BALUCHISTAN UNIVERSITY OF INFORMATION TECHNOLOGY,

ENGINEERING & MANAGEMENT SCIENCES, QUETTA.
 LAB MANUAL INFORMATION SECURITY

When your browser gets open, run the link of website vulnerable to Stored Cross Site
scripting. Go to your Burp suite and click on forward to run the link on browser.

You will see your browser open with an input area as username. Paste your javascript
payload in the given input area and click on search.

BALUCHISTAN UNIVERSITY OF INFORMATION TECHNOLOGY,

ENGINEERING & MANAGEMENT SCIENCES, QUETTA.
 LAB MANUAL INFORMATION SECURITY

Go to your Burp suite, you will see the request forwarded by browser to Burp suite. Right-
click and then click on forward to repeater.

On repeater tab, click on send to see your response. You will find your javascript payload
stored on source code of the webpage.

BALUCHISTAN UNIVERSITY OF INFORMATION TECHNOLOGY,

ENGINEERING & MANAGEMENT SCIENCES, QUETTA.
 LAB MANUAL INFORMATION SECURITY

We have successfully stored our payload on our website.

Practical demonstration of DOM XSS:

Open the link that is vulnerable to DOM XSS. You will see a loophole in the DOM (or
Document Object Model) of the given website which we can use to manipulate the webpage.
In this case it is numerical which we can see below Mathemagic. Hence, it is prone to DOM
XSS. You can also see the numerical value as a string of mathematical function in the link
above as statement=(string). This string executes arithmetic operations and sets the output on
screen.

Go to the source code of the website by right-clicking on empty space and then clicking on
page source. You will move to another window where page source is shown. Drag down, until
you find your javascript payload on the specific area as shown in webpage.

BALUCHISTAN UNIVERSITY OF INFORMATION TECHNOLOGY,

ENGINEERING & MANAGEMENT SCIENCES, QUETTA.
 LAB MANUAL INFORMATION SECURITY

This JavaScript highlighted code extracts a query parameter called "statement" from the current
page's URL, splits the URL at the "statement=" part, and then evaluates the value of the
"statement" parameter using `eval()`. The result of the evaluation is inserted into an HTML
element with the id "result". Specifically, it takes the JavaScript code passed as a string in the
"statement" query parameter, executes it, and displays the outcome in the element. This can be
dangerous if the input is not sanitized, as it allows arbitrary JavaScript code execution,
potentially leading to security vulnerabilities such as Cross-Site Scripting (XSS).

Prevention Methods:
 Validate Input
● Allow only expected input formats (e.g., numbers, emails).
● Reject anything outside the required format.
 Encode/Escape methods
● Replace <, >, and other special characters with their respective HTML entities (e.g., <
becomes &#60;).
● Prevent rendering of untrusted scripts.
 Use Content Security Policy (CSP)
● Allow scripts from only trusted sources.
● Example: Content-Security-Policy:
script-src 'self’ https://trusted.cdn.com;
 Secure coding practice
● Avoid embedding user inputs directly in HTML.
● Use frameworks handling encoding such as htmlspecialchars() in PHP.
 Sanitize Input
● Use trusted libraries to sanitize user content such as DOMPurify and OWASP.
 HTTP response headers
● Set these headers to add protection:
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block

BALUCHISTAN UNIVERSITY OF INFORMATION TECHNOLOGY,

ENGINEERING & MANAGEMENT SCIENCES, QUETTA.
 LAB MANUAL INFORMATION SECURITY

 Avoid danger APIs

● Do not use APIs like document.write().
● Use safer alternatives such as innerText and textContent.
 Input Length restriction
● Limit user input lengths.
● Prevent large payloads that might include malicious scripts.
 Validate file uploads
● Verify file type and content.
● Rename uploaded files to prevent execution.
● Store files outside public directories.
 Secure third party libraries
● Audit and update libraries/plugins.
● Use tools like: OWASP Dependency-Check and npm audit.
 Separate data and commands
● Use tools that separate data from commands such as Handlebars (JavaScript) and
Jinja2 (Python).
 Avoid Inline script
● Refrain from embedding scripts directly in HTML.
● Use external scripts with CSP to restrict execution.

BALUCHISTAN UNIVERSITY OF INFORMATION TECHNOLOGY,

ENGINEERING & MANAGEMENT SCIENCES, QUETTA.