Due: Sun, Nov 1, 11.59 P.M.
This homework will continue the work from Homework #2. In the first part of this homework, you will attempt to find XSS and XSRF vulnerabilities in your application. In the second part, you’ll fix these vulnerabilities.
Follow the same submission instructions from HW2.
Should we be working on the original version of the web application, or on the version after applying fixes for HW2?
Thanks, Rafal
It would be easier to work on the original application.
Do we have to send again Part I (Application Study)?
Thank you.
MT
No.
Hi,
Can checking the Referer page be considered a valid defense for preventing XSRF attacks?
I know that this method has some usability problems and vulnerabilities.
Do I need to find some other solutions to these attacks?
Thank you,
Bye
Reply by Prof Venkat below. Posting here for the benefit of the rest of the class.
No, REFERER checking cannot be the sole primary defense for reasons discussed in class.
venkat
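The following is an added example, not code from the course or from any poster in this thread. It contrasts a Referer-only policy with the synchronizer-token pattern: because browsers, privacy extensions and proxies may strip the Referer header, a Referer-only policy must either accept requests with no Referer (and then cannot tell a forged request from a genuine one) or reject them (and break legitimate users). The per-session token, which a cross-site page cannot read, is the check that actually decides; the Referer check is only defense in depth. `APP_ORIGIN`, the dictionary-shaped `session`, `headers` and `form` are assumptions standing in for whatever the web framework provides.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: origin of the protected application (placeholder, not the course site).
APP_ORIGIN = "https://app.example"


def referer_matches(headers, expected_origin=APP_ORIGIN):
    """Return True/False when a Referer is present, None when it is absent.

    The None case is the problem: the server cannot distinguish a legitimate
    request whose Referer was stripped from a forged one with no Referer.
    """
    referer = headers.get("Referer")
    if not referer:
        return None
    got, exp = urlsplit(referer), urlsplit(expected_origin)
    return (got.scheme, got.netloc) == (exp.scheme, exp.netloc)


def referer_only_policy(headers, allow_missing=True):
    """The policy the thread asks about, on its own.

    allow_missing=True keeps users with stripped Referers working but lets a
    Referer-less forged request through; allow_missing=False closes that gap
    but rejects those same legitimate users.  Neither setting is sound alone.
    """
    ref = referer_matches(headers)
    return ref is True or (ref is None and allow_missing)


def issue_csrf_token(session):
    """Primary defense (synchronizer token): bind an unguessable secret to the
    session and embed it in every state-changing form."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session, submitted):
    """Constant-time comparison of the submitted field with the session copy."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def accept_state_change(session, headers, form, strict_referer=False):
    """Decide whether a state-changing POST may proceed.

    The token check is mandatory.  The Referer check adds depth: a mismatching
    Referer is rejected, a missing one only when strict_referer is set.
    """
    if not csrf_token_valid(session, form.get("csrf_token")):
        return False
    ref = referer_matches(headers)
    if ref is False:
        return False
    if ref is None and strict_referer:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: one user session and two POST bodies.
    session = {}
    token = issue_csrf_token(session)
    forged = {"comment": "..."}              # a cross-site page cannot read the token
    genuine = {"comment": "hi", "csrf_token": token}
    no_referer = {}
    print(referer_only_policy(no_referer))                      # True: forged request passes
    print(accept_state_change(session, no_referer, forged))     # False: token missing
    print(accept_state_change(session, no_referer, genuine))    # True: token present
```

`referer_only_policy` is kept separate from `accept_state_change` on purpose: the first shows the gap the class discussed, the second shows where the Referer check belongs once a token is in place.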
Hi,
In the XSS attack, is it fine if we demonstrate it by running some scripts in the webpage, say an alert window etc.? Or do we have to reflect some significant change in the webpage using the scripts?
thanks
bharath
Any attack, however simple, which demonstrates that an XSS attack has taken place will suffice. But please make sure that your XSS and XSRF attacks are in different parts of the code (i.e., they do not attack the same vulnerability).
What are we supposed to submit? All the attack html files, or only a readme file explaining everything?
You need to use the same submission procedure that you did for HW2, i.e., a tar file containing all your files (files containing attacks, files that you modified for defense). It is preferred that you include a readme as it makes the grading a lot easier.
Hi,
I am able to generate an XSS vulnerability from my cookie's application page.
But when I am trying to give the same string to the global application page (http://thompson.sisl.rites.uic.edu:443/35c74dc9/), the same attack is not getting generated. What should I do?