This afternoon, I started on project 4 for introduction to information security (IIS). The goal for this project is to have us students learn more about web security, and it consists of three objectives, manufacturing three web attacks: cross site scripting, cross site request forgery and structured query language (SQL) injection attack. And although I’m very familiar with the terms, I’ve actually never carried out any of those attacks in either an academic or professional setting. In this post, I’ll share some of the things I learned while spending 4 hours in a cafe chipping away at the project.
Cross site request forgery (CSRF)
This attack was very straightforward: inspect the source code of the (PHP) files and carefully tease out which form inputs could be set in the body of the HTTP POST.
Cross site scripting (XSS)
This task was a ton of fun. Initially, I headed down an entirely wrong path and found myself getting very frustrated. Because of the video lectures, I had wrongly assumed that the only way to perform the attack was to embed an iFrame in my hand-crafted HTML page, the iFrame loading the contents of the remote website, the target of the attack. And although this is entirely possible, embedding an iFrame is unnecessary: what I really need to do is basically send an HTTP POST to the remote site, embedding JavaScript in one of the form values, carefully ensuring that when the page renders in the browser, it’s identical to the original website.
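The server-side checks that stop both attacks described above, as an added example that is not part of the original post or the course project. It is a Python sketch (the project's files are PHP); the handler, the field names `name` and `csrf_token`, and the in-memory session store are assumptions made for illustration.

```python
import hmac
import html
import secrets

# Constructed in-memory session store: session id -> CSRF token (assumption).
SESSIONS = {}


def new_session():
    """Create a session and the random token the server embeds in its own form."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid, SESSIONS[sid]


def handle_post(session_id, form):
    """Process a POST body given as a dict of form fields.

    Returns (status_code, html_body).
    """
    expected = SESSIONS.get(session_id)
    supplied = form.get("csrf_token", "")
    # CSRF defence: a cross-site POST rides on the victim's session cookie,
    # but the other origin cannot read the token from the legitimate page.
    if expected is None or not hmac.compare_digest(
        expected.encode(), supplied.encode()
    ):
        return 403, "<p>Request rejected: missing or invalid CSRF token.</p>"
    # XSS defence: encode the form value for the HTML context it is written
    # into (element body and a quoted attribute), so markup stays inert text.
    name = html.escape(form.get("name", ""), quote=True)
    return 200, f'<p>Saved profile for <span title="{name}">{name}</span></p>'


if __name__ == "__main__":
    sid, token = new_session()
    # Constructed sample requests.
    print(handle_post(sid, {"name": "alice"}))  # no token
    print(handle_post(sid, {"name": "<script>alert(1)</script>",
                            "csrf_token": token}))
```

The token comparison uses `hmac.compare_digest` so the check takes constant time, and the escaping is applied at output, where the HTML context is known.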