Cookies!
Since the TAs were very happy with your performance in the mini-exams, they decided to give you access to their website, where you can get answers to all your questions. Unfortunately, they did not pay enough attention to input sanitization, leading to a website that is vulnerable to cross-site scripting. This exercise consists of three levels (of increasing difficulty). In each level, your goal is to cause the page to raise an alert. The content of the alert must be the cookie that is set when you visit the website. As soon as the alert is raised (with the correct content), you will receive a token that you can submit. Along with the token, please submit the URL you crafted to exploit the vulnerability and raise the alert (in the Code section on the submission page).
An alert is a dialog box that pops up on the screen. A sample alert is shown below.
You can visit the website here
Important: You can raise an alert via the Console window on your browser. However, this is not an XSS attack. Thus, submitting an alert command via the console is not an accepted attack. This is why we also ask you to submit the URL you created.
Questions to reflect upon:
- In this exercise, you tried to get the website to raise an alert with your own cookie. How would you exploit this vulnerability to get someone else's cookie?
- What measures should the TAs take to protect against such vulnerabilities?
You do not need to write an answer to these questions.
PDF Website