CSRF/XSS/SQL-injection Attacks
The objective of this lab is to understand how CSRF/XSS/SQL-injection attacks work.
This topic will be covered over the course of 2 weeks.
- SEED lab materials on CSRF Attacks
- SEED lab materials on XSS Attacks
- SEED lab materials on SQL-injection Attacks
- Web application security: Ch. 7; Ch. 10 (p.1-35)
- Play around with an insecure web application
- for other insecure applications, check the following link
- useful tools for penetration testing
- [OWASP Zed Attack Proxy (ZAP)](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project)
- students can work alone or in groups of 2 to 3 students
- select one of the attacks and demonstrate it
- you can use either the SEED materials or one of the vulnerable web applications
Students need to submit a detailed lab report to describe what they have done and what they have observed.
The report should include evidence to support the observations. Evidence includes packet traces, screendumps, etc.
- total number of labs is 9
- students can have maximum 1 absence out of 9 labs
- the absence will be counted as 0
- multiple absences count as failing to pass the lab
- days left for clearing up absences
  - 22-23 November
  - week 14 of the semester (to be decided)
Please remember there will be a quiz at the start of this lab. Therefore, try to understand the core concepts.
On Tuesday and Wednesday morning, the quiz will be given in the first 10 minutes of the lab. Please make sure to make it on time.
You can even learn by practicing at home. In order to do that, follow the instructions on how to set up your environment, and download the correct VM.
Bring a USB stick with the VM as a backup to the lab.