Module 7 Lab Template
docx
keyboard_arrow_up
School
Portland Community College *
*We aren’t endorsed by this school
Course
285E
Subject
Information Systems
Date
Nov 24, 2024
Type
docx
Pages
9
Uploaded by JudgeBoulder5277
Module 7 Web & Database (VCS Lab 5 + Google
XSS Game)
Your Name:
VCS Lab 5 Section 1
Section 1 Part 2 Step 5
Make a screen capture showing the exposed XSS vulnerability and paste it into
your lab report file.
Section 1 Part 2 Step 9
In your lab report briefly describe what the new results tell you about how the
form now handles cross-site scripting attacks in the High setting.
In the Lab Report file, the new results demonstrate a significant improvement in the form's handling of
cross-site scripting (XSS) attacks when set to the High security setting. Previously, the vulnerability popup
alert would appear when attempting to input scripts indicative of XSS attacks. However, the recent
testing indicates that typing the XSS script in the High setting did not trigger the vulnerability popup
alert.
CIS285E
Module 7 Lab Report
Page 1 of 9
Ethical Hacking
V2.1
12/8/2023
This suggests that the form's security measures have been enhanced successfully, effectively mitigating
the XSS vulnerability that previously allowed malicious script injections. The absence of the alert under
the High setting indicates a higher level of protection against potential XSS attacks, marking an
advancement in the form's security protocols.
Section 1 Part 3 Step 10
In your lab report briefly describe the results of steps 7-9.
The conducted steps (7-9) involved systematically testing SQL injection vulnerabilities within the system
by crafting specific queries. Starting with 'a' ORDER BY 1;#', no error or output was observed, indicating
the existence of at least one column in the database. Subsequently, 'a' ORDER BY 2;#' was entered,
revealing no errors, which confirmed the presence of a second column. However, upon attempting 'a'
ORDER BY 3;#', an error message stating "Unknown column '3' in 'order clause'" was received, indicating
the absence of a third column in the queried table. These progressive results strongly suggest a database
structure consisting of a minimum of two columns, crucial information for comprehending vulnerabilities
and potential exploits within the system.
Section 1 Part 3 Step 19
Make a screen capture showing the user account information and paste it into
your lab report file.
CIS285E
Module 7 Lab Report
Page 2 of 9
Ethical Hacking
V2.1
12/8/2023
Section 1 Part 3 Step 21
Make a screen capture showing the hash information and paste it into your lab
report file.
Section 1 Part 3 Step 22
In your lab report briefly describe the purpose of hashing in a database.
Hashing in databases offers crucial security measures, primarily safeguarding sensitive data like
passwords. It involves converting this information into unique hash values using cryptographic functions,
ensuring passwords remain protected even if a database is compromised. This process allows for secure
authentication without exposing original passwords. Additionally, hashes maintain data integrity,
promptly detecting any alterations, and can serve as unique identifiers for indexing, ensuring distinct
values while protecting sensitive data.
Section 1 Part 4 Step 3
Make a screen capture showing the contents of the
yourname_S1.txt
file and
paste it into your lab report file.
CIS285E
Module 7 Lab Report
Page 3 of 9
Ethical Hacking
V2.1
12/8/2023
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
Section 1 Part 4 Step 5
In your lab report briefly describe the security countermeasures you recommend
to mitigate the risk from compromise and exploitation.
To mitigate compromise and exploitation risks, you should implement key security measures. Employ
strict input validation and output encoding to prevent injection attacks like SQL injection and XSS. Use
parameterized queries to secure database interactions. Regularly update software, enforce access
controls, and provide comprehensive security training. Utilize robust monitoring for incident response
and employ encryption protocols for secure data transmission. Regular audits and testing help identify
vulnerabilities, ensuring ongoing system security improvements. These measures collectively strengthen
defenses against potential exploits and bolster overall system resilience.
Google XSS game
Level 1
Screenshot with your name in the alert message URL bar showing the level
CIS285E
Module 7 Lab Report
Page 4 of 9
Ethical Hacking
V2.1
12/8/2023
Level 1
Description of what it does and how it works, including the input you used to demonstrate the
vulnerability.
In Level 1, entering `dispatchCoroutine/<script>alert('Stanley')</script>` demonstrates an XSS
vulnerability. This input injects a script that triggers a JavaScript alert displaying "Stanley" by exploiting
improper handling of user-supplied data. This vulnerability allows execution of arbitrary code on the
page, posing risks like data theft or unauthorized actions.
Level 2
Screenshot with your name in the alert message URL bar showing the level
CIS285E
Module 7 Lab Report
Page 5 of 9
Ethical Hacking
V2.1
12/8/2023
Level 2
Description of what it does and how it works, including the input you used to demonstrate the
vulnerability.
In Level 2, `<img src="invalid" onerror="alert('Stanley')">` exploits an XSS vulnerability. This input injects
an image tag with an `onerror` attribute triggering a JavaScript alert, displaying "Stanley." Improper
handling of input allows execution of arbitrary code, posing risks like data theft or unauthorized actions.
Level 3
Screenshot with your name in the alert message URL bar showing the level
CIS285E
Module 7 Lab Report
Page 6 of 9
Ethical Hacking
V2.1
12/8/2023
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
Level 3
Description of what it does and how it works, including the input you used to demonstrate the
vulnerability.
In Level 3, `https://xss-game.appspot.com/level3/frame#' onerror='alert("stanley - Level 3 - (1)")'//`
exploits an XSS vulnerability. This injects an `onerror` attribute triggering an alert with "Stanley - Level 3 -
(1)". Improper URL fragment handling allows execution of arbitrary code, posing security risks like data
theft or unauthorized actions.
Level 4
Screenshot with your name in the alert message URL bar showing the level
CIS285E
Module 7 Lab Report
Page 7 of 9
Ethical Hacking
V2.1
12/8/2023
Level 4
Description of what it does and how it works, including the input you used to demonstrate the
vulnerability.
In Level 4, the input `'); alert('Stanley` attempts to exploit an XSS vulnerability by injecting JavaScript
code. However, the specific context handling in the application may prevent its successful execution,
highlighting the need for context-specific input validation to prevent XSS vulnerabilities.
Vulnerability Write-up
Pick one of the vulnerabilities you found in the previous part of this lab and write up a vulnerability
report. See lab description for the sections this write-up should include and resources on writing a good
vulnerability report.
Vulnerability Report: Cross-Site Scripting (XSS) in Level 3
1. Vulnerability Description:
In Level 3 of the Google XSS Game (
https://xss-
game.appspot.com/level3/frame
), a Cross-Site Scripting (XSS) vulnerability was identified. The
application allows for the injection of malicious code through a URL fragment, which triggers
the execution of JavaScript code in the context of the vulnerable page.
2. Vulnerability Identification:
The vulnerability arises from improper handling of the URL
fragment. By manipulating the URL and injecting a payload (
https://xss-
game.appspot.com/level3/frame#' onerror='alert("stanley - Level 3 - (1)")'//
), an
onerror
attribute is
CIS285E
Module 7 Lab Report
Page 8 of 9
Ethical Hacking
V2.1
12/8/2023
introduced, leading to the execution of arbitrary code. This code triggers an alert, displaying the
text "Stanley - Level 3 - (1)" within the URL bar.
3. Impact of the Vulnerability:
The injected code demonstrates the ability to execute
unauthorized scripts within the application's context. This vulnerability could allow an attacker
to conduct various malicious activities, such as stealing sensitive data, hijacking user sessions, or
redirecting users to harmful websites.
4. Exploitation Scenario:
An attacker could craft a URL with a malicious payload similar to the
one demonstrated (
https://xss-game.appspot.com/level3/frame#' onerror='alert("stanley - Level 3 -
(1)")'//
) and trick unsuspecting users into visiting the URL. Upon visiting the manipulated URL,
the malicious JavaScript code would execute, potentially compromising user security and
exposing sensitive information.
5. Mitigation Recommendation:
To mitigate this XSS vulnerability, the application should
implement proper input validation and output encoding practices, especially when handling
user-controlled data such as URL fragments. Sanitizing and validating input, along with output
encoding, would prevent the execution of injected scripts and ensure that user-supplied data is
treated safely.
6. Conclusion:
The identified XSS vulnerability in Level 3 underscores the importance of robust
input validation and output encoding to prevent such security risks. Addressing this vulnerability
would enhance the application's security posture, ensuring protection against potential
exploitation via injected scripts.
CIS285E
Module 7 Lab Report
Page 9 of 9
Ethical Hacking
V2.1
12/8/2023
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help