Cross-Site Scripting (XSS) Attack

Go up to the NWS HW page (md)

Overview

In this assignment you will perform a series of cross-site scripting (XSS) attacks. The assignment is to complete all six levels at https://xss-game.appspot.com/. You may use the hints that are provided on that site, but you may not look up answers elsewhere.

You will need to be familiar with the XSS set of slides.

When working through the XSS attacks, you will need to read through the Javascript code to understand how it works; from there, you can design your XSS attack. You will need to save your attacks as strings in the edited version of the xss.py (src) that you will submit. Feel free to change the string delimiter between single quotes and double quotes, so as to work with your code. If one of the characters in your string is the same as the delimiter, then you will need to escape it.

For level 6, you have to include another Javascript file. The file you can use is level6.js (src). The URL of this file is posted on the Canvas landing page. It has exactly one line:

alert("If you see this, you have successfully completed level 6");

NOTE: The XSS web page apparently does not work correctly in Chrome, so please use a different browser.

Changelog

Any changes to this page will be put here for easy reference. Typo fixes and minor clarifications are not listed here.

Submission

You will be submitting and edited version of xss.py (src).