This ‘meta exercise’ guides you through a series of smaller exercises on classic web vulnerabilities, created by Bruce Leban, Mugdha Bendre and Parisa Tabriz. These exercises all use a specially-crafted buggy web application named Gruyere. You can choose whether to use Gruyere online or run it locally by downloading gruyere-code.zip. For more information, see the Gruyere setup instructions.

Cross Site Scripting

1. Begin by reading through the information on XSS provided by Gruyere.

2. Do the first three XSS Challenges: File Upload XSS, Reflected XSS and Stored XSS. In each case, try figuring out a solution for yourself first. If you are stuck, look at the provided hints(s). If you are still uncertain after using the hints, view the Exploit section for the solution and try out the exploit for yourself.

3. Optional: If you have particular interest in or prior experience of web development, try doing one or more of the remaining XSS Challenges.

   Note: These remaining challenges go well beyond the level of understanding of XSS needed in COMP3911.

Cross Site Request Forgery

1. Begin by reading through the information on XSRF provided by Gruyere.

2. Attempt the XSRF Challenge. Use the Hint to help you if necessary. If you are still having trouble, view the Exploit section and try out the exploit for yourself to get an idea of how XSRF works.

Path Traversal

One of the simplest attacks on a web application involves manipulating the directory structure of the application in order to read or view private data. Almost all applications have security protections against this attack but it is helpful to understand this attack in order to protect against it in your own applications.

1. Begin by reading the information on path traversal provided by Gruyere.

2. Attempt the Information Disclosure and Path Tampering challenges. In each case, try to figure out a solution for yourself first. Use the provided hints if you are stuck. If you are still having trouble finding a solution, view the Exploit section and then try the exploit for yourself.

3. Optional: if you want more practice, login to Immersive Labs and do the lab on directory traversal in web applications. This will involve attacking a target whose IP address is given on the network information panel. Click on the Network button at the top-right of the screen to access this panel. Then run the Chromium browser from the Linux VM’s desktop and type that IP address into the address bar.

   Hint: If you aren't sure how to proceed, hover the cursor over one of the images displayed by the web application and examine the URL that is displayed in the status bar at the bottom of the browser window. You should construct a similar URL which uses a new value for the photo parameter.

Client State Manipulation

1. Begin by reading the information on client state manipulation provided by Gruyere.

2. Attempt the Elevation of Privilege and Cookie Manipulation challenges. These are more difficult than the previous challenges, so don’t be afraid to use the hints. (You’ll definitely need to look at the first hint for the Cookie Manipulation challenge.) As before, if you are truly stuck then examine the Exploit section for a solution and try it out.

   Note: The details of these two challenges are very specific to Gruyere, so the particular attack paths used here won't work in other web applications. However, similar approaches may succeed, depending on the implementation details of the application.

□