| Section # | Description | Points |
|---|---|---|
| Part I | | |
| I1 | Inspect one HTTP GET request packet and one HTTP POST request packet. Identify the parameters used in these requests, if any. | 6 |
| I2 | Following steps: - While logged in as Boby, find the GUIDs of both Boby and Alice (5). - Find the HTTP GET request for adding a friend (5). - Create the malicious HTML file and upload it to Boby's attack website (8). - Demonstrate the CSRF attack, with all its steps, that forces Alice to become friends with Boby (8). | 23 |
| I3 | Following steps: - Describe how the HTML file, the JavaScript, and the POST request relate to one another in the "Boby is my hero" attack, and demonstrate the attack (10). - Answer Question 2 (5). | 15 |
| I4 | Turn on the token validation countermeasure, show what happens, and answer the question. | 6 |
| Part II | | |
| II1 | Create a script in Samy's profile such that when Alice visits Samy's profile it shows an alert. | 3 |
| II2 | Show the cookie. | 2 |
| II3 | Show how to retrieve Alice's cookie: - If Alice and Samy are on the same VM: 3/5. - If Alice and Samy are on two different VMs: 5/5. | 5 |
| II4 | - Write the script so that Samy gets added to Alice's friend list (6). - Answer Question 1 (2). - Answer Question 2 (2). | 10 |
| II5 | - Successfully edit Alice's profile from Samy's profile (4). - Answer Question 3 (2). | 6 |
| II6 | Write a self-propagating XSS worm using the DOM approach and show that it works with a series of screenshots. | 10 |
| II7 | Do Questions 1 and 2 of Task 7 and explain what will happen. | 4 |