CS 253 Web Security
Assignment 1 – Journey to the Dark Side 🌘
- Points: 60
- Due: Friday, October 15 at 5:00pm
Welcome to Assignment 1 for CS 253: Web Security. ✨
We're doing client-side attacks! This assignment is all about Cross Site Scripting (XSS) vulnerabilities. Your goal is to come up with "attack inputs" that when entered into vulnerable websites allow you to execute code in the target's browser.
With Reflected XSS, you want to find a way to encode the attack input into a URL that can be sent to a target. When the URL is visited, your attack input is extracted from the URL by the server-side (or potentially client-side) code and executed in the target's browser.
With Stored XSS, you want to find a way to get your attack input stored more permanently, e.g. in the server's database, so that when your target visits a page constructed using this data at some point in the future, your attack code will execute in their browser.
The assignment takes the form of an interactive workshop that you'll run in your browser. This is what it looks like:
Prepare
Check your Node.js version
You should already have Node.js installed from the last assignment. For this assignment, it's highly recommended to use Node.js 16. Open your terminal and run this command to confirm you're running some version 16.x.x:
node --version
If not, you can install Node.js from the official site.
Get the starter code
Run this command to clone the code with git
:
git clone https://github.com/stanford-web-security/assign1.git
Enter the folder you just created:
cd assign1
Install the necessary local dependencies with npm
:
npm install
Start the assignment
Run the local server:
npm start
Your browser should open up to http://localhost:4000 where you can begin the assignment.
Submit
Before you submit
Ensure that the sanity tests pass:
npm test
This command just runs a basic sanity test that ensures your project passes npm run lint
, has the right folder structure, and doesn't have any blank required files. If npm test
doesn't report any errors that doesn't necessarily mean that you've solved every exercise perfectly!
🌟 PRO TIP: You can automatically fix most lint errors by running:
npm run lint-fix
Gradescope
We'll use Gradescope for submissions. The enrollment code is on the course homepage.
The moment of truth
When you're ready to submit your work, you'll upload the src/
folder to Gradescope. It should include two files (SOLUTIONS.md
and SURVEY.md
).
You should submit early and often! There's no downside to repeatedly submitting your assignment.
Questions?
Come to office hours or post in Ed.