Project 2x: XSS with Google Gruyere (15 pts.)

Launching Google Gruyere

Open a browser and go to

http://google-gruyere.appspot.com/

This brings you to the "Web Application Exploits and Defenses" page.

Scan this page, and at the bottom, click Continue.

This brings you to the "Web Application Exploits and Defenses (Part 1)" page.

Read the "Setup" section. Open your own instance of Gruyere in a second browser window.

At the bottom of this page, read the "Using Gruyere" section. Perform the tasks listed there.

At the bottom of the page, click Continue.

This brings you to the "Web Application Exploits and Defenses (Part 2)" page.

File Upload XSS

Read the "File Upload XSS" section. Create a File Upload XSS that makes a box pop up with your name in it, as shown below:

Saving the Image

Make sure the browser's URL, which starts with http://google-gruyere.appspot.com/, is visible, and that the pop-up box with your name in it is also visible.

Save an image with the name "Project 2xa from YOUR NAME".

Reflected XSS

Read the "Reflected XSS" section.

There is a warning that you may need to disable XSS Protection in your browser, but I was able to do all the exploits with normal Chrome. The disabling seems unnecessary.

Create a Reflected XSS that makes a box pop up with your name and the phrase "Reflected XSS" in it, as shown below:

Saving the Image

Make sure the browser's URL, which starts with http://google-gruyere.appspot.com/, is visible, and that the pop-up box with your name and the phrase "Reflected XSS" in it is also visible.

Save an image with the name "Project 2xb from YOUR NAME".

Stored XSS

Read the "Stored XSS" section.

Create a Stored XSS that makes a box pop up with your name and the phrase "Stored XSS" in it, as shown below:

Saving the Image

Make sure the browser's URL, which starts with http://google-gruyere.appspot.com/, is visible, and that the pop-up box with your name and the phrase "Stored XSS" in it is also visible.

Save an image with the name "Project 2xc from YOUR NAME".

Turning In Your Project

Email the images to cnit.120@gmail.com with a subject of "Project 2x from YOUR NAME".

Last modified: 10-13-11