Index of /~erikpoll/websec/demo

Name	Last modified	Size

Parent Directory		-
DOM_exercise.html	2023-02-28 10:23	3.3K
README.html	2023-03-13 13:44	6.2K
UI_redressing_blackboard.html	2023-03-13 08:36	694
UI_redressing_brightspace.html	2023-03-13 08:36	575
alertMessage1.js	2023-02-05 17:59	43
alertMessage2.js	2023-02-05 17:59	44
clickjack_basic.html	2023-03-13 09:14	1.0K
clickjack_some_button.html	2023-03-13 08:47	1.3K
clickjack_some_button_transparent.html	2023-03-13 08:52	1.1K
components/	2023-01-29 17:05	-
cursor-jacking.html	2023-03-13 09:10	1.9K
demo_DOM.html	2023-01-29 17:51	2.3K
demo_DOM2.html	2023-02-26 22:14	5.8K
demo_get_post.html	2023-01-29 17:04	4.8K
demo_javascript.html	2023-01-29 17:07	4.0K
framebuster.html	2023-03-13 08:52	922
framebusting1.html	2023-03-13 08:54	352
framebusting2.html	2023-03-13 08:54	1.3K
img/	2023-01-29 17:05	-
mixed_content.html	2023-02-05 18:21	1.7K
movement.html	2023-03-13 08:53	651
test_SOP.html	2023-03-28 13:34	2.1K
test_SOP_https_version.html	2023-03-28 13:34	1.8K
xss_via_DOM.html	2023-02-28 10:28	6.4K

websec demos

Demo webpages for Web Security

This directory contains some examples that illustrate some features of the web (or more in particular, of HTTP and HTML). They are all bare-bones examples, with just a few lines of HTML and without using any fancy JavaScript frameworks to make for nice-looking interactive web pages, that are kept as simple as possible to make the fundamental concepts clear.

The web page you are currently seeing is simply a directory listing that is exposed to the internet by a web server. It is the default behaviour of our web server to display the content of any README.html file present in a directory, so the bottom part of this webpage is simply the content of the file at https://www.cs.ru.nl/~erikpoll/websec/demo/README.html>.

At some places we will refer to the official HTML spec so that you get a taste of what that spec looks like. These pointers are not part of the exam material: the spec is constantly updated and the PDF version of the HTML spec is over a thousand pages long. The spec is available as one page of HTML but the multipage version may make for more pleasant browsing.

Demos for lecture 1:

demo_get_post.html is a page with GET and POST requests to inspect in the browser or using a proxy.
demo_javascript.html is a page with some simple JavaScript that uses the DOM API.
demo_DOM.html is a JavaScript demo that shows some more features of the DOM. The button at the bottom of this page leads you to a exercise to explore the capabilities of JavaScript and the DOM from the console in your browser, incl. the possibilities for so-called (reverse) tabnabbing, where JavaScript code can open new browser tabs or change existing browser tabs to try to confuse the user. We will go into this in lecture 4.
demo_DOM2.html gives more example of JavaScript interacting with the DOM, incl. the possibilities for JavaScript to inspect the URL,

Demos for lecture 2:

mixed_content.html is a page which mixes HTTP and HTTPS content.

Demos for lecture 4:

test_SOP.html is a page with an iframe (inline frame), which is effectively a webpage embedded inside another webpage, that tests the Single Origin Policy (SOP): in particular, it shows that if the outer webpage has a different origin that the iframe, its interaction with that iframe are restricted.

Demos for lecture 5:

xss_via_DOM.html shows how a webpage can import parameters from the URL, and how that can be abused for XSS attacks, where JavaScript is sneaked into a webpage via a poisoned parameter in the URL.

Demos for lecture 7:

Web pages with ClickJacking/UI redressing: clickjack_basic.html , clickjack_some_button.html clickjack_some_button_transparent.html
Brightspace does not have any protection against reusing Brightspace webpages inside other pages: the webpage UI_redressing_brightspace.html includes Brightspace inside another page without any problems.
The predecessor of Brightspace, Blackboard, did include protection against UI-redressing, as shown by UI_redressing_blackboard.html. This demo is nicer with FireFox that with Chrome, as Firefox gives a very clear warning that an iframe is blocked for security reasons.
Cursor clickjacking attack shows shows how the attacker can confuse user about where the cursor really is, and hence about what or where they are clicking.
framebusting1.html shows how the iframe framebuster.html it includes will bust the outer framebusting1.html and become the top webpage.
framebusting2.html shows how using sandboxing for the iframes can prevent such framebusting.

About the webpage you are seeing now: if you access the URL http://www.cs.ru.nl/~erikpoll/websec/demo the web server will show the directory listing of ~erikpoll/webdocs/demo, which you see at the top of the page, and the content of file README.html in that directory. This README.html file displayed automatically by the webserver is you ask for a directory listing, and your browser renders it as HTML. The directory ~erikpoll/webdocs/demo is simply a directory on the local file system of our Linux server that has been set to be world-readable.