Run the following Docker image:
docker run -p 8080:8080 -t arcuri82/tk2100-chat
Such web application represents a simple chat program based on WebSockets.
Open such web page from 2 different browsers (e.g., Chrome and Firefox), best if from 2 different machines (e.g., another laptop or a mobile connected to the same WiFi).
From the 2 browsers, do some chatting (actual content of messages does not matter) to see that the chat is working properly.
From Chrome Developer Tools, look at the JavaScript code used to update the page with the most recent messages. It is not important that you do not understand how WebSockets are used here, but, however, look at how the code to generate the HTML for messages is written. Such code is vulnerable to XSS attacks. Why?
Craft a chat message which execute JavaScript code. Such code should replace the entire content of the disaplyed web application with an image of your choice, like a Jolly Roger.
When such message is sent, everyone using the chat program should get such image covering the entire page, and with the functionalities of the chat not working any more (i.e., no possibility to send new messages).
Solutions to this exercise can be found under the
solutions/10 folder.