Merge pull request #1 from antonrasmussen/Assignment4

Assignment4
phonedude · Oct 30, 2024 · 209b71a · 209b71a
2 parents a29bf35 + f3cc3a8
commit 209b71a
Show file tree

Hide file tree

Showing 109 changed files with 3,668 additions and 0 deletions.
diff --git a/assignments/Rasmussen/4/README.md b/assignments/Rasmussen/4/README.md
@@ -0,0 +1,107 @@
+
+# Website Rendering Results
+
+## Frameable Websites (29)
+- http://4shared.com
+- http://abcnews.go.com
+- http://biblegateway.com
+- http://bloomberg.com
+- http://booking.com
+- http://com.com
+- http://disqus.com
+- http://doi.org
+- http://elmundo.es
+- http://g.co
+- http://globo.com
+- http://gofundme.com
+- http://ign.com
+- http://liberation.fr
+- http://marca.com
+- http://news.com.au
+- http://npr.org
+- http://offset.com
+- http://pl.wikipedia.org
+- http://plos.org
+- http://pt.wikipedia.org
+- http://sina.com.cn
+- http://thefreedictionary.com
+- http://usgs.gov
+- http://vistaprint.com
+- http://webmd.com
+- http://wikimedia.org
+- http://www.wix.com
+- http://zippyshare.com
+
+## Not Frameable Websites (71)
+- [http://alibaba.com](frameable/alibaba.com.html) (Reason: X-Frame-Options)
+- [http://aliexpress.com](frameable/aliexpress.com.html) (Reason: Error)
+- [http://aol.com](frameable/aol.com.html) (Reason: X-Frame-Options)
+- [http://apache.org](frameable/apache.org.html) (Reason: Content-Security-Policy)
+- [http://apple.com](frameable/apple.com.html) (Reason: X-Frame-Options)
+- [http://arxiv.org](frameable/arxiv.org.html) (Reason: X-Frame-Options)
+- [http://biglobe.ne.jp](frameable/biglobe.ne.jp.html) (Reason: X-Frame-Options)
+- [http://britannica.com](frameable/britannica.com.html) (Reason: Too many redirects)
+- [http://buzzfeed.com](frameable/buzzfeed.com.html) (Reason: X-Frame-Options)
+- [http://cambridge.org](frameable/cambridge.org.html) (Reason: Error)
+- [http://cnil.fr](frameable/cnil.fr.html) (Reason: Content-Security-Policy)
+- [http://cnn.com](frameable/cnn.com.html) (Reason: Content-Security-Policy)
+- [http://cointernet.com.co](frameable/cointernet.com.co.html) (Reason: X-Frame-Options)
+- [http://cpanel.net](frameable/cpanel.net.html) (Reason: X-Frame-Options)
+- [http://discord.com](frameable/discord.com.html) (Reason: X-Frame-Options)
+- [http://drive.google.com](frameable/drive.google.com.html) (Reason: X-Frame-Options)
+- [http://dropbox.com](frameable/dropbox.com.html) (Reason: X-Frame-Options)
+- [http://ea.com](frameable/ea.com.html) (Reason: X-Frame-Options)
+- [http://espn.com](frameable/espn.com.html) (Reason: Content-Security-Policy)
+- [http://feedburner.com](frameable/feedburner.com.html) (Reason: X-Frame-Options)
+- [http://forms.gle](frameable/forms.gle.html) (Reason: Error)
+- [http://get.google.com](frameable/get.google.com.html) (Reason: X-Frame-Options)
+- [http://gfycat.com](frameable/gfycat.com.html) (Reason: Error)
+- [http://godaddy.com](frameable/godaddy.com.html) (Reason: Error)
+- [http://goo.ne.jp](frameable/goo.ne.jp.html) (Reason: X-Frame-Options)
+- [http://goodreads.com](frameable/goodreads.com.html) (Reason: X-Frame-Options)
+- [http://google.ru](frameable/google.ru.html) (Reason: X-Frame-Options)
+- [http://gravatar.com](frameable/gravatar.com.html) (Reason: X-Frame-Options)
+- [http://gsmarena.com](frameable/gsmarena.com.html) (Reason: Error)
+- [http://guardian.co.uk](frameable/guardian.co.uk.html) (Reason: X-Frame-Options)
+- [http://hatena.ne.jp](frameable/hatena.ne.jp.html) (Reason: X-Frame-Options)
+- [http://hindustantimes.com](frameable/hindustantimes.com.html) (Reason: X-Frame-Options)
+- [http://hp.com](frameable/hp.com.html) (Reason: X-Frame-Options)
+- [http://ikea.com](frameable/ikea.com.html) (Reason: X-Frame-Options)
+- [http://imageshack.us](frameable/imageshack.us.html) (Reason: X-Frame-Options)
+- [http://independent.co.uk](frameable/independent.co.uk.html) (Reason: X-Frame-Options)
+- [http://jhu.edu](frameable/jhu.edu.html) (Reason: X-Frame-Options)
+- [http://jstor.org](frameable/jstor.org.html) (Reason: X-Frame-Options)
+- [http://justgiving.com](frameable/justgiving.com.html) (Reason: X-Frame-Options)
+- [http://latimes.com](frameable/latimes.com.html) (Reason: X-Frame-Options)
+- [http://linkedin.com](frameable/linkedin.com.html) (Reason: Error)
+- [http://mailchimp.com](frameable/mailchimp.com.html) (Reason: X-Frame-Options)
+- [http://naver.com](frameable/naver.com.html) (Reason: X-Frame-Options)
+- [http://nytimes.com](frameable/nytimes.com.html) (Reason: X-Frame-Options)
+- [http://oup.com](frameable/oup.com.html) (Reason: Error)
+- [http://outlook.com](frameable/outlook.com.html) (Reason: X-Frame-Options)
+- [http://ovhcloud.com](frameable/ovhcloud.com.html) (Reason: X-Frame-Options)
+- [http://people.com](frameable/people.com.html) (Reason: Content-Security-Policy)
+- [http://php.net](frameable/php.net.html) (Reason: X-Frame-Options)
+- [http://pinterest.fr](frameable/pinterest.fr.html) (Reason: X-Frame-Options)
+- [http://play.google.com](frameable/play.google.com.html) (Reason: X-Frame-Options)
+- [http://playstation.com](frameable/playstation.com.html) (Reason: X-Frame-Options)
+- [http://prezi.com](frameable/prezi.com.html) (Reason: X-Frame-Options)
+- [http://reverbnation.com](frameable/reverbnation.com.html) (Reason: X-Frame-Options)
+- [http://sakura.ne.jp](frameable/sakura.ne.jp.html) (Reason: X-Frame-Options)
+- [http://samsung.com](frameable/samsung.com.html) (Reason: X-Frame-Options)
+- [http://search.yahoo.com](frameable/search.yahoo.com.html) (Reason: X-Frame-Options)
+- [http://spiegel.de](frameable/spiegel.de.html) (Reason: Content-Security-Policy)
+- [http://support.google.com](frameable/support.google.com.html) (Reason: X-Frame-Options)
+- [http://theverge.com](frameable/theverge.com.html) (Reason: Content-Security-Policy)
+- [http://walmart.com](frameable/walmart.com.html) (Reason: X-Frame-Options)
+- [http://webnode.page](frameable/webnode.page.html) (Reason: X-Frame-Options)
+- [http://whitehouse.gov](frameable/whitehouse.gov.html) (Reason: X-Frame-Options)
+- [http://wordpress.org](frameable/wordpress.org.html) (Reason: X-Frame-Options)
+- [http://wp.com](frameable/wp.com.html) (Reason: X-Frame-Options)
+- [http://www.gov.uk](frameable/www.gov.uk.html) (Reason: X-Frame-Options)
+- [http://www.over-blog.com](frameable/www.over-blog.com.html) (Reason: X-Frame-Options)
+- [http://www.yahoo.com](frameable/www.yahoo.com.html) (Reason: X-Frame-Options)
+- [http://yadi.sk](frameable/yadi.sk.html) (Reason: Content-Security-Policy)
+- [http://ytimg.com](frameable/ytimg.com.html) (Reason: Error)
+- [http://zendesk.com](frameable/zendesk.com.html) (Reason: Content-Security-Policy)
+
diff --git a/assignments/Rasmussen/4/data/[email protected] b/assignments/Rasmussen/4/data/[email protected]
@@ -0,0 +1,100 @@
+4shared.com
+abcnews.go.com
+alibaba.com
+aliexpress.com
+aol.com
+apache.org
+apple.com
+arxiv.org
+biblegateway.com
+biglobe.ne.jp
+bloomberg.com
+booking.com
+britannica.com
+buzzfeed.com
+cambridge.org
+cnil.fr
+cnn.com
+cointernet.com.co
+com.com
+cpanel.net
+discord.com
+disqus.com
+doi.org
+drive.google.com
+dropbox.com
+ea.com
+elmundo.es
+espn.com
+feedburner.com
+forms.gle
+g.co
+get.google.com
+gfycat.com
+globo.com
+godaddy.com
+gofundme.com
+goo.ne.jp
+goodreads.com
+google.ru
+gravatar.com
+gsmarena.com
+guardian.co.uk
+hatena.ne.jp
+hindustantimes.com
+hp.com
+ign.com
+ikea.com
+imageshack.us
+independent.co.uk
+jhu.edu
+jstor.org
+justgiving.com
+latimes.com
+liberation.fr
+linkedin.com
+mailchimp.com
+marca.com
+naver.com
+news.com.au
+npr.org
+nytimes.com
+offset.com
+oup.com
+outlook.com
+ovhcloud.com
+people.com
+php.net
+pinterest.fr
+pl.wikipedia.org
+play.google.com
+playstation.com
+plos.org
+prezi.com
+pt.wikipedia.org
+reverbnation.com
+sakura.ne.jp
+samsung.com
+search.yahoo.com
+sina.com.cn
+spiegel.de
+support.google.com
+thefreedictionary.com
+theverge.com
+usgs.gov
+vistaprint.com
+walmart.com
+webmd.com
+webnode.page
+whitehouse.gov
+wikimedia.org
+wordpress.org
+wp.com
+www.gov.uk
+www.over-blog.com
+www.wix.com
+www.yahoo.com
+yadi.sk
+ytimg.com
+zendesk.com
+zippyshare.com
diff --git a/assignments/Rasmussen/4/data/ARASM002_test b/assignments/Rasmussen/4/data/ARASM002_test
@@ -0,0 +1,10 @@
+http://www.4shared.com
+http://www.abcnews.go.com
+http://www.alibaba.com
+http://www.aliexpress.com
+http://www.aol.com
+http://www.apache.org
+http://www.apple.com
+http://www.arxiv.org
+http://www.biblegateway.com
+http://www.biglobe.ne.jp
diff --git a/assignments/Rasmussen/4/frame-path-attack/attacker-page/attacker.html b/assignments/Rasmussen/4/frame-path-attack/attacker-page/attacker.html
@@ -0,0 +1,55 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Cookie Security Demo - Attacker Page</title>
+    <style>
+        iframe {
+            width: 100%;
+            height: 200px;
+            border: 1px solid #ccc;
+        }
+        .result {
+            margin-top: 20px;
+            padding: 10px;
+            background-color: #f8f8f8;
+            border: 1px solid #ddd;
+        }
+        .stolen {
+            color: #d63031;
+            font-weight: bold;
+        }
+    </style>
+</head>
+<body>
+    <h1>Cookie Security Demo - Parent Page</h1>
+    <p>This page demonstrates how cookies can be stolen from an iframe when only using Path attribute.</p>
+
+    <h3>Vulnerable iframe:</h3>
+    <iframe src="/frame-path-attack/vulnerable-page"></iframe>
+
+    <div class="result">
+        <h3>Stolen Cookies:</h3>
+        <pre id="cookieDisplay"></pre>
+    </div>
+
+    <script>
+        function extractCookies() {
+            const cookies = document.cookie.split(';');
+            const stolenCookies = cookies.filter(cookie => {
+                const [name] = cookie.trim().split('=');
+                return name === 'sensitiveData' || name === 'clientSideSecret';
+            });
+
+            document.getElementById('cookieDisplay').innerHTML = stolenCookies.length ? 
+                `<span class="stolen">${stolenCookies.join('\n')}</span>` : 
+                'No cookies accessed yet... (try refreshing the page)';
+        }
+
+        // Check for cookies periodically
+        setInterval(extractCookies, 1000);
+
+        // Also check immediately
+        extractCookies();
+    </script>
+</body>
+</html>
diff --git a/assignments/Rasmussen/4/frame-path-attack/vulnerable-page/vulnerable.html b/assignments/Rasmussen/4/frame-path-attack/vulnerable-page/vulnerable.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Vulnerable Page</title>
+</head>
+<body>
+    <h2>Vulnerable Page (iframe content)</h2>
+    <p>This page sets a cookie with only Path attribute protection.</p>
+    <script>
+        // Set another cookie via JavaScript for demonstration
+        document.cookie = "clientSideSecret=sensitive_data;path=/frame-path-attack/vulnerable-page";
+    </script>
+</body>
+</html>
diff --git a/assignments/Rasmussen/4/frameable/4shared.com.html b/assignments/Rasmussen/4/frameable/4shared.com.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>4shared.com</title>
+    <style>
+        body {
+            font-family: Arial, sans-serif;
+            text-align: center;
+        }
+        iframe, .not-frameable {
+            width: 80%;
+            height: 600px;
+            border: 1px solid #ccc;
+            margin: 20px auto; /* Center the box */
+        }
+        .not-frameable {
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            color: red;
+            font-size: 24px;
+        }
+    </style>
+</head>
+<body>
+    <h1>4shared.com</h1>
+    <iframe src="http://4shared.com" frameborder="0"></iframe>
+</body>
+</html>
diff --git a/assignments/Rasmussen/4/frameable/abcnews.go.com.html b/assignments/Rasmussen/4/frameable/abcnews.go.com.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>abcnews.go.com</title>
+    <style>
+        body {
+            font-family: Arial, sans-serif;
+            text-align: center;
+        }
+        iframe, .not-frameable {
+            width: 80%;
+            height: 600px;
+            border: 1px solid #ccc;
+            margin: 20px auto; /* Center the box */
+        }
+        .not-frameable {
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            color: red;
+            font-size: 24px;
+        }
+    </style>
+</head>
+<body>
+    <h1>abcnews.go.com</h1>
+    <iframe src="http://abcnews.go.com" frameborder="0"></iframe>
+</body>
+</html>
diff --git a/assignments/Rasmussen/4/frameable/alibaba.com.html b/assignments/Rasmussen/4/frameable/alibaba.com.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>alibaba.com</title>
+    <style>
+        body {
+            font-family: Arial, sans-serif;
+            text-align: center;
+        }
+        iframe, .not-frameable {
+            width: 80%;
+            height: 600px;
+            border: 1px solid #ccc;
+            margin: 20px auto; /* Center the box */
+        }
+        .not-frameable {
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            color: red;
+            font-size: 24px;
+        }
+    </style>
+</head>
+<body>
+    <h1>alibaba.com</h1>
+    <div class="not-frameable">Website was not frameable</div>
+</body>
+</html>