Security demos
A collection of interesting attack scenarios
Attack | Live demo | Source / description | How to fix it / protect yourself |
---|---|---|---|
From XSS to account takeover | https://demo.mkcn.me/XSS/ | Achieve account takeover using an XSS that changes the email address of the victim's account | When implementing a change-email feature, besides using an anti-CSRF token and enabling all security flags on cookies, also require the user to enter their current password |
From SSRF to AWS credentials | https://demo.mkcn.me/SSRF-AWS/ | Steal AWS instance metadata credentials through a Server-Side Request Forgery (SSRF) vulnerability. Real-world example: CVE-2021-21311 | If possible, generate the URL server-side, always validate input, and replace the old IMDSv1 with IMDSv2 (Instance Metadata Service v2) on AWS to make SSRF attacks more difficult |
Email spoofing | https://demo.mkcn.me/email/ | All you need to send fake emails is a server and a couple of lines of code | For sysadmins: enable SPF, DKIM, and DMARC. For users: manually check the source headers of suspicious emails |
Browser in the browser | https://demo.mkcn.me/BITB/ | Steal Google credentials with a fake Single Sign-On (SSO) pop-up window. Source: https://mrd0x.com/browser-in-the-browser-phishing-attack/ | Use a password manager with a browser extension, or check whether the pop-up window can be moved outside the main one |
PasteJacking | https://demo.mkcn.me/pastejacking/ | Copying and pasting commands from untrusted websites may be enough to install malware on your machine. In this demo only an empty file is created on your desktop. Source: https://github.com/dxa4481/Pastejacking | For Linux: add `set enable-bracketed-paste off` to `~/.bashrc`. For Windows: enable the multiline paste warning. Finally, use a clipboard manager to check and monitor your clipboard |
Web CTF challenge | https://demo.mkcn.me/CTF-basic/ | Solve the web challenge! All you need is a browser | - |