Group activity website defacement via XSS playground

Posted December 4, 2019

lol I’m teaching Web Security today to my b-school students. It’s a collection of miscellaneous random attacks possible against content hosted online – XSS, SQLi, cloud storage bucket permissions, shopping cart attacks. I like live-demoing XSS website defacement during the class lecture. All students have access to DVWA via their metasploitable2 instances, but I wanted a way where we could all deface the same website, for the visual impact. Figured one out – DVWA has a docker container, and GCP makes it easy to launch docker instances as GCP virtual instances. Two commands in gcloud:

Set up a tagged firewall rule that lets port 80 (http) traffic through:

gcloud compute firewall-rules create allow-http --allow tcp:80 --target-tags http-server

Launch the containerized instance, pointing it at the Docker Hub DVWA image and assigning it the http-server tag so that the firewall rule created in the step above lets port 80 traffic through:

gcloud compute instances create-with-container dvwa --container-image vulnerables/web-dvwa --tags http-server

Once that finishes spinning up, one can visit the public IP address of the instance, and DVWA will be ready to go. The public IP can be found in the GCP web console.

If perchance it gets compromised and wrecked by an internet denizen before I can demo the site to the class, or if perchance a student wrecks it, it’s easy enough to spin up a fresh dvwa instance by rerunning the gcloud create command above. Be mindful that you can’t have two instances with the same name, though (dvwa in the example above).
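The two gcloud commands above, wrapped in a small reset script as an added example (this is not code from the original post): it rebuilds the instance in one step when it gets wrecked, looks up the public IP from the command line, and lets you narrow the port 80 firewall rule to a source range instead of the whole internet. It assumes gcloud is authenticated with a default project and zone set; the CLASS_CIDR value is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the post's two gcloud
# commands in a reset script so a wrecked DVWA instance can be rebuilt in one
# step, and narrows the firewall rule to a source range instead of the whole
# internet. Assumes gcloud is authenticated with a default project and zone.
set -eu

INSTANCE="${INSTANCE:-dvwa}"
IMAGE="${IMAGE:-vulnerables/web-dvwa}"
RULE="${RULE:-allow-http}"
# Placeholder classroom egress range: replace with your own. Using 0.0.0.0/0
# reproduces the post's open setup, where any passer-by can deface the box.
CLASS_CIDR="${CLASS_CIDR:-203.0.113.0/24}"

# Create the tagged firewall rule once; re-running the script must not fail
# just because the rule already exists.
ensure_firewall_rule() {
  if gcloud compute firewall-rules describe "$RULE" >/dev/null 2>&1; then
    echo "firewall rule $RULE already exists"
  else
    gcloud compute firewall-rules create "$RULE" --allow tcp:80 \
      --target-tags http-server --source-ranges "$CLASS_CIDR"
  fi
}

# Instance names must be unique, so delete the old (possibly defaced)
# instance before creating a fresh one from the DVWA container image.
reset_dvwa() {
  if gcloud compute instances describe "$INSTANCE" >/dev/null 2>&1; then
    gcloud compute instances delete "$INSTANCE" --quiet
  fi
  gcloud compute instances create-with-container "$INSTANCE" \
    --container-image "$IMAGE" --tags http-server
}

# Print the instance's public (NAT) IP instead of looking it up in the console.
dvwa_ip() {
  gcloud compute instances describe "$INSTANCE" \
    --format='get(networkInterfaces[0].accessConfigs[0].natIP)'
}

# Subcommands: "reset" rebuilds the instance, "ip" prints its address.
case "${1:-}" in
  reset) ensure_firewall_rule; reset_dvwa; echo "DVWA at http://$(dvwa_ip)/" ;;
  ip)    dvwa_ip ;;
esac
```

Run it as `sh dvwa-reset.sh reset` before class, and `sh dvwa-reset.sh ip` to get the address to put on the projector.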

Edit: This idea of allowing students to anonymously edit a site that I am displaying in front of the class could have, and probably will have, catastrophic consequences. YOLO.


David Eargle is an Assistant Professor at the University of Colorado Boulder in the Leeds School of Business. He earned his Ph.D. degree in Information Systems from the University of Pittsburgh. His research interests include human-computer interaction and information security. He has coauthored several articles in these areas using neurophysiological and other methodologies in outlets such as the Journal of the Association for Information Systems, the European Journal of Information Systems, the International Conference on Information Systems, and the Hawaii International Conference on System Sciences, along with the Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI).
