You are asked to identify the following vulnerabilities

CSRF vulnerabilities that can be utilized to achieve the following attacks.

Adding a friend: normally one tunestore user needs to send out friend request to another user and can

only become friend with that user if the request is approved. Now, please utilize the combination of CSRF

Reflective XSS attacks to bypass the user authorization step and add friends without the victim's

awareness.

Give gift: You can use a newly registered account that is topped up with some money $($via SQL injection$)$ as

the victim target. Then use that account to purchase one album. Then, you can utilize the CSRF $+$

Reflective XSS attacks to make the victim send the CD as gift to another account.

Change password: change the password of a victim account $($created by you$)$ without requiring the user to

open the Profile page.

For this attack, you will need to prepare a simple attack webpage that contains malicious url in hyperlinks or

buttons $($for reflected XSS$)$ so that when the victim has both the Tunestore and this page opened and clicked

these links$/$buttons$,$ the malicious actions can be executed without authentication.

Identify a broken access control vulnerability. For this attack, you only need to find the url that can prove

that one Tunestore account can operate another account's resources without authentication.

Write and successfully demonstrate an attack that exploits the DOM$-$XSS vulnerability to harvest user login

credentials by changing the submission link to a phishing web site.

This attack will be similar to the task $1.$ I recommend you to use the webhook. site $$ as the destination of the

malicious endpoint for collecting users' credential.

Write an attack document $($email$,$ word doc, webpage, or PDF$)$ that can trigger this attack via a link.

Create a web page that performs a clickjacking attack against the "add friend" function.

Hosting Your Own Webpages for CSRF:

Project Format Example: SecurityFirst$-$SampleReport$-1.$pdf darr

For this report, make sure to have screenshots going through each attack as well as the source code for each

attack page.

Please add report of the above to the report you submitted in project I, following the same format.

A control system is given by the block diagram below, where $G(s)=\frac{1}{s+a},H_1(s)=1,H_2(s)=s+b,$ and $a=4,b=8.$

Find the transfer function $G(s)=\frac{C(s)}{R(s)}=\frac{s+c}{2s+d}$

Enter the value d