Update 4 code

assignments/Rasmussen/4/README.md

@@ -73,7 +73,7 @@
 - [http://jstor.org](frameable/jstor.org.html) (Reason: X-Frame-Options)
 - [http://justgiving.com](frameable/justgiving.com.html) (Reason: X-Frame-Options)
 - [http://latimes.com](frameable/latimes.com.html) (Reason: X-Frame-Options)
-- [http://linkedin.com](frameable/linkedin.com.html) (Reason: X-Frame-Options)
+- [http://linkedin.com](frameable/linkedin.com.html) (Reason: Error)
 - [http://mailchimp.com](frameable/mailchimp.com.html) (Reason: X-Frame-Options)
 - [http://naver.com](frameable/naver.com.html) (Reason: X-Frame-Options)
 - [http://nytimes.com](frameable/nytimes.com.html) (Reason: X-Frame-Options)

assignments/Rasmussen/4/index.html

@@ -0,0 +1,50 @@
+
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Web Security Demo</title>
+    <style>
+        body {
+            font-family: Arial, sans-serif;
+            max-width: 800px;
+            margin: 40px auto;
+            padding: 20px;
+            text-align: center;
+        }
+
+        .button {
+            display: block;
+            width: 300px;
+            margin: 20px auto;
+            padding: 15px;
+            background-color: #4CAF50;
+            color: white;
+            text-decoration: none;
+            border-radius: 5px;
+            font-size: 16px;
+            transition: background-color 0.3s;
+        }
+
+        .button:hover {
+            background-color: #45a049;
+        }
+    </style>
+</head>
+<body>
+    <h1>Web Security Demonstration</h1>
+
+    <a href="/check-frameable" class="button">
+        Check Frameable Websites
+    </a>
+
+    <a href="/frame-path-attack/vulnerable-page" class="button">
+        Visit Vulnerable Page
+    </a>
+
+    <a href="/frame-path-attack/attacker-page" class="button">
+        Visit Attacker Page
+    </a>
+</body>
+</html>

assignments/Rasmussen/4/server.js

@@ -11,20 +11,33 @@ app.use('/frameable', express.static(path.join(__dirname, 'frameable')));
 
 // Route for the root URL
 app.get('/', (req, res) => {
-    res.sendFile(path.join(__dirname, 'public', 'index.html'));
+    res.sendFile(path.join(__dirname, './', 'index.html'));
 });
 
 // Route for the vulnerable page
 app.get('/frame-path-attack/vulnerable-page', (req, res) => {
-    // Set a cookie with only Path attribute
+    // Remove X-Frame-Options header to ensure framing works
+    res.removeHeader('X-Frame-Options');
+
+    // Set multiple cookies to increase chances of demonstration
     res.cookie('sensitiveData', 'secret123', {
         path: '/frame-path-attack/vulnerable-page',
-        httpOnly: false // Making it accessible via JavaScript for demo
+        httpOnly: false,
+        sameSite: 'Lax'  // Changed to Lax which is more permissive than Strict
+    });
+
+    res.cookie('sessionId', 'demo-session-12345', {
+        path: '/frame-path-attack/vulnerable-page',
+        httpOnly: false,
+        sameSite: 'Lax'
     });
 
+    // Add headers to explicitly allow framing
+    res.setHeader('Access-Control-Allow-Origin', '*');
+    res.setHeader('Access-Control-Allow-Credentials', 'true');
+
     res.sendFile(path.join(__dirname, 'frame-path-attack/vulnerable-page', 'vulnerable.html'));
 });
-
 // Route for the attacker page
 app.get('/frame-path-attack/attacker-page', (req, res) => {
     res.sendFile(path.join(__dirname, 'frame-path-attack/attacker-page', 'attacker.html'));