updating AJAX lesson plans
git-svn-id: http://webgoat.googlecode.com/svn/trunk@247 4033779f-a91e-0410-96ef-6bf7bf53c507
@ -3,7 +3,12 @@
</div>
<p><b>Concept / Topic To Teach:</b> </p>
<!-- Start Instructions -->
It is always a good practice to validate all input on the server side. XSS can occur when unvalidated user input is used in an HTTP response. In this lesson, unvalidated user-supplied data is used in conjunction with a Javascript eval() call. In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it.
It is always a good practice to validate all input on the server side. XSS can occur
when unvalidated user input is reflected directly into an HTTP response. In this lesson, unvalidated
user-supplied data is used in conjunction with a Javascript eval() call. In a reflected
XSS attack, an attacker can craft a URL with the attack script and store it on another
website, email it, or otherwise trick a victim into clicking on it.
<!-- Stop Instructions -->
<p><b>General Goal(s):</b> </p>
For this exercise, your mission is to come up with some input containing a script. You have to try to get this page to reflect that input back to your browser, which will execute the script. In order to pass this lesson, you must 'alert()' document.cookie.
For this exercise, your mission is to come up with some input which, when run through eval,
will execute a malicious script. In order to pass this lesson, you must 'alert()' document.cookie.
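Review bot: The mitigation stated in the instructions is incomplete for the scenario the same paragraph describes. The text says "It is always a good practice to validate all input on the server side", but the lesson's own description is that "user-supplied data is used in conjunction with a Javascript eval() call", and the rewritten goal says the input is "run through eval". Server-side validation alone does not address that sink; suggest adding a sentence along the lines of "Never pass untrusted data to eval(); parse structured responses with a safe parser instead" so the lesson plan names the client-side control as well. Two smaller points in the same hunk: "Javascript" should be "JavaScript" for consistency with the product name, and the old sentence "post it to another website" has become "store it on another website" while the goal paragraph still opens with "For this exercise, your mission is to come up with some input which, when run through eval," on one line and continues on the next, so double-check the final rendered text reads as one sentence.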