6a96547ef0
git-svn-id: http://webgoat.googlecode.com/svn/branches/webgoat-6.0@485 4033779f-a91e-0410-96ef-6bf7bf53c507
25 lines
1.0 KiB
HTML
25 lines
1.0 KiB
HTML
<div align="Center">
|
|
<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting
|
|
(XSS)</p>
|
|
</div>
|
|
<p><b>Concept / Topic To Teach:</b></p>
|
|
<!-- Start Instructions -->
|
|
It is always a good practice to scrub all inputs, especially those
|
|
inputs that will later be used as parameters to OS commands, scripts,
|
|
and database queries. It is particularly important for content that will
|
|
be permanently stored somewhere. Users should not be able to create
|
|
message content that could cause another user to load an undesirable
|
|
page or undesirable content when the user's message is retrieved.
|
|
<br>
|
|
XSS can also occur when unvalidated user input is used in an HTTP
|
|
response. In a reflected XSS attack, an attacker can craft a URL with
|
|
the attack script and post it to another website, email it, or otherwise
|
|
get a victim to click on it.
|
|
<!-- Stop Instructions -->
|
|
<p><b>General Goal(s):</b></p>
|
|
For this exercise, you will perform a stored XSS attack.
|
|
You will also implement code changes in the database to defeat
|
|
these attacks.
|
|
<br>
|
|
|