dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
project
JavaSource
WebContent
META-INF
WEB-INF
css
database
images
javascript
lesson_plans
lesson_solutions
AccessControlMatrix_files
BackDoors_files
BasicAuthentication_files
BlindSqlInjection_files
CSRF_files
ClientSideFiltering_files
ClientSideValidation_files
CommandInjection_files
ConcurrencyCart_files
DOMInjection_files
DOMXSS_files
DOS_Login_files
FailOpenAuthentication_files
ForcedBrowsing_files
ForgotPassword_files
HiddenFieldTampering_files
HtmlClues_files
HttpBasics_files
HttpOnly_files
HttpSplitting_files
InsecureLogin_files
JSONInjection_files
JavaScriptValidation_files
Lab Access Control
Lab SQL Injection
Lab XSS
images
Lab Block Reflected XSS.html
Lab Block Stored XSS using Input Validation.html
Lab Block Stored XSS using Output Encoding.html
Lab Reflected XSS.html
Lab Stored XSS Revisited.html
Lab Stored XSS.html
LogSpoofing_files
MultiLevelLogin1_files
MultiLevelLogin2_files
PasswordStrength_files
PathBasedAccessControl_files
ReflectedXSS_files
RemoteAdminFlaw_files
SessionFixation_files
SilentTransactions_files
SoapRequest_files
SqlNumericInjection_files
SqlStringInjection_files
StoredXSS_files
ThreadSafetyProblem_files
TraceXSS_files
UncheckedEmail_files
WSDLScanning_files
WeakAuthenticationCookie_files
WeakSessionID_files
WsSAXInjection_files
WsSqlInjection_files
XMLInjection_files
XPATHInjection_files
AccessControlMatrix.html
BackDoors.html
BasicAuthentication.html
BlindSqlInjection.html
CSRF.html
ClientSideFiltering.html
ClientSideValidation.html
CommandInjection.html
ConcurrencyCart.html
DOMInjection.html
DOMXSS.html
DOS_Login.html
DangerousEval.html
Encoding.html
FailOpenAuthentication.html
ForcedBrowsing.html
ForgotPassword.html
HiddenFieldTampering.html
HtmlClues.html
HttpBasics.html
HttpOnly.html
HttpSplitting.html
InsecureLogin.html
JSONInjection.html
JavaScriptValidation.html
LogSpoofing.html
MultiLevelLogin1.html
MultiLevelLogin2.html
PasswordStrength.html
PathBasedAccessControl.html
Phishing.html
ReflectedXSS.html
RemoteAdminFlaw.html
SessionFixation.html
SilentTransactions.html
SoapRequest.html
SqlNumericInjection.html
SqlStringInjection.html
StoredXss.html
ThreadSafetyProblem.html
TraceXSS.html
UncheckedEmail.html
WSDLScanning.html
WeakAuthenticationCookie.html
WeakSessionID.html
WsSAXInjection.html
WsSqlInjection.html
XMLInjection.html
XPATHInjection.html
formate.css
lessons
users
main.jsp
sideWindow.jsp
webgoat.jsp
webgoat_challenge.jsp
config
doc
build.xml
Eclipse-Workspace.zip
HOW TO create the WebGoat workspace.txt
build.xml
eclipse.bat
readme.txt
webgoat for SQL Server.bat
webgoat.bat
webgoat.sh
webgoat_8080.bat
webscarab.bat
29f0222258e4f31cdfd66b92165fa07d957f6a2d
WebGoat/main/project/WebContent/lesson_solutions/Lab XSS/Lab Stored XSS.html
wirth.marcel c001a67b95 Minor Bugfixes 
git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@338 4033779f-a91e-0410-96ef-6bf7bf53c507
2008-04-14 13:28:25 +00:00

36 lines
2.0 KiB
HTML
Raw Blame History

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab Block Stored XSS</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
<p><b>Concept / Topic To Teach:</b><br/>
It is always a good practice to scrub all inputs, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere. Users should not be able to create message content that could cause another user to load an undesirable page or undesirable content when the user's message is retrieved.
XSS can also occur when unvalidated user input is used in an HTTP response. In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it.
</p>
<p><b>General Goal(s):</b><br/>
For this exercise, you will perform stored and reflected XSS attacks. You will also implement code changes in the web application to defeat these attacks.
</p>
<p><b>Solution:</b><br/>
First Login as Tom with tom as password. Select Tom from the list and click on the View Profile Button.
Now should appear Tom's Profile. Click on the 'Edit Profile' Button and try an XSS attack on the street filed.<br/>
For example: &lt;script&gt;alert("Got Ya");&lt;/script&gt;<br/>
Click on the UpdateProfile Button and Log out.</p><p>
<p>
<img src="/WebGoat/lesson_solutions/Lab XSS/images/stored_xss.png" width=450px alt="stored_xss.png" />
<p>
Now log in as Jerry with jerry as password. Select from the the list the profile of tom and hit the
ViewProfile Button. Congratulation! You have completed the lesson.
</p>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink