Cross-site scripting (XSS) [Nov. 2, 2011, 4:08 p.m.]
Lesson
In WebGoat read the lessons under “Cross Site Scripting”.
Lab
Work the exercises of “Cross Site Scripting”.
The exercises to improve WebGoat are not mandatory (try them if you have experience with Java).
To prevent this kind of attack in PHP as noted in http://dhobsd.pasosdejesus.org/index.php?id=Web+application+security+in+PHP:
- If you need to emit text in HTML that includes user input, use the function htmlentities or the function htmlspecialchars.
- If you need to build a URL that can include user input, use the function urlencode.
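As an added example (not code from this course page, from WebGoat, or from the linked PHP notes), the two recommendations above side by side with the unescaped version they replace. The function names `escapeHtml`, `escapeUrlParam`, `renderGreeting*` and `renderSearchLinkSafe`, the path `/search.php` and the sample inputs are all constructed for illustration:

```php
<?php
// Added example: escaping user input in PHP with htmlspecialchars() and
// urlencode(), as the lesson recommends. Names and sample values below are
// constructed for illustration and are not part of the course material.

declare(strict_types=1);

// Escape text that is placed into an HTML element body or attribute value.
// ENT_QUOTES also escapes single quotes, so the result is safe inside both
// "..." and '...' attributes; passing 'UTF-8' fixes the charset explicitly
// instead of relying on the PHP default.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape a value that becomes one query-string parameter of a URL.
function escapeUrlParam(string $value): string
{
    return urlencode($value);
}

// Vulnerable: user input is interpolated into the page unchanged, so any
// markup in $name is parsed by the browser as part of the page.
function renderGreetingVulnerable(string $name): string
{
    return "<p>Hello, $name</p>";
}

// Hardened: the same page with the input escaped for the HTML context, so
// markup in $name is shown as literal text.
function renderGreetingSafe(string $name): string
{
    return '<p>Hello, ' . escapeHtml($name) . '</p>';
}

// Hardened link: escape for the URL context first, then for the HTML
// attribute the URL is embedded in. Two different contexts need two
// different escapes; neither one alone is enough.
function renderSearchLinkSafe(string $query): string
{
    $href = '/search.php?q=' . escapeUrlParam($query);
    return '<a href="' . escapeHtml($href) . '">Search again</a>';
}

// Constructed sample input: a "name" form field containing markup.
$input = '<script>alert("xss")</script>';

echo renderGreetingVulnerable($input), "\n";
echo renderGreetingSafe($input), "\n";
echo renderSearchLinkSafe('a&b <c>'), "\n";
```

Run it with `php example.php` and compare the first two lines: the vulnerable version emits the `<script>` element as-is, while the safe version turns `<`, `>` and `"` into entity references so the browser renders the tag as text. The third line shows that a value going into a URL is encoded with `urlencode` (so `&` and spaces cannot start a new parameter), and the resulting URL is then escaped again with `htmlspecialchars` because it sits inside an HTML attribute.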
Discuss
Briefly discuss your experience this week. Some ideas follow but you don’t have to answer all the questions. Did you learn something interesting? Was there something confusing in the lesson that you had to look up? If so, what was it? Was it too much or too little work? Anything to add to it to make it better for the next round of students? Anything else you’d like to discuss about this week’s lesson?
A discussion works best when there are at least two people involved so I encourage you to comment on other people’s posts!