This course will become read-only in the near future. Tell us at community.p2pu.org if that is a problem.

Cross-site scripting (XSS) [Nov. 2, 2011, 4:08 p.m.]


Lesson

In WebGoat read the lessons under “Cross Site Scripting."

 

Lab

Work the exercises of "Cross Site Scripting.

The exercises to improve WebGoat are not mandatory (try them if you have experience with Java).  

To prevent this kind of attack in PHP as noted in  http://dhobsd.pasosdejesus.org/index.php?id=Web+application+security+in+PHP:

  • If you need to emit text in HTML that includes user input, use the function htmlentities or the function htmlspecialchars.
  • If you need to use an URL that can include user input, use the function urlencode

 

Discuss

Briefly discuss your experience this week. Some ideas follow but you don’t have to answer all the questions. Did you learn something interesting? Was there something confusing in the lesson that you had to look up? If so, what was it? Was it too much or too little work? Anything to add to it to make it better for the next round of students? Anything else you’d like to discuss about this week’s lesson?

A discussion works best when there are at least two people involved so I encourage you to comment on other people’s posts!