Cross-Site Scripting (XSS) typically originates from failing to sufficiently sanitize user-generated content. We’ll look at how several types of seemingly benign user input can be used to inject some troublesome code into a web application.

Find a way to use a cross-site scripting attack to inject a malicious script into the example web application, such that the user’s username and password are sent to a RequestBin when they attempt to login. The operation of the application should not be obviously affected.

Use some content sanitization techniques to ensure that raw user-generated content isn’t used dangerously. This should result in your previous XSS attack being "disarmed".

Cross-Site Request Forgery Attacks (CSRF) attacks force users to take unwanted actions in an application to which they're currently authenticated. We'll look at how this attack works, and what we can do to mitigate against it.

Stage a CSRF attack against the online banking example app to get users who click a particular link to transfer funds from their account to another one.

Use a CSRF token to defend against request forgery attacks. Your attack in the previous exercise should no longer work.

Break for lunch

Clickjacking involves carefully placing a transparent frame in a way that tricks the user into clicking a legitimate button, ultimately resulting in users performing an unintentional action in another web application.

Stage a clickjacking attack using the example web application, by positioning a transparent frame of the "Blue" web application over the "Red" web application.

Use the X-Frame-Options headers on the HTTP response for the "Blue" web application. This should disarm your previous Clickjacking attack.