Part 8 Lab Solutions 2

Video Activity

This lesson offers a lab and solution for stored cross site scripting. It is important for content stored in an application. If someone is able to put anything they desire, a malicious JavaScript can be stored to hack a cookie. In order for information to remain secure, users cannot be allowed to post without things running through an input validat...

Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
9 hours 31 minutes
Difficulty
Intermediate
CEU/CPE
10
Video Description

This lesson offers a lab and solution for stored cross site scripting. It is important for content stored in an application. If someone is able to put anything they desire, a malicious JavaScript can be stored to hack a cookie. In order for information to remain secure, users cannot be allowed to post without things running through an input validation.

Video Transcription
00:04
Hello and welcome to the side. Very secure coding course. My name is Sonny wear, and this is a WASP Top 10 for 2013 a three cross I scripting lab and solution.
00:18
This is the lab and solution for Web goat stored cross site scripting exercise.
00:24
This is the lab solution for the cross side scripting stored cross site scripting attacks. Now stored cross site scripting attacks actually are JavaScript attacks that become part of the trusted page itself? So they're they're quite dangerous
00:43
now in the lesson plan. It says it's always good practice to scrub all input, especially those inputs that will later be used as parameters to OS command scripts and database queries.
00:58
It's particularly important for content that will be permanently stored somewhere in the application.
01:04
Users should not be able to create message content that could cause another user to load an undesirable page or undesirable content when the user's messages retrieved.
01:19
And so what they're alluding to here is if I go ahead and type in a message,
01:26
blew all
01:30
and I am able to put any message here that I like I could actually deviously put some JavaScript code that would actually grab
01:44
people's cookie when they click on my message, right? And so here,
01:52
when someone goes to read my post and click my post, then they would become my victim.
01:59
Great. Okay, so I'm gonna hack your cookie.
02:02
And so
02:05
the explanation here is that you basically do not want to
02:10
allow users to be able to post anything. First of all, anything that's posted you want to make sure runs through input validation,
02:21
especially before you decide to have it house permanently inside of your database and then likewise on the outbound. You want to make sure that anything you pull from the database or pull from a file or someplace where it's contained permanently you.
02:39
If you're going to display that, back out to your Web application, make sure that you do your output in coding.
02:46
And so here we have received a credit for this particular lesson.
Up Next