Demo: Stored XSS versus CSP

Intro

This lab demonstrates a stored cross-site scripting (XSS) vulnerability. We'll show how malicious content can be uploaded to the web server and later served to other users (or the site itself), then how to use Content Security Policy (CSP) as one way of providing protection against this attack.

The most famous stored XSS exploit is the Samy worm that affected over one million MySpace users in under 20 hours using injected JavaScript. As more recent examples, stored XSS vulnerabilities have been found in WordPress, Trello's iPhone app, and VK (Russian social network), to name a few.

To get the most out of this lab, you should be familiar with:

  • basic JavaScript
  • how to navigate the bash terminal
  • using a command line editor (vim, nano, or emacs)

Your web application will boot automatically. Once a link appears in the terminal, visit the provided URL in a new browser tab to view your app.