0 of 4

Demo: Stored XSS versus CSP


This lab demonstrates a cross-site scripting (XSS) vulnerability. We'll show how to upload malicious content to the web server that could harm other users (or the site itself), then how to use Content Security Policy as one way of providing protection against this attack.

The most famous stored XSS exploit is the Samy worm that affected over one million MySpace users in under 20 hours using injected JavaScript. As more recent examples, stored XSS vulnerabilities have been found in WordPress, Trello's iPhone app, and VK (Russian social network), to name a few.

To get the most out of this lab, you should be familiar with:

  • basic JavaScript
  • how to navigate the bash terminal
  • using a command line editor (vim, nano, or emacs)

Enter the command boot at the terminal to launch the application, which will give you a link. Copy this URL into a new browser tab to load the web app. Once the app has loaded, click Next to begin the lab.