SQL Injection and XSS
Securing web applications is critically important, as web vulnerabilities often provide the initial attack vector to gain access to a target network. Hence, it is imperative to use good programming practices (e.g., the use of prepared statements for database queries) when implementing web applications. This lesson provides an overview of two security vulnerabilities that are often present in web applications – SQL injection and cross-site scripting (XSS). It also covers their mitigation and other techniques to provide defense-in-depth for security.
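The following is an added example, not part of the original lesson materials, that demonstrates the prepared-statement practice mentioned above beside the vulnerable string-concatenation pattern it replaces, plus HTML output encoding as the corresponding mitigation for XSS. It uses Python's standard sqlite3 and html modules on a constructed in-memory user table; the table schema, sample rows and input strings are assumptions made for the demonstration.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory database standing in for an application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def build_query_unsafe(username):
    # Vulnerable pattern: untrusted input is spliced into the SQL text itself,
    # so the input can change the structure of the statement.
    return "SELECT name, role FROM users WHERE name = '" + username + "'"


def lookup_unsafe(conn, username):
    # Executes the concatenated query; kept here only to contrast with lookup_safe.
    return conn.execute(build_query_unsafe(username)).fetchall()


def unsafe_query_breaks(conn, username):
    # True when the concatenated query fails to parse, e.g. a name containing a quote.
    try:
        lookup_unsafe(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


def lookup_safe(conn, username):
    # Prepared statement: the SQL text is fixed and the input is bound as a value,
    # so whatever the user types is compared literally against the name column.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (username,)
    ).fetchall()


def render_greeting(display_name):
    # XSS mitigation: encode untrusted data for the HTML context it is placed in,
    # so markup in the input is shown as text rather than interpreted by the browser.
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # A legitimate name containing a quote breaks the concatenated query but
    # is handled correctly by the prepared statement.
    print("unsafe breaks on O'Brien:", unsafe_query_breaks(db, "O'Brien"))
    print("safe lookup of O'Brien:", lookup_safe(db, "O'Brien"))
    # A classic tautology string returns every row through concatenation,
    # while the prepared statement treats it as a literal (non-matching) name.
    payload = "' OR '1'='1"
    print("unsafe rows:", lookup_unsafe(db, payload))
    print("safe rows:", lookup_safe(db, payload))
    print(render_greeting("<script>alert(1)</script>"))
```

The contrast is the point: with concatenation the input participates in parsing the statement, so both a harmless apostrophe and a crafted string alter its meaning; with a bound parameter the statement is parsed once and the input can only ever be a value. The same separation of code from data is what html.escape provides for HTML output.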
Learning Objectives
- Describe the following vulnerabilities:
- SQL injection
- Cross-site scripting (XSS)
- Identify techniques to prevent SQL injection and XSS
How to Complete this Lesson
Complete the following learning activities: (2.75–3.25 hours total)
- Sign the acknowledgement regarding offensive cyber techniques (5 minutes)
- Watch the following videos from the OWASP Appsec Tutorial series:
- SQL Injection (10 minutes)
- Cross Site Scripting (XSS) (10 minutes)
- Attend the class meeting (60 minutes)
- Complete the following exercises to demonstrate attacks against web applications and how to defend against them:
- SQL injection (5–10 minutes)
- XSS (5–10 minutes)
- Start developing the project website (75–90 minutes)
- Meet with your team to sketch an initial design and to assign development tasks (15–30 minutes)
- Develop the initial implementation of at least one page for the site (60 minutes)
Resources
- Introduction to Information Assurance (IA) (15 minutes)
- Website security (15–30 minutes)