CSCD 303 Lab5 XSS, CSRF, SQL-Injection - Part 1
Due: March 5, 2014

Instructions
For this lab you will be learning about Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and SQL-Injection. This is part 1 of the lab, in which you read about these attacks and the problems they cause so that you understand the threats. Follow the background links below, read the material and answer the questions. Then, next week, we will try out the attacks, either online or in the lab.

Background Reading and Tutorials

Go to the links below and read about the XSS, CSRF and SQL-injection attacks.
- OWASP XSS Pages
- OWASP Site on CSRF
- More XSS Information: XSS Tutorial
- SQL-Injection OWASP again: OWASP SQL-injection
- A practice site from sqlZoo: SQLzoo hack site
- SQL Injection from W3Schools.com: W3Schools Site

Or, find some of your own references and please include them in your Lab write-up if you find some good ones.

Questions XSS and CSRF
1. What is XSS? Describe it briefly.
2. What is CSRF?
3. What is the difference between Reflected and Stored/Persistent XSS?
4. What do attackers gain from running XSS attacks against users?
5. Name two ways to prevent XSS attacks.
6. How do you prevent CSRF attacks if you are a developer?

Questions on SQL Injection
1. What is SQL-Injection? Describe it briefly.
2. Provide an example of an SQL-injection attack.
3. How do you prevent an SQL-injection attack?
4. What can attackers achieve with an SQL-injection attack?

Turn In
1. Email me the answers to the questions.
2. Put CSCD303-Lab5 in the subject line.