HTML Injection and Cross-Site Security (XSS and CSRF) Demonstration

This project demonstrates how to conduct and prevent XSS attacks.

Install

git clone <...>
cd demo_xss
bundle install

Execute

ruby app.rb

Now view the site at http://localhost:4567 or whichever port it is on.

Play

Look at the running site and open the 'hacking instructions' link to see what kind of text input you could enter to conduct a script injection attack.

Search within the code of this project (*.rb and views/*.slim) for 'XSS' -- you should find comments on how to make modifications to prevent XSS attacks.
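The kind of change those comments point to, as an added sketch that is not code from this project: output encoding for user text placed in an HTML body, plus a scheme allow-list for user-supplied links, using only Ruby's standard library. The function names, the sample inputs and the allow-list are assumptions made for the illustration.

```ruby
require 'erb'
require 'uri'

# Constructed sample inputs of the kind a comment form might receive.
SAMPLE_COMMENT = %q{<script>alert("xss")</script>}
SAMPLE_LINK    = %q{javascript:alert(1)}

# Vulnerable pattern: user text is interpolated into markup unchanged.
# In a Slim view this corresponds to unescaped output with `==`.
def render_comment_unsafe(text)
  "<p class=\"comment\">#{text}</p>"
end

# Hardened pattern: HTML-encode on output, so the browser treats the
# value as text. ERB::Util.html_escape encodes & < > " and '.
def render_comment_safe(text)
  "<p class=\"comment\">#{ERB::Util.html_escape(text.to_s)}</p>"
end

# Encoding alone does not make a URL safe inside href: a javascript:
# URL contains nothing that needs escaping. Allow-list the scheme first.
# (Assumption: only absolute http/https links are wanted; relative and
# unparseable URLs are replaced with '#'.)
ALLOWED_SCHEMES = %w[http https].freeze

def safe_href(url)
  uri = URI.parse(url.to_s.strip)
  return '#' unless ALLOWED_SCHEMES.include?(uri.scheme&.downcase)
  ERB::Util.html_escape(uri.to_s)
rescue URI::InvalidURIError
  '#'
end

def render_link_safe(url, label)
  "<a href=\"#{safe_href(url)}\" rel=\"noopener noreferrer\">" \
    "#{ERB::Util.html_escape(label.to_s)}</a>"
end

if __FILE__ == $PROGRAM_NAME
  puts render_comment_unsafe(SAMPLE_COMMENT)
  puts render_comment_safe(SAMPLE_COMMENT)
  puts render_link_safe(SAMPLE_LINK, 'my site')
  puts render_link_safe('https://example.com/a?b=1&c=2', 'my site')
end
```
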

Readings on XSS