This afternoon, I started on project 4 for introduction to information security (IIS). The goal for this project is to have us students learn more about web security, and it consists of three objectives, manufacturing three web attacks: cross site scripting, cross site request forgery and structured query language (SQL) injection attack. And although I'm very familiar with the terms, I've actually never carried out any of those attacks in either an academic or a professional setting. In this post, I'll share some of the things I learned while spending 4 hours in a cafe chipping away at the project.
Cross site request forgery (CSRF)
This attack was very straightforward: inspect the source code of the (PHP) files and carefully tease out which form inputs could be set in the body of the HTTP POST.
Cross site scripting (XSS)