Workshop 2: SQL Injection & Cross-Site Scripting

As we return to Standard Time in Canada, our next workshop is slowly approaching on Friday, November 8th.

Smashing the Web is our next workshop, led by Spencer Lee on Friday, November 8. This workshop will cover SQL injection (SQLi) and cross-site scripting (XSS), spanning introductory examples to complex real-world problems.

Software and Hardware:

You will need the following ready and running for the workshop:

  • A laptop with Linux running natively or in a virtual machine
    • The Linux host or VM will also need to have docker and docker-compose installed as well as any web browser (Firefox, Chrome, etc.)

For simplicity, we’ve created the following VMware Virtual Machine image. It is pre-loaded with all the tools you need. Please download it BEFORE the workshop (it’s ~3.9 GB!). We will be going over how to load it into VMware during the workshop (so please make sure you have VMware Player or VMware Workstation installed by then).

Download Link to Virtual Machine: https://drive.google.com/file/d/1g9y8fhZ5a-Qsz7HHxsAcDRNNRqCl-MWE/view?usp=sharing

Our rough guide for the entire workshop is as follows:

First half – SQL
  • Intro to basic SQL
  • Minimal PHP syntax coverage
  • Overview of injecting SQL into <input> tags
  • Four login examples
  • Two search bar examples

Second half – XSS
  • Installing the local website with docker (GitHub link will be provided)
  • Overview of XSS
  • Introduction to basic JavaScript
  • XSS demonstration
  • Using the local web server, we’ll practice many different XSS attacks in pairs

Last but not least, here are some take-home resources to read up on both topics before and after the workshop.

Take-Home Resources:
https://portswigger.net/web-security/sql-injection
https://portswigger.net/web-security/cross-site-scripting