This coming week I begin a series in INF400 Web Security on a group of attack vectors that work hand in hand – XSS, XSRF, hidden manipulation and parameter tampering (then following it up with SQL injection). It’s pretty easy to demonstrate all these, but the tough part comes with explaining how the attacker looks at potential vulnerabilities when the student does not have much experience with HTML or JavaScript.
Trying to make sure we get through all of the course material, I figure I have just about 4 hours to do a fast script review and then demonstrate it. I’ve put together 4 short demos that will hopefully show how the four vectors get exposed, how the attacker finds the vulnerability and then exploits it – a simple forum post, a simple chat, an (online) shopping cart and a social network community wall. What do you think – any ideas on how to approach the lecture(s) and get the most across?