
The Security Sip

Prepare for a career in Cybersecurity, one sip at a time.

Learn a new cybersecurity topic each day in an order that encourages learning and prepares you to be a cybersecurity professional.

Curriculum - Expertly Designed

Learn the essential cybersecurity concepts that build on each other each day by design. Start with the fundamentals and progress to advanced topics, ensuring you build a solid foundation but still learn all the dense topics.

Phase I

  • Week 1: Security Fundamentals

  • Week 2: Network Fundamentals

  • Week 3: Linux Fundamentals

Phase II

  • Week 4: Authentication and Authorization

  • Week 5: Threat Intelligence

  • Week 6: Python for Security

Phase III

  • Week 7: Web Application Security

  • Week 8: Corporate Security

  • Week 9: Cloud Security

  • Week 10: Incident Response

Phase IV

  • Week 11: Secure Coding Practices

  • Week 12: Advanced Topics

Give it a try! Carefully crafted exercises each day.

Real Exercise: An example of a real exercise from The Security Sip, designed to drive home the curriculum you just covered.


Solutions: Keep scrolling to see the solution, explained to encourage learning and get you ready to think like the pros. Paying customers will receive the previous day's solution.

Scenario: Cross-Site Scripting (XSS)

In this exercise, you’re provided with a simple HTML code snippet that is meant to mimic a basic login page. Scan the code and make sense of it. Paste it into an IDE of your choice and render it to view in your browser if you wish to interact with it. Your task is to identify a payload that, when executed by the hypothetical user, would trigger a JavaScript `alert()` function. Create a payload and figure out where you can inject it.

<html>
  <body>
    <h1>The Cybersec Cafe Presents: The Security Sip</h1>
    <h3>Welcome, please sign in.</h3>
    <p>Enter your credentials:</p>
    <input type="text" id="username">
    <input type="password" id="password">
    <button onclick="printUserName()">Enter</button>
    <p id="output"></p>
    <script>
      function printUserName() {
        const usernameObj = document.getElementById("username").value;
        const passwordObj = document.getElementById("password").value;
        const outputObj = document.getElementById("output");
        if (usernameObj.length > 0 && passwordObj.length > 0) {
          outputObj.innerHTML = "Welcome to the Security Sip " + usernameObj + "!";
        } else {
          outputObj.innerHTML = "Please enter username and password.";
        }
      }
    </script>
  </body>
</html>

Solution

Sample Payload:

"<img src=1 onerror="alert('Try the Security Sip!')">

Paste the HTML code into an IDE of your choice to understand how it looks and works.


In this payload, an `<img>` tag is used, and the `onerror` attribute is employed to execute JavaScript when the image fails to load since the `src` attribute is set to an invalid source.


This payload triggers an XSS vulnerability in the provided HTML because of:

  • User Input Reflection: The vulnerability arises from the fact that the HTML code takes user input for the `username` field without properly validating or sanitizing it.

const usernameObj = document.getElementById("username").value;

  • Injection in Username Field: An attacker can input the malicious payload into the username field.

  • Output in HTML: The script responsible for output directly inserts the user-provided input into the HTML without proper escaping.

"<img src=1 onerror="alert('Try the Security Sip!')">

  • Execution of the Malicious Script: When the payload is entered into the username field, the script is reflected in the HTML response. Upon rendering the HTML, the browser interprets the `<img>` tag, attempts to load an image from the specified source (`src=1`), and triggers the `onerror` event. The `onerror` event executes the JavaScript code inside it, which is an alert displaying our message: “Try the Security Sip!”

  • Alert Box Execution: When the HTML is rendered, the injected script executes, and the alert box pops up, demonstrating that the XSS vulnerability has been successfully exploited.
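To see the reflection step without a browser, here is an added example (not part of The Security Sip's exercise) that reproduces the page's string concatenation as plain functions, puts the escaping fix beside it, and runs the page's own payload through both. The `escapeHtml` and `containsInlineHandler` helpers are this example's own, not anything from the exercise.

```javascript
// Added example: the vulnerable rendering from the exercise next to a
// hardened version, as pure string functions so it runs in Node.

// The sample payload from the solution above.
const PAYLOAD = `"<img src=1 onerror="alert('Try the Security Sip!')">`;

// Vulnerable: mirrors `outputObj.innerHTML = "Welcome ... " + usernameObj + "!"`.
// The username is concatenated straight into markup, so anything the user
// typed is parsed as HTML by the browser.
function renderWelcomeVulnerable(username) {
  return "Welcome to the Security Sip " + username + "!";
}

// Encode the five characters that let text break out of an HTML text node
// or attribute value. This is the step the exercise's script is missing.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same message, but the username is encoded before it touches
// markup. In the real page, assigning `outputObj.textContent = ...` instead
// of `innerHTML` achieves the same thing without any escaping logic.
function renderWelcomeSafe(username) {
  return "Welcome to the Security Sip " + escapeHtml(username) + "!";
}

// Defensive check for a template unit test: does the rendered markup contain
// a tag carrying an inline event handler (on...=)? A cheap heuristic for
// catching regressions, not a substitute for output encoding.
function containsInlineHandler(markup) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(markup);
}

console.log("vulnerable:", renderWelcomeVulnerable(PAYLOAD));
console.log("safe:      ", renderWelcomeSafe(PAYLOAD));
console.log("handler in vulnerable output:", containsInlineHandler(renderWelcomeVulnerable(PAYLOAD)));
console.log("handler in safe output:      ", containsInlineHandler(renderWelcomeSafe(PAYLOAD)));
```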

Invest in Yourself

Pick the Plan that works for you!

Free

  • Daily Curriculum

  • Exercises for Each Topic

Standard

  • Everything in Free Plan

  • Daily Solutions

  • Weekly Introductions

  • Zero Advertisements

On-Demand

  • Everything in Standard Plan

  • Instant Access to All Material

FAQ

Will I receive solutions to the problems I've already seen?

Yes! If you decide to purchase The Security Sip, you'll receive solutions for the curriculum you've already passed. If you purchase the On Demand version, you'll receive all the curriculum at once!

I'm having trouble figuring out how to solve one of the exercises.

That is completely normal; these exercises are meant to mimic real-life scenarios and use cases. Part of the process of working in cybersecurity is learning how to work through difficult problems. You won't always know the answer!

My question isn't on this list!

Please reach out to us and we will get back to you as soon as possible. You can find our contact info on the Contact Page.
