RCX Security
The Security Sip
Prepare for a career in Cybersecurity, one sip at a time.
~
Learn a new cybersecurity topic each day, in an order that encourages learning and prepares you to be a cybersecurity professional.
Curriculum - Expertly Designed
Learn the essential cybersecurity concepts in a sequence where each day builds on the last by design. Start with the fundamentals and progress to advanced topics, so you build a solid foundation without skipping the dense material.
Phase I
Week 1: Security Fundamentals
Week 2: Network Fundamentals
Week 3: Linux Fundamentals
Phase II
Week 4: Authentication and Authorization
Week 5: Threat Intelligence
Week 6: Python for Security
Phase III
Week 7: Web Application Security
Week 8: Corporate Security
Week 9: Cloud Security
Week 10: Incident Response
Phase IV
Week 11: Secure Coding Practices
Week 12: Advanced Topics
Give it a try! Carefully crafted exercises each day.
Real Exercise: An example of a real exercise from The Security Sip, designed to drive home the curriculum you just covered.
Solutions: Keep scrolling to see the solution, explained to encourage learning and get you ready to think like the pros. Paying customers will receive the previous day's solution.
Scenario: Cross-Site Scripting (XSS)
In this exercise, you’re provided with a simple HTML code snippet that is meant to mimic a basic login page. Scan the code and make sense of it. Paste it into an IDE of your choice and render it to view in your browser if you wish to interact with it. Your task is to identify a payload that, when executed by the hypothetical user, would trigger a JavaScript `alert()` function. Create a payload and figure out where you can inject it.
<html>
<body>
<h1>The Cybersec Cafe Presents: The Security Sip</h1>
<h3>Welcome, please sign in.</h3>
<p>Enter your credentials:</p>
<input type="text" id="username">
<input type="password" id="password">
<button onclick="printUserName()">Enter</button>
<p id="output"></p>
<script>
function printUserName() {
const usernameObj = document.getElementById("username").value;
const passwordObj = document.getElementById("password").value;
const outputObj = document.getElementById("output");
if (usernameObj.length > 0 && passwordObj.length > 0){
outputObj.innerHTML = "Welcome to the Security Sip " + usernameObj + "!"
} else {
outputObj.innerHTML = "Please enter username and password."
}
}
</script>
</body>
</html>
Solution
Sample Payload:
"<img src=1 onerror="alert('Try the Security Sip!')">
(The leading double quote is not needed. Nothing on the page wraps the username in quotes, so it simply shows up as part of the greeting text; the `<img>` tag alone is enough.)
Paste the HTML code into an IDE of your choice to understand how it looks and works.
In this payload, an `<img>` tag is used, and the `onerror` attribute is employed to execute JavaScript when the image fails to load since the `src` attribute is set to an invalid source.
This payload triggers an XSS vulnerability in the provided HTML because of:
- User Input Reflection: The page reads the `username` field and, without encoding the value, writes it straight back into the document. No server is involved; the value never leaves the browser, so this is DOM-based XSS rather than the classic reflected kind, but the root cause is the same: untrusted data reaching an HTML sink.
const usernameObj = document.getElementById("username").value;
- Injection in Username Field: An attacker (or a victim who is tricked into pasting the string) enters the payload as the username. Any non-empty password will do, because the `length > 0` check is the only gate before the output is written.
- Output in HTML: The script inserts the user-provided value into the page through `innerHTML`, which parses its argument as markup instead of text:
outputObj.innerHTML = "Welcome to the Security Sip " + usernameObj + "!"
- Execution of the Malicious Script: When the greeting is assigned to `innerHTML`, the browser parses the `<img>` tag, creates the element, tries to load an image from `src=1` (an address that does not resolve to an image), and fires the `onerror` handler. The handler runs the JavaScript in its value, which is an alert displaying our message: "Try the Security Sip!" A `<script>` tag would not work here, since scripts inserted via `innerHTML` are not executed; that is why event-handler attributes such as `onerror` are the usual choice for this sink.
- Alert Box Execution: The alert box pops up, demonstrating that the XSS vulnerability has been successfully exploited.
- The fix: assign the greeting to `textContent` instead of `innerHTML` (the browser then treats the value as text, never markup), or HTML-encode the username before building the string. Input validation on its own is not the answer: a username may legitimately contain `<` or `&`, and the defect is in how the value is output, not in how it is read.
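To make the sink difference concrete, here is an added example (not code from The Security Sip page) that rebuilds the greeting two ways and checks what each sink would receive, without needing a browser. `PAYLOAD` is the string from the solution above; `makeFakeDocument()` is a constructed stand-in for `document`, an assumption so the example runs under Node.

```javascript
// Added example, not code from The Security Sip page. It rebuilds the page's
// greeting two ways so the difference between innerHTML and a text sink can be
// checked without a browser. PAYLOAD is the string from the solution above;
// makeFakeDocument() is a constructed stand-in for `document` (an assumption
// so the example runs under Node).

const PAYLOAD = `"<img src=1 onerror="alert('Try the Security Sip!')">`;

// Reproduces the page's sink: this string is what printUserName() hands to
// innerHTML, so any markup in `username` is parsed as markup.
function renderVulnerable(username) {
  return "Welcome to the Security Sip " + username + "!";
}

// Output encoding for an HTML text context: the five characters that can
// change how a parser reads the surrounding markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Same greeting, but the username can no longer introduce a tag or attribute.
function renderSafe(username) {
  return "Welcome to the Security Sip " + escapeHtml(username) + "!";
}

// Rough detector for the exercise's class of payload: a tag carrying an
// inline event-handler attribute. Good enough for a unit test; a real review
// would parse the DOM rather than regex the string.
function containsEventHandlerTag(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Hardened version of the page's printUserName(): textContent never parses
// its value, so the payload is shown literally instead of executed.
function printUserNameSafe(doc) {
  const username = doc.getElementById("username").value;
  const password = doc.getElementById("password").value;
  const output = doc.getElementById("output");
  if (username.length > 0 && password.length > 0) {
    output.textContent = "Welcome to the Security Sip " + username + "!";
  } else {
    output.textContent = "Please enter username and password.";
  }
  return output.textContent;
}

// Constructed minimal `document` with just the three elements the page uses.
function makeFakeDocument(username, password) {
  const elements = {
    username: { value: username },
    password: { value: password },
    output: { textContent: "", innerHTML: "" },
  };
  return { getElementById: (id) => elements[id] };
}

// Walk-through when run directly: node xss_sink_demo.js
console.log("innerHTML receives:", renderVulnerable(PAYLOAD));
console.log("escaped output:    ", renderSafe(PAYLOAD));
console.log("textContent shows: ", printUserNameSafe(makeFakeDocument(PAYLOAD, "pw")));
```

Run it and compare the three lines: the first still contains a live `<img ... onerror=...>` tag, the second has every `<`, `>` and quote encoded, and the third is the raw payload as plain text, which is exactly what a user would see on the page once `innerHTML` is replaced by `textContent`.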
Invest in Yourself
Pick the Plan that works for you!
Free
- Daily Curriculum
- Exercises for Each Topic
Standard
- Everything in Free Plan
- Daily Solutions
- Weekly Introductions
- Zero Advertisements
On-Demand
- Everything in Standard Plan
- Instant Access to All Material