medienkompetenz-lernplattform/XSS_LESSON_MERGE.md
Marius Rometsch a439873394 Add lessons
2026-02-08 19:47:21 +01:00

XSS Lessons Merge - Summary

Changes Made

The two XSS lessons have been combined into a single comprehensive lesson:

New Files Created

  1. Backend Config:

    • /backend/lessons/configs/xss-comprehensive.yaml
    • Combines content from both xss-deeplink-demo.yaml and script-injection-forum.yaml
    • Duration: 35 minutes (combined from 20 + 25)
    • Total points: 100 (distributed across 4 questions)
  2. Backend Module:

    • /backend/lessons/modules/xss-comprehensive/index.js
    • Merges functionality from both XSS modules
    • Handles both interactive components:
      • testXSSPayload() for reflected XSS demo (XSSDeeplinkDemo)
      • addComment() for stored XSS demo (ForumScriptDemo)

Lesson Structure

The combined lesson flows as follows:

  1. Introduction - What is XSS? (covers both reflected and stored)
  2. Reflected XSS - URL parameter injection explanation
  3. Interactive Demo 1 - XSSDeeplinkDemo (reflected XSS)
  4. Question 1 - Multiple choice (25 pts): Identify reflected XSS payloads
  5. Stored XSS - Persistent attacks explanation
  6. Real-World Examples - Samy Worm, TweetDeck, eBay, British Airways
  7. Interactive Demo 2 - ForumScriptDemo (stored XSS)
  8. Question 2 - Multiple choice (25 pts): Identify stored XSS payloads
  9. Attack Vectors - Common XSS techniques
  10. Question 3 - Single choice (30 pts): Why stored XSS is more dangerous
  11. Prevention - Defense-in-depth approach
  12. Question 4 - Single choice (20 pts): Most effective prevention method

Content Removed

Free-text questions removed:

  • Old Question 3 from xss-deeplink-demo (30 pts)
  • Old Question 3 from script-injection-forum (30 pts)

Developer-specific content removed:

  • Framework security features (React, Angular, Vue)
  • Dangerous functions to avoid (dangerouslySetInnerHTML, bypassSecurityTrust, v-html)
  • Framework-specific implementation details

Content Retained

User-focused prevention techniques:

  • Output encoding (HTML, JavaScript, URL, CSS contexts)
  • Content Security Policy (CSP)
  • Input validation
  • HttpOnly and Secure cookies
  • Web Application Firewall (WAF)
  • Regular security audits

Old Files

The following files are now deprecated but kept for reference:

  • /backend/lessons/configs/xss-deeplink-demo.yaml (deprecated)
  • /backend/lessons/configs/script-injection-forum.yaml (deprecated)
  • /backend/lessons/modules/xss-deeplink-demo/index.js (deprecated)
  • /backend/lessons/modules/script-injection-forum/index.js (deprecated)

Note: The frontend components are still used and should NOT be removed:

  • /frontend/src/components/lessons/InteractiveContent/XSSDeeplinkDemo.jsx (ACTIVE)
  • /frontend/src/components/lessons/InteractiveContent/ForumScriptDemo.jsx (ACTIVE)

How to Use the New Lesson

1. Add to Database

If you have a seed script, add the new lesson:

// In your seed script
const xssComprehensive = await Lesson.create({
  lessonKey: 'xss-comprehensive',
  title: 'Cross-Site Scripting (XSS) - Reflected & Stored Angriffe',
  description: 'Lernen Sie, wie XSS-Angriffe durch URL-Manipulation und benutzergenerierte Inhalte funktionieren und wie man sie erkennt',
  difficultyLevel: 'intermediate',
  estimatedDuration: 35,
  configPath: 'backend/lessons/configs/xss-comprehensive.yaml',
  modulePath: 'backend/lessons/modules/xss-comprehensive'
});

2. Remove Old Lessons (Optional)

If desired, you can remove the old separate XSS lessons from the database:

-- Mark old lessons as inactive or delete them
UPDATE lessons SET is_active = false
WHERE lesson_key IN ('xss-deeplink-demo', 'script-injection-forum');

3. Assign to Events

The new comprehensive lesson can now be assigned to events just like any other lesson.

Testing Checklist

  • Backend module loads correctly
  • XSSDeeplinkDemo interactive component works
  • ForumScriptDemo interactive component works
  • All 4 questions validate correctly
  • Scoring totals to 100 points
  • 70% passing score works (70 out of 100)
  • No developer-specific content visible to users
  • No free-text questions present
  • All content is in German

Point Distribution

| Question | Type | Points | Topic |
| --- | --- | --- | --- |
| Q1 | Multiple Choice | 25 | Identify reflected XSS payloads |
| Q2 | Multiple Choice | 25 | Identify stored XSS payloads |
| Q3 | Single Choice | 30 | Why stored XSS is more dangerous |
| Q4 | Single Choice | 20 | Most effective prevention method |
| Total | | 100 | |

Passing Score: 70 points (70%)
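As an added example (not code from this repository), the following Node.js snippet automates the scoring items of the Testing Checklist and the Point Distribution above: it checks that exactly four questions of allowed types sum to 100 points and applies the 70-point passing rule. The question object shape (id, type, points) and the type names are assumptions; the real keys in xss-comprehensive.yaml may differ, and the sample questions are constructed from the table.

```javascript
// Added example, not part of the lesson repository.
// Assumed question shape: { id, type, points, topic }; adjust to the real YAML schema.
const PASSING_SCORE = 70;          // 70% of 100 points
const TOTAL_POINTS = 100;
const EXPECTED_QUESTION_COUNT = 4;
const ALLOWED_TYPES = new Set(['multiple_choice', 'single_choice']); // no free text

// Constructed sample mirroring the Point Distribution table.
const sampleQuestions = [
  { id: 'q1', type: 'multiple_choice', points: 25, topic: 'Identify reflected XSS payloads' },
  { id: 'q2', type: 'multiple_choice', points: 25, topic: 'Identify stored XSS payloads' },
  { id: 'q3', type: 'single_choice', points: 30, topic: 'Why stored XSS is more dangerous' },
  { id: 'q4', type: 'single_choice', points: 20, topic: 'Most effective prevention method' },
];

// Validate the question set: count, allowed types, positive integer points, total of 100.
function validateLessonConfig(questions) {
  const problems = [];
  if (questions.length !== EXPECTED_QUESTION_COUNT) {
    problems.push(`expected ${EXPECTED_QUESTION_COUNT} questions, got ${questions.length}`);
  }
  for (const q of questions) {
    if (!ALLOWED_TYPES.has(q.type)) problems.push(`${q.id}: disallowed type "${q.type}"`);
    if (!Number.isInteger(q.points) || q.points <= 0) problems.push(`${q.id}: invalid points`);
  }
  const total = questions.reduce((sum, q) => sum + (Number.isInteger(q.points) ? q.points : 0), 0);
  if (total !== TOTAL_POINTS) problems.push(`points total ${total}, expected ${TOTAL_POINTS}`);
  return { ok: problems.length === 0, total, problems };
}

// Apply the passing rule to per-question earned points (same order as questions).
// Earned points are capped at each question's maximum so a buggy grader cannot overshoot.
function hasPassed(questions, earned) {
  const score = earned.reduce((sum, p, i) => sum + Math.min(p, questions[i].points), 0);
  return { score, passed: score >= PASSING_SCORE };
}

module.exports = { validateLessonConfig, hasPassed, sampleQuestions };
```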