medienkompetenz-lernplattform/XSS_LESSON_MERGE.md
Marius Rometsch a439873394 Add lessons
2026-02-08 19:47:21 +01:00

# XSS Lessons Merge - Summary
## Changes Made
Successfully combined the two XSS lessons into a single comprehensive lesson:
### New Files Created
1. **Backend Config:**
- `/backend/lessons/configs/xss-comprehensive.yaml`
- Combines content from both `xss-deeplink-demo.yaml` and `script-injection-forum.yaml`
- Duration: 35 minutes (down from 20 + 25 = 45 minutes for the two separate lessons, since the free-text questions and the developer-specific section were dropped)
- Total points: 100 (distributed across 4 questions)
2. **Backend Module:**
- `/backend/lessons/modules/xss-comprehensive/index.js`
- Merges functionality from both XSS modules
- Handles both interactive components:
- `testXSSPayload()` for reflected XSS demo (XSSDeeplinkDemo)
- `addComment()` for stored XSS demo (ForumScriptDemo)
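As an added illustration of what the two handlers do (example code written for this summary, not the project's `xss-comprehensive` module): a minimal in-memory version of `testXSSPayload()` and `addComment()` that renders both the vulnerable and the encoded markup and reports whether the demo payload would execute. The difference the lesson teaches is visible in the state: the reflected handler touches nothing beyond the one request, while the stored handler keeps firing for every later render of the forum. The function signatures, the `createForum`/`renderForum` helpers, the `q` parameter name, the `SCRIPT_PATTERN` heuristic and the sample inputs are assumptions.

```javascript
// Added example, not the project's own module. Simulates what a vulnerable
// page would render; nothing is executed server-side.

// HTML-context encoder: the fix shown next to each vulnerable rendering.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Rough "would a browser run script here?" check used only for the lesson's
// feedback verdict. It is a teaching aid, not a security control.
const SCRIPT_PATTERN = /<script\b|\bon[a-z]+\s*=|javascript:|<iframe\b|<svg\b/i;

// Reflected XSS demo: the payload travels in a URL parameter and is echoed
// back once, in the response to that single request. Nothing is stored.
function testXSSPayload(deeplink, param = 'q') {
  const url = new URL(deeplink);
  const value = url.searchParams.get(param) ?? '';
  const vulnerableHtml = `<p>Results for: ${value}</p>`;        // raw echo (the bug)
  const safeHtml = `<p>Results for: ${escapeHtml(value)}</p>`;   // encoded echo
  return {
    kind: 'reflected',
    value,
    vulnerableHtml,
    safeHtml,
    executes: SCRIPT_PATTERN.test(value),
  };
}

// Stored XSS demo: the payload is saved once and re-rendered for every
// visitor of the forum page afterwards, which is what makes it persistent.
function createForum() {
  return { comments: [] };
}

function addComment(forum, author, text) {
  forum.comments.push({ author: String(author), text: String(text) });
  return renderForum(forum);
}

function renderForum(forum) {
  const vulnerableHtml = forum.comments
    .map((c) => `<li><b>${c.author}</b>: ${c.text}</li>`)
    .join('');
  const safeHtml = forum.comments
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</li>`)
    .join('');
  return {
    kind: 'stored',
    vulnerableHtml: `<ul>${vulnerableHtml}</ul>`,
    safeHtml: `<ul>${safeHtml}</ul>`,
    // A stored payload fires on every subsequent render, not just for the poster.
    executes: forum.comments.some(
      (c) => SCRIPT_PATTERN.test(c.text) || SCRIPT_PATTERN.test(c.author),
    ),
    comments: forum.comments.length,
  };
}

// Constructed sample inputs for a stand-alone run.
const demoLink = 'https://lernplattform.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E';
console.log(testXSSPayload(demoLink));
const demoForum = createForum();
addComment(demoForum, 'alice', 'Nice post');
console.log(addComment(demoForum, 'mallory', '<img src=x onerror=alert(document.cookie)>'));
```

`renderForum()` returns both markups so the frontend demo can show the learner the raw and the encoded version side by side; a real forum would of course only ever emit the encoded one.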
### Lesson Structure
The combined lesson flows as follows:
1. **Introduction** - What is XSS? (covers both reflected and stored)
2. **Reflected XSS** - URL parameter injection explanation
3. **Interactive Demo 1** - XSSDeeplinkDemo (reflected XSS)
4. **Question 1** - Multiple choice (25 pts): Identify reflected XSS payloads
5. **Stored XSS** - Persistent attacks explanation
6. **Real-World Examples** - Samy Worm, TweetDeck, eBay, British Airways
7. **Interactive Demo 2** - ForumScriptDemo (stored XSS)
8. **Question 2** - Multiple choice (25 pts): Identify stored XSS payloads
9. **Attack Vectors** - Common XSS techniques
10. **Question 3** - Single choice (30 pts): Why stored XSS is more dangerous
11. **Prevention** - Defense-in-depth approach
12. **Question 4** - Single choice (20 pts): Most effective prevention method
### Content Removed
**Free text questions removed:**
- Old Question 3 from xss-deeplink-demo (30 pts)
- Old Question 3 from script-injection-forum (30 pts)
**Developer-specific content removed:**
- Framework security features (React, Angular, Vue)
- Dangerous functions to avoid (dangerouslySetInnerHTML, bypassSecurityTrust, v-html)
- Framework-specific implementation details
### Content Retained
**Prevention techniques retained** (framework-independent, pitched at the lesson's non-developer audience):
- Context-aware output encoding (HTML, JavaScript, URL and CSS contexts)
- Content Security Policy (CSP)
- Input validation
- HttpOnly and Secure cookie flags (limit session-cookie theft; they do not stop the injected script from running)
- Web Application Firewall (WAF), as a secondary control only: it filters known patterns and does not replace encoding
- Regular security audits
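Added example, not from the lesson or the project: the retained prevention techniques applied to one search page, with a separate encoder per output context and the defence-in-depth response headers (a nonce-based CSP and an HttpOnly/Secure session cookie) around it. The page layout, the `session` cookie name and the caller-supplied nonce are assumptions for illustration.

```javascript
// Added example; not the project's code. Shows one encoder per context and
// why the same value needs different treatment depending on where it lands.

// HTML body/attribute context: numeric entities for the five HTML metacharacters.
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// JavaScript string-literal context: \uXXXX-escape everything that is not
// alphanumeric, so a value can never close the quote or the <script> tag.
function encodeJs(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const hex = c.charCodeAt(0).toString(16).padStart(4, '0');
    return `\\u${hex}`;
  });
}

// URL query-parameter context.
function encodeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// CSS string context: hex-escape non-alphanumerics, with a trailing space so
// the escape cannot swallow the character that follows it.
function encodeCss(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => `\\${c.charCodeAt(0).toString(16)} `);
}

// Each interpolation point uses the encoder for the context it sits in.
// The nonce is assumed to be generated per response by the caller.
function renderSearchPage(query, nonce) {
  return [
    '<!doctype html><html><body>',
    `<p>Results for: ${encodeHtml(query)}</p>`,
    `<a href="/search?q=${encodeUrlParam(query)}">permalink</a>`,
    `<span style="font-family: '${encodeCss(query)}'"></span>`,
    `<script nonce="${encodeHtml(nonce)}">var lastQuery = '${encodeJs(query)}';</script>`,
    '</body></html>',
  ].join('\n');
}

// Defence in depth: if an encoder is missed somewhere, the CSP still blocks
// any script without the per-response nonce, and HttpOnly keeps the session
// cookie out of reach of whatever script does run.
function securityHeaders(sessionId, nonce) {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy':
      `default-src 'self'; script-src 'nonce-${nonce}'; object-src 'none'; base-uri 'none'`,
    'Set-Cookie':
      `session=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax; Path=/`,
  };
}

// Constructed sample input for a stand-alone run: a payload that tries to
// break out of every one of the four contexts at once.
const demoPayload = `'><script>alert(1)</script>`;
const demoNonce = 'replace-with-random-per-response';
console.log(renderSearchPage(demoPayload, demoNonce));
console.log(securityHeaders('sid-123', demoNonce));
```

The nonce must be fresh for every response (for example `crypto.randomBytes(16).toString('base64')` in Node) and must appear both in the CSP header and on the inline `<script>` tag; without it the CSP would block the page's own inline script as well as an injected one.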
## Old Files
The following files are now **deprecated** but kept for reference:
- `/backend/lessons/configs/xss-deeplink-demo.yaml` (deprecated)
- `/backend/lessons/configs/script-injection-forum.yaml` (deprecated)
- `/backend/lessons/modules/xss-deeplink-demo/index.js` (deprecated)
- `/backend/lessons/modules/script-injection-forum/index.js` (deprecated)
**Note:** The frontend components are still used and should NOT be removed:
- `/frontend/src/components/lessons/InteractiveContent/XSSDeeplinkDemo.jsx` (ACTIVE)
- `/frontend/src/components/lessons/InteractiveContent/ForumScriptDemo.jsx` (ACTIVE)
## How to Use the New Lesson
### 1. Add to Database
If you have a seed script, add the new lesson:
```javascript
// In your seed script.
// Title and description stay in German because the lesson content is German.
// English glosses: "Cross-Site Scripting (XSS) - Reflected & Stored Attacks" /
// "Learn how XSS attacks work through URL manipulation and user-generated
// content, and how to recognise them".
const xssComprehensive = await Lesson.create({
  lessonKey: 'xss-comprehensive',
  title: 'Cross-Site Scripting (XSS) - Reflected & Stored Angriffe',
  description: 'Lernen Sie, wie XSS-Angriffe durch URL-Manipulation und benutzergenerierte Inhalte funktionieren und wie man sie erkennt',
  difficultyLevel: 'intermediate',
  estimatedDuration: 35, // minutes, matching the YAML config
  configPath: 'backend/lessons/configs/xss-comprehensive.yaml',
  modulePath: 'backend/lessons/modules/xss-comprehensive'
});
```
### 2. Remove Old Lessons (Optional)
If desired, you can retire the old separate XSS lessons in the database. Prefer marking them inactive over deleting them if other tables (for example user progress) reference them by key or id:
```sql
-- Mark old lessons as inactive or delete them
UPDATE lessons SET is_active = false
WHERE lesson_key IN ('xss-deeplink-demo', 'script-injection-forum');
```
### 3. Assign to Events
The new comprehensive lesson can now be assigned to events just like any other lesson.
## Testing Checklist
- [ ] Backend module loads correctly
- [ ] XSSDeeplinkDemo interactive component works
- [ ] ForumScriptDemo interactive component works
- [ ] All 4 questions validate correctly
- [ ] Scoring totals to 100 points
- [ ] 70% passing score works (70 out of 100)
- [ ] No developer-specific content visible to users
- [ ] No free text questions present
- [ ] All content is in German
## Point Distribution
| Question | Type | Points | Topic |
|----------|------|--------|-------|
| Q1 | Multiple Choice | 25 | Identify reflected XSS payloads |
| Q2 | Multiple Choice | 25 | Identify stored XSS payloads |
| Q3 | Single Choice | 30 | Why stored XSS is more dangerous |
| Q4 | Single Choice | 20 | Most effective prevention method |
| **Total** | | **100** | |
**Passing Score:** 70 points (70%)