XSS and CSRF
Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)
Cross-Site Scripting (XSS) is a vulnerability that lets an attacker inject malicious scripts into web pages viewed by others. These scripts usually run in the victim's browser and can steal data, hijack sessions, or deface websites.
How XSS Works
- A website displays user input without proper filtering;
- An attacker submits a script as input (for example, in a comment or search box);
- The website shows the script as part of the page;
- The victim's browser runs the attacker's script as if it were trusted code from the site.
Example
You enter your name in a profile form. An attacker instead enters:
<script>alert('XSS');</script>
If the site does not filter this input, anyone viewing the profile page will see a popup. Attackers can use this trick to steal cookies or redirect users.
Penetration Testing for XSS
- Test user input fields by entering harmless scripts like "<script>alert('test');</script>";
- Check if the script runs in the browser or is shown as plain text;
- Report any field that executes your script.
Basic XSS Mitigation
- Escape or remove special characters from user input (such as <, >, ", ');
- Use frameworks that auto-escape output;
- Set the Content-Security-Policy HTTP header to block unsafe scripts.
What is Cross-Site Request Forgery (CSRF)?
Cross-Site Request Forgery (CSRF) tricks a user into performing actions on a website without their consent. Attackers use the victim's browser to send requests (like changing a password) while the victim is logged in.
How CSRF Works
- You log in to a banking site and keep the session open;
- An attacker sends you a link or image that secretly submits a transaction request to your bank;
- Your browser includes your session cookie, so the bank thinks you made the request.
Example
A hidden form on a malicious website:
<form action="https://bank.com/transfer" method="POST">
<input type="hidden" name="amount" value="1000">
<input type="hidden" name="to" value="attacker">
<input type="submit">
</form>
<script>document.forms[0].submit();</script>
If you are logged in to your bank, visiting this page could transfer money without your approval.
Penetration Testing for CSRF
- Look for sensitive actions that do not require extra verification (like a password or token);
- Try to perform these actions using scripts or forms from another site;
- If the action succeeds without user input, the site may be vulnerable.
Basic CSRF Mitigation
- Use unique CSRF tokens in forms and verify them on the server;
- Require re-authentication for critical actions;
- Set cookies with the SameSite attribute to restrict cross-site requests.
Understanding XSS and CSRF is key to finding and fixing web application vulnerabilities. Always test input fields and sensitive actions, and recommend strong validation and token-based protections to keep users safe.