Computer Science | Grade 6 | 20 min

Web Security: Cross-Site Scripting (XSS) and SQL Injection

Explore web security vulnerabilities like cross-site scripting (XSS) and SQL injection, and learn how to prevent them in web applications.

Tutorial Preview

1. Introduction & Learning Objectives

Learning Objectives

- Define what a website vulnerability is using a simple analogy.
- Explain Cross-Site Scripting (XSS) and how it affects a user's browser.
- Explain SQL Injection and how it affects a website's database.
- Identify a simple example of a malicious script hidden in user input.
- Describe why it's important for websites to not trust user input.
- Differentiate between an XSS attack and an SQL Injection attack based on what they target.
- Explain 'input sanitization' as a basic defense mechanism.

Ever left a comment on a website or in a video game? What if your comment could secretly take over the page for everyone else who reads it? 🦹‍♂️ Websites are like houses; some have secret weak spots or unlocked doors that bad guys can use to sneak in....
2. Key Concepts & Vocabulary

Term: Vulnerability
Definition: A weakness or a secret backdoor in a website's code that a hacker can use to do bad things.
Example: A lock on a door that can be opened with a paperclip is a vulnerability. On a website, a comment box that doesn't check for bad code is a vulnerability.

Term: User Input
Definition: Any information a person types into a website.
Example: Your username when you log in, a comment you post on a video, or what you type into a search bar.

Term: Cross-Site Scripting (XSS)
Definition: A trick where a hacker hides a secret script in their user input (like a comment). When someone else views the page, the secret script runs in their browser, and can be used to steal information.
Example: A hacker posts a comment that looks normal, but secretly contains code to steal login information from anyone who reads the comment.

Term: SQ...
3. Core Syntax & Patterns

The 'Never Trust User Input' Rule
Always assume any text from a user could be a secret attack. When building a website, you must check and clean everything a user types in. Treat all input like it's a potential trick until you've proven it's safe by sanitizing it.

The 'Separate Data from Commands' Rule
Keep the user's information (data) separate from the computer's instructions (commands). This is the main idea behind stopping both XSS and SQL Injection. Don't let a user's comment become a command for the web browser (XSS), and don't let their login attempt become a command for the database (SQLi).
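The two rules above, shown side by side in code. This is an added example, not part of the tutorial: each vulnerable function pastes user data straight into a command (an HTML page, a SQL query), and the hardened function beside it keeps the data separate. The comment text, the "O'Brien" username and the in-memory users table are all constructed for the example; the bold-tag allowlist shows the 'remove dangerous tags but allow safe ones' approach from the practice questions.

```python
import html
import sqlite3

# Constructed sample input (not from the page): a comment carrying a script
# tag, and a legitimate username that happens to contain a quote character.
COMMENT = "<script>alert(1)</script> nice post!"
QUOTED_NAME = "O'Brien"

def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: user data is pasted straight into the HTML, so a <script>
    tag in a comment becomes a command for every reader's browser (XSS)."""
    return "<p>" + comment + "</p>"

def render_comment_safe(comment: str) -> str:
    """Hardened: escape <, >, & and quotes so the browser shows the comment
    as text instead of running it."""
    return "<p>" + html.escape(comment) + "</p>"

def render_comment_allow_bold(comment: str) -> str:
    """Allowlist variant: escape everything, then restore only exact <b> and
    </b> tags. Anything else, including <script>, stays harmless text."""
    escaped = html.escape(comment)
    return "<p>" + escaped.replace("&lt;b&gt;", "<b>").replace("&lt;/b&gt;", "</b>") + "</p>"

def make_db() -> sqlite3.Connection:
    """In-memory users table with two constructed accounts (plaintext
    passwords only to keep the example short)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct-horse"), (QUOTED_NAME, "pw")])
    return conn

def login_unsafe(conn, name: str, password: str):
    """Vulnerable: the name is glued into the SQL text, so a quote inside it
    ends the string literal and the remainder is parsed as SQL (SQLi).
    Returns None when the database rejects the mangled command."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.OperationalError:
        return None  # the user's data was interpreted as part of the command

def login_safe(conn, name: str, password: str) -> bool:
    """Hardened: a parameterised query keeps the command fixed and sends
    name and password separately as data, whatever characters they contain."""
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None
```

With the unsafe login, even an honest user whose name contains a quote breaks the query, which is the same mixing of data and commands that an attacker exploits; the parameterised version logs that user in correctly.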


Sample Practice Questions

Challenging
A new social media site is built by a developer who forgets to sanitize user input on both the user profile 'About Me' section and the login page. What is the most likely outcome?
A. The website will be safe, because modern browsers block these attacks automatically.
B. The site will be vulnerable to both XSS (on profiles) and SQL Injection (on the login page).
C. The site will only be vulnerable to XSS, because SQL Injection is very rare.
D. The site will only be vulnerable to SQL Injection, because profile pages can't be hacked.
Challenging
A website developer wants to allow users to post comments with bold text (using `<b>` tags) but wants to prevent XSS attacks (using `<script>` tags). What is the BEST approach to sanitizing the input?
A. Block all text that contains the letter 's' to prevent 'script'.
B. Remove all text that is typed between '<' and '>' characters.
C. Trust the users not to post malicious scripts.
D. Specifically remove dangerous tags like `<script>` but allow safe tags like `<b>`.
Challenging
A school website's homepage suddenly starts showing a pop-up message to every visitor. The pop-up seems to come from a 'Student of the Week' feature that is updated daily. What is the most likely vulnerability and the best first step to fix it?
A. An XSS vulnerability in the 'Student of the Week' input field; the first step is to check and sanitize the text being displayed there.
B. An SQL Injection vulnerability in the login form; the first step is to reset all user passwords.
C. The website's server has a virus; the first step is to restart the server.
D. A user has a weak password; the first step is to make password rules stronger.
