The attribute innerText is usually thought to be safe, but as described in the DOM based XSS Prevention Cheat Sheet, this is not always the case (for instance when using a <script>-tag. It's better therefore to use the attribute textContent.

In addition, textContent is more performant.

Workshop participants can choose to hunt for flags during the workshop. To make hunting flags more exiting, and foster a competitive atmosphere, we should add a solution for tracking the flag hunt progress.

The solution should be able to:

• Validate the flags found by a workshop participant.
• Give the workshop participant an overview of the flags they found, and which flags remain to be found.
• Present a leader-board that tracks the top participants, suitable for showing on a big screen as the workshop progresses.

Use of the flag hunt tracking application should be introduced as a part of the workshop documentation.

Currently, Notes.Client just glosses API-request failures. This makes Sticky Notes unnecessarily hard to use, and is sometimes confusing to the point of hindering the workshop. A simple solution would be to add some alerts when something fails, or something similar.

Part 3, Cross Site Scripting (XSS), is missing a flag for the workshop participants to find. It would be neat if this was added.

The flag should be retrievable by using XSS, so one would need to create a bot that regularly accesses the site as another user, and triggers an action that can be exploited using XSS. One option is to have this user store the flag in local storage, or as a global JavaScript variable.

In addition, one would need to create a new XSS vulnerability in the Sticky Notes solution. One option would be to let the application logo image URL be configured from an URL in the database. If this is changed, then one should be able to perform an XSS attack using the img-tag.

During the workshop, the participants work on a separate instance of the application when hunting for flags. Previously, this instance has been hosted locally by the workshop host by using ngrok. It would make it easier to host the workshop if the challenge instance was hosted online somewhere.

If hosted online, then build and deploy automation should be set up, so a push to master triggers a new build and deploy. The build should inject the flags as secret configuration values. In addition, the database should be recreated from some dump-file, so that the state of the application is reset every time a new version is deployed.

GitHub Actions are suggested as a tool for setting up build and deploy.

The documentation could probably need a brush-up. A couple of issues was noted when running the workshop for the first time:

• Some participants was confused about when to use the online challenge instance of the Sticky Notes to hunt for flags. Instead they ended up looking for fags in their local instance of Sticky Notes. This could probably be improved if the introduction was a bit more thorough.
• The introduction to each vulnerability is a bit short. It should be improved to give participants a better understanding of the vulnerability in general, before they start performing an exploit in the fault section.
• It would be beneficial if someone other than the original author goes through the workshop, and updates the documentation where it's confusing, or otherwise lacking.

Currently, the workshop covers 5 common security vulnerabilities:

1. Sensitive data exposure
2. Broken access control
3. Cross site scripting (XSS)
4. SQL injection
5. Insecure deserialization

Ideally, this should be expanded to cover more vulnerabilities, and/or show other exploits of the most common vulnerabilities. One option is to try to cover more of the vulnerabilities in OWASP top 10, but interesting twists on the vulnerabilities already covered, or vulnerabilities outside the top 10 is also interesting.

Does anyone have any ideas to new sections that could be added? How should the vulnerability be structured as a "Fault", "Fix" and "Flag"?