This scenario will allow you to create a very basic application that will accept input from a user and return it in the HTML code of another page. This should indicate to you that it's likely to be a cross-site scripting (XSS) attack. I'm going to give you some very boring-looking code, and you can dress it up later if you wish.
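As an added illustration (not the book's own code), the sketch below shows the kind of page described above: one version places the submitted value straight into the HTML, the other encodes it first, and a small check tells the two apart. All function names and the sample input are assumptions made up for this example.

```javascript
// Constructed sample input standing in for what a user might submit.
const SAMPLE_INPUT = '<script>alert(1)</script>';

// Vulnerable: the submitted value is concatenated straight into the markup,
// so any tags it contains become part of the returned page.
function renderVulnerable(name) {
  return '<html><body><p>Hello, ' + name + '</p></body></html>';
}

// Encode the five characters that let text break out of HTML element
// content or a quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: the same page, but the value is encoded before it reaches the markup.
function renderSafe(name) {
  return '<html><body><p>Hello, ' + escapeHtml(name) + '</p></body></html>';
}

// Check a reviewer or unit test can run against a render function:
// does the page echo a probe containing angle brackets back unchanged?
function reflectsRawMarkup(render, probe) {
  return /[<>]/.test(probe) && render(probe).includes(probe);
}

console.log('vulnerable page reflects raw markup:', reflectsRawMarkup(renderVulnerable, SAMPLE_INPUT));
console.log('hardened page reflects raw markup:', reflectsRawMarkup(renderSafe, SAMPLE_INPUT));
console.log(renderSafe(SAMPLE_INPUT));
```

The encoding shown covers HTML element content and quoted attribute values only; values placed inside script blocks, URLs or style rules need encoding specific to those contexts.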
A section on attacks against users and social engineering wouldn't be complete without at least a brief mention of XSS, that most basic and pervasive of attacks. The merest mention of vulnerability to this attack used to make information security officers sweat; now they barely nod. It is accepted that one of the first things that a hacker or computer deviant learns is how to perform XSS. For those who don't know, XSS is the act of forcing JavaScript into the HTML of a web page and using it to perform actions. It can be used to deface websites and generally cause mischief and upset; however, its most widespread use is to steal unprotected...
Chapter 4. Social Engineering
As patching becomes more routine and secure coding practices are adopted more widely, the chances of getting 1337H4XX are reducing significantly. However, as we all know, there's no patch for stupidity or admin oversight. Social engineering will always be a relevant skill; it's telling that most companies don't test for it because they know that there's nothing that can be done. For the time being anyway, the singularity is always around the next corner and I, for one, welcome our new robot overlords.
The ability to convince other people to do something on your behalf is not to be sniffed at. It's also pretty difficult to practice. I'd love to give you a method of conning people into doing things in a controlled environment, but it's pretty difficult to do. Once a person is aware of the potential for them to be socially engineered, they act differently and it defeats the point of the test. You may argue that security personnel, who are usually the people we want to...