First, let's explore the problem. We'll start both the vulnerable and adversarial servers.

If on the command line, we are in the directory directly above the app and attacker we can start each server by referencing the folder:

$ node app/ 

And in another terminal window:

$ node attacker/ 

Now let's set up some local domains to proxy to our two servers, using devurl (which we installed in the Getting ready section).

In a third terminal window, we run the following:

$ devurl app.local http://localhost:3000 

And in yet another terminal window, we run the following:

$ devurl attacker.local http://localhost:3001

Next let's navigate our browser to http://app.local, and log in with the username dave and password ncb, this should ...