Adding products to the basket is vulnerable to CRSF attacks. Need to find a good way of scoring this - any suggestions welcome.
Comment #1
Posted on Apr 17, 2011 by Grumpy Rhino
Or even CSRF ;)
Comment #2
Posted on Apr 19, 2011 by Swift Camel
Can we run it on XAMP?
Comment #3
Posted on Apr 19, 2011 by Grumpy Rhino
I've not tried, but a quick search turned up posts like this: http://mistonline.in/wp/how-to-run-jsp-in-xampp/
Comment #4
Posted on Aug 29, 2014 by Helpful Bird
Two ways I can think of:
1) Check the referrer header. If it's not from an item page which has the "add to basket" link, then score it.
2) Do a CSRF token in reverse ;-). Add a nonce to the legit request, but don't require it to be the right value. If it's the wrong value, view it as a successful CSRF attack. Make that value change every time something is added to the basket, and it's very unlikely someone will try CSRF and not have it scored right.
Comment #5
Posted on Aug 29, 2014 by Helpful Bird
This has been implemented. Changes are in commit 34.
I used the HTTP Header method. If someone really follows the directions by "adding to their cart by getting someone to navigate to your webpage", they will have to either host a webpage, or use a file that's open. Both will mess up the header and show them completing the goal.
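The two scoring approaches from Comment #4, with the Referer-header variant that Comment #5 says was chosen, as an added example. This is illustrative code written for this page, not the project's own change in commit 34 (which is not shown here); the project is JSP-based, but the example is in Python so the logic can be run stand-alone. The host name, item-page path and sample request headers are constructed for the example.

```python
"""Scoring a CSRF'd "add to basket" in a deliberately vulnerable training app.

Two detectors, as described in the thread:
  1. Referer check: the Referer header must point at an item page on our host.
  2. "Reverse" CSRF nonce: the item page embeds a nonce that rotates on every
     add; a missing or wrong nonce is *scored* as a successful CSRF rather than
     rejected, so the app stays vulnerable on purpose.

SITE_HOST and ITEM_PAGE_PATH are constructed values for this example.
"""
import secrets
from urllib.parse import urlparse

SITE_HOST = "bodgeit.example"      # constructed host name
ITEM_PAGE_PATH = "/product.jsp"    # constructed item-page path


def referer_looks_like_csrf(headers):
    """Method 1: True when the Referer is absent or is not one of our item pages.

    A request triggered from a page on another origin carries that origin's
    Referer; a page opened from a local file sends none at all. Both cases fail
    this check, which is what Comment #5 relies on.
    """
    referer = headers.get("Referer")
    if not referer:
        return True
    parts = urlparse(referer)
    return not (parts.netloc == SITE_HOST and parts.path == ITEM_PAGE_PATH)


class BasketSession:
    """Per-user state: the basket, the current reverse nonce, and the score flag."""

    def __init__(self, method="referer"):
        self.method = method            # "referer" (as implemented) or "nonce"
        self.basket = []
        self.csrf_scored = False
        self.nonce = secrets.token_hex(8)

    def render_item_page(self):
        """The legitimate item page embeds the current nonce in its add-to-basket link."""
        return self.nonce

    def add_to_basket(self, product_id, headers, nonce=None):
        """Always honours the request (the app is meant to be vulnerable).

        Returns True when the request is judged to be a CSRF and the goal is scored.
        """
        if self.method == "referer":
            suspicious = referer_looks_like_csrf(headers)
        else:
            # Method 2: a wrong or missing nonce counts as a successful CSRF.
            suspicious = nonce != self.nonce
        self.basket.append(product_id)
        # Rotate on every add so a stale or guessed value does not pass next time.
        self.nonce = secrets.token_hex(8)
        if suspicious:
            self.csrf_scored = True
        return suspicious


# Constructed sample requests for the three cases discussed in the thread.
LEGIT_HEADERS = {"Host": SITE_HOST,
                 "Referer": f"http://{SITE_HOST}{ITEM_PAGE_PATH}?prodid=7"}
CROSS_SITE_HEADERS = {"Host": SITE_HOST, "Referer": "http://other.example/page.html"}
NO_REFERER_HEADERS = {"Host": SITE_HOST}   # e.g. a page opened from a local file


def demo():
    """Run both detectors over the samples; maps case name -> scored as CSRF?"""
    results = {}
    s = BasketSession("referer")
    results["legit"] = s.add_to_basket(7, LEGIT_HEADERS)
    results["cross_site"] = s.add_to_basket(7, CROSS_SITE_HEADERS)
    results["no_referer"] = s.add_to_basket(7, NO_REFERER_HEADERS)
    n = BasketSession("nonce")
    results["nonce_ok"] = n.add_to_basket(7, LEGIT_HEADERS, nonce=n.render_item_page())
    results["nonce_stale"] = n.add_to_basket(7, LEGIT_HEADERS, nonce="deadbeef")
    return results


if __name__ == "__main__":
    for case, scored in demo().items():
        print(f"{case:12s} -> {'scored as CSRF' if scored else 'ok'}")
```

One caveat worth keeping in mind with the Referer method: browsers, privacy extensions and proxies can strip or truncate the Referer, so a genuine click from the item page may occasionally be scored as a CSRF. The reverse-nonce method does not depend on the browser sending a header, but it needs the per-session rotating state shown above.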
Status: Fixed
Labels: Type-Enhancement, Priority-Medium