Workshop at St Francis Xavier Secondary School

On April 14th 2026, a Hack for a Change ambassador ran a cybersecurity workshop at St. Francis Xavier Secondary School in front of about 40 students. The topic: web exploitation techniques, why they matter, and what students can do to protect their own projects from the exact vulnerabilities they were about to exploit. The session focused on some of the most common and consequential weaknesses in web applications. Students learned how attackers identify and take advantage of vulnerabilities in websites, and more importantly, how developers can build with security in mind from the start. For students who are learning to build their own websites and applications, this is not abstract knowledge. These are the mistakes that real developers make, and understanding them early is the difference between shipping something secure and shipping something that gets compromised. The highlight of the session was hands-on. Students were given access to a purposefully vulnerable website instance and challenged to perform a Cross-Site Scripting attack, one of the most widely exploited web vulnerabilities in existence. XSS attacks work by injecting malicious scripts into a web page that other users then unknowingly execute, and they remain a top security risk precisely because they are so easy to get wrong as a developer. The room shifted the moment the challenge went live. What started as a workshop became a race. Students competed to be the first to successfully execute the XSS attack on the vulnerable instance, and they pulled it off. Forty students who walked in with no hands-on hacking experience walked out having successfully exploited a real vulnerability in a legal, controlled environment. That is exactly what Hack for a Change is built to do. There is a version of cybersecurity education that stays entirely theoretical. You learn what an XSS attack is, you read about why it is dangerous, and you move on. That version does not stick. The moment a student actually injects a script into a live page and sees it execute, the concept becomes real in a way no slide deck can replicate. They also understand, immediately and viscerally, why sanitizing user input matters when they go to build their own projects. St. Francis Xavier is one of a growing number of schools where Hack for a Change ambassadors are bringing this kind of practical, hands-on cybersecurity education directly into classrooms. No corporate budget required. Just a student who knows the material and a room willing to learn. If you want to bring a workshop like this to your school, visit us at www.hackforachange.org or follow us at @hackforachange on Instagram.