Intermediate Track, 2.5 hours
XSS & CSRF Attacks
3 guided sections and curated resources to get you contest-ready.
Lesson Playbook
3 sections
1. XSS Types
XSS is attacker-controlled JavaScript executing in the victim's browser under the target site's origin, so it runs with that origin's cookies, storage and DOM access and can do anything the logged-in user can.
Types:
- reflected: the payload travels in the request (URL parameter, form field) and is echoed straight back in the response; the victim has to be lured into sending that request
- stored: the payload is persisted server-side (comment, profile field, filename) and served to everyone who views the affected page
- DOM-based: client-side script reads attacker-controlled input (location.hash, document.referrer, postMessage data) and writes it into a dangerous sink such as innerHTML or eval; the server response can be identical for attacker and victim, so it is invisible in server logs
2. Context First
Identify where the input lands (HTML body, an attribute value, a JavaScript string) before choosing a payload: each context has its own rule for what ends the current construct, so a payload that works in one is usually inert in another. In a quoted attribute you first have to close the quote; in a JavaScript string you first have to close the string and terminate the statement. The same rule drives the fix, which is output encoding chosen for the context rather than one generic filter.
<!-- HTML context -->
<img src=x onerror=alert(1)>
<!-- Attribute context -->
" autofocus onfocus=alert(1) x="3
3. CSRF
CSRF relies on the browser automatically attaching the victim's cookies (and other ambient credentials such as HTTP auth) to a request regardless of which site triggered it, so a state-changing request launched from an attacker's page arrives at the target already authenticated.
Defenses to recognize:
- CSRF tokens: an unpredictable per-session (or per-request) value the attacker cannot read; check that it is actually validated, bound to the session, and required on every state-changing endpoint rather than just the obvious forms
- SameSite cookies: Lax keeps the cookie off cross-site POSTs but still sends it on top-level GET navigations, so GET endpoints that change state stay exploitable; None requires Secure and gives no CSRF protection at all
- Origin/Referer checks: the server compares the header against its own origin; an implementation that treats a missing header as same-origin is bypassable because Referer is easy for the attacker's page to suppress