Cross Site Scripting
From reflected alert() to full account takeover. Understand how unescaped user input turns the browser into an execution host.
Curriculum
12 parts in 5 phases
XSS: The Browser is the Database
Cross-Site Scripting turns the browser into an execution host. One unescaped string and the attacker runs JavaScript in your user session.
Reflected XSS
The most common XSS variant. A search box, an error page, a URL parameter — any input echoed back without escaping becomes a script execution point.
Stored XSS
The attacker plants a payload in the database. Every visitor who loads the affected page executes it — comments, reviews, profiles are the classic delivery channels.
DOM-based XSS
No server involved — the payload never leaves the browser. innerHTML, document.write, eval on a URL fragment — the client-side sink is the only boundary.
XSS Payload Techniques
Polyglots, mXSS, scriptless XSS. The payloads that work across filters, encoders, and sanitizers — and how to recognise them by structure, not by alert().
Blind XSS
The payload that fires later, in a different browser, inside an admin panel the attacker never sees. Blind XSS hunters, callback exfiltration, and how to weaponise a back-office injection.
Context-Based XSS Escapes
HTML entity context, JS string context, URL context, CSS context. Each context demands a different escape sequence — the attacker finds one; the defender must close all of them.
CSP Bypass Techniques
Content Security Policy is the strongest client-side defence — until it isn't. JSONP endpoints, CDN-script-based bypasses, nonce reuse, and dangling markup injection.
XSS Defense
CSP, context-aware escaping, sanitisation libraries, and the review checklist that catches what scanners miss. How to ship HTML that cannot execute attacker code.
XSS Detection & Auditing
Automated scanners, manual DOM auditing, browser extension analysis, and the CI pipeline that catches XSS before it ships. The defender toolkit beyond CSP.
XSS Case Studies
Samy (MySpace 2005) — the first XSS worm. Twitter onmouseover (2010). eBay DOM XSS (2014). British Airways/Magecart (2018). The payloads, the root causes, the post-mortems.
XSS Review & Practice
A curated set of progressively harder XSS challenges against fresh endpoints. Reflected, stored, DOM, blind — no hand-holding. The XSS course final.