Explore HTML context in cross-site scripting by injecting simple HTML, tracking where it lands, and examining cookie security, including http only flags that limit JavaScript access.

Explore how JavaScript context in the dom reveals cross-site scripting opportunities by injecting code that triggers alerts, illustrating dom xss and the importance of secure scripting.

Learn reflected cross-site scripting, how unsanitized inputs reflect in responses, and how to test with black-box, gray-box methods, filter evasion, and context-specific payloads.

Stored cross-site scripting stores malicious input in the database and reflects it to users, often in admin areas, with filter evasion and tools like beef and xss hunter.

Learn advanced XSS filter evasion techniques, including encoding tricks, null bytes, case manipulation, and event handlers, to bypass web app filters during testing.

Explore vb xss and unsanitised input risks. See an MVC example with a broken image tag triggering scripts, and learn defenses and encoding across the view and controller.

Examine how filters block script alerts in xss tests and illustrate bypass techniques using image source with error and alert, then switch to a confirm payload to bypass the block.

Convert input to lowercase to reveal script patterns such as script and alert, demonstrating how to detect them and block malicious content.

Explore how the less than sign, semicolon, and image tag enable XSS by manipulating a broken image source and triggering an alert via the error attribute.

In this lab, block parentheses to prevent script input, show how encoded entities can trigger an alert, and demonstrate practical techniques for mitigating XSS.

Explore cross-site scripting; script and alert are filtered out, while a prompt leads to cross-site scripting again.

Demonstrate cross-site scripting in the HTML attribute context by manipulating an input value, escaping quotes, and breaking out with a single quote to inject a script alert.

See how a sturdy filter blocks script, alert, and confirm, and how an attack vector can trigger a prompt, prompting developers to stop using confirm alerts and scripts.

Explain how uppercase character filtering reshapes xss attack vectors, noting that uppercase-based exploits no longer work, and that some previous vectors may still apply only because uppercase vectors were disabled.

Demonstrate how swapping single and double quotes in HTML attribute values enables xss testing, and how onerror prompts reveal vulnerabilities.

The lecture demonstrates replacing greater-than and less-than signs in input, showing all such signs get replaced and that the less-than sign must be replaced as well.

Explore advanced cross-site scripting techniques, including AngularJS sandbox bypasses, CSP concepts and bypass methods, dangling markup injections, and XSS chaining to increase exploit impact during hunting.