Security practice

Web Security

XSS, CSRF, SSRF, CSP — the web attacker's playbook.

← Back to all areas

200 XP
XSS Variants
Reflected, stored, DOM — same bug, three delivery modes.
•
200 XP
CSRF & SameSite
Forged requests, anti-CSRF tokens, SameSite cookies.
•
250 XP
SSRF
Server-side request forgery — IMDS, internal scans, allowlists, and the TOCTOU trap.
•
250 XP
CORS Deep
Same-origin policy, preflights, credentials, and the wildcard-vs-specific tension.
•
250 XP
CSP In Depth
Nonces vs hashes, the unsafe-inline trap, Trusted Types.
•
200 XP
Clickjacking
UI redress, X-Frame-Options vs frame-ancestors, and why frame-busting JS fails.
•
250 XP
Auth Bypass
IDOR, JWT confusion, open redirects, mass assignment — the broken-access-control class.
•
250 XP
Prototype Pollution
JS-specific Object.prototype mutation. lodash/jQuery/express. Object.create(null) defense.
•
200 XP
Dependency Vulnerabilities
Package CVE management. Lockfile hygiene. Dependabot vs Renovate. Patch fatigue.
•