Reflected XSS lab
Inject <script>alert(1)</script> or event handlers into URL parameters. See immediate reflection. Bypass basic filters with alternate tags and encoding.
Stored XSS lab
Post malicious comment. Reload page — script executes for all users. Higher severity simulation.
DOM XSS lab
Manipulate location.hash or postMessage flows. Source and sink analysis in browser DevTools.
Defense takeaway
After exploiting, note fix: HTML encoding on output, CSP headers, sanitization libraries.