Labs

  • Understanding Content-Security-Policy
  • Input Validation - Request Filter
  • Input Validation - JSON Schema

Course Content

Client-side Attacks: An Introduction

The Same-Origin Policy and what it means to the browser

What is Cross-Site Scripting (XSS)?

The Evolution of XSS:

  • The Myspace Samy worm
  • Targeted XSS Attacks
  • Ad Networks and Cryptomining Attacks
  • Magecart

Why does Cross-Site Scripting happen?

Cross-site scripting - Attack & Outcome:

Types of XSS

  • Reflected
  • Persistent
  • DOM-Based

Labs: Types of Cross-Site Scripting

Effects and Impacts of XSS

Cross-site scripting - Defense:

XSS Defense – Keystone Concepts
Output escaping

Challenges with output escaping

Context-driven output escaping

Lab: Output Escaping

Lab: DOMPurify

Browser-Security Directives

Browsers are your friends. Use them.

Browser security directives that prevent against XSS

Browser Security headers like HTTPOnly, SameSite, etc.

Content-Security-Policy and its utility against XSS

Lab: Content-Security Policy Deep-dive

Client-side attacks are fundamentally different from server-side ones because the attack is initiated from the user's device rather than against the server. This creates a whole new set of problems for security teams to deal with, and developers need to change their remediation strategies, too.

In this course, we take an exclusive look at Cross-Site Scripting (XSS) attacks and why they're such a big deal. We start with an introduction to client-side attacks and how they evolved from the time of MySpace malware. You'll learn about the different kinds of XSS attacks as well as the most popular strategies and exploits used by attackers.

In the next couple of modules, we use hands-on lab exercises to simulate and run XSS attacks on applications. We follow this up with defensive countermeasures using tried-and-tested methods for securing apps against these attacks.

A majority of your learning will be done practically, using labs to simulate realistic environments. This gives you an opportunity to learn first-hand the actual AppSec strategies you'll be using to secure web applications. By the end of this course, you'll have in-depth, hands-on knowledge of how Cross-Site Scripting works and how to deal with real-world attack scenarios.

Level: Beginner
Duration: 4 Hours
Lessons: 12
Cloud Labs: 3
Learning path: Application Security Essentials

Cross-Site-Scripting Attack and Defense

Ideal for:

  • Developer
  • Security Engineer
  • Pentester
  • Security Champion

Copyright AppSecEngineer © 2025