Skip to content

Client-Side Vulnerabilities

Attacks executed in the victim's browser: XSS, DOM manipulation, and browser-based exploitation.

  • XSS

    Execute JavaScript in victim's browser. Steal sessions, deface, pivot.

    XSS Guide

  • CSRF

    Force authenticated actions. State-changing requests without consent.

    CSRF Guide

  • Clickjacking

    UI redressing. Trick users into clicking hidden elements.

    Clickjacking

  • postMessage

    Cross-origin messaging vulnerabilities. Origin bypass, data theft.

    postMessage

  • Prototype Pollution

    Pollute Object.prototype. Gadgets to XSS/RCE.

    Prototype Pollution

  • DOM Clobbering

    Override DOM properties with HTML. Break security checks.

    DOM Clobbering

Quick Tests

Vuln Test Where
XSS <img src=x onerror=alert(1)> Any input reflected
CSRF Remove/modify CSRF token State-changing forms
Clickjacking X-Frame-Options missing Sensitive pages
postMessage postMessage('test','*') Cross-origin frames

Entry Points

  • Reflected params: URL params rendered in page
  • Stored inputs: Comments, profiles, messages
  • DOM sinks: innerHTML, eval(), document.write()
  • Event handlers: onclick, onerror, onload
  • URL fragments: location.hash processing