Web Security

20 January 2026


XSS

Cross Site Scripting

  • Use innerText instead of innerHTML when writing untrusted data into the page, so it is treated as text rather than parsed as HTML

React2shell

The vulnerability lies in the Flight Protocol of React Server Components (RSC)

CSRF

Cross-Site Request Forgery

Another site makes requests to your site.

a:3000 and a:3001 are treated as different origins, because the ports differ, so Cross-Origin Resource Sharing (CORS) rules apply between them. This means a page on one cannot freely make requests to the other, but CORS does not prevent forms from being submitted from other URLs.

Besides the sessionId, create a csrfToken, store it in the user's browser, then send it in the request body every time the user makes a request to the server.
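
The token check described above, as an added example that is not code from the original page. The in-memory session store and the names login, tokensMatch and handleTransfer are assumptions made for illustration.

```javascript
// Added example: the session store and all function names are hypothetical.
const crypto = require("crypto");

const sessions = new Map(); // sessionId -> { user, csrfToken }

// On login the server issues both values. The sessionId goes in a cookie;
// the csrfToken is handed to the page itself (e.g. a hidden form field).
function login(user) {
  const sessionId = crypto.randomBytes(16).toString("hex");
  const csrfToken = crypto.randomBytes(32).toString("hex");
  sessions.set(sessionId, { user, csrfToken });
  return { sessionId, csrfToken };
}

// Constant-time comparison so the check does not leak how much of a guess matched.
function tokensMatch(expected, supplied) {
  if (typeof supplied !== "string") return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(supplied);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// A state-changing request: the cookie identifies the session, and the body
// must also carry the token that only a page from our own origin was given.
function handleTransfer(req) {
  const session = sessions.get(req.cookies.sessionId);
  if (!session) return { status: 401, body: "not logged in" };
  if (!tokensMatch(session.csrfToken, req.body.csrfToken)) {
    return { status: 403, body: "missing or invalid csrfToken" };
  }
  return { status: 200, body: `transfer by ${session.user} accepted` };
}

// Constructed requests. The browser attaches the cookie in both cases,
// but a form hosted on another site cannot read the csrfToken to include it.
function demo() {
  const { sessionId, csrfToken } = login("alice");
  const ownForm = handleTransfer({ cookies: { sessionId }, body: { amount: 10, csrfToken } });
  const foreignForm = handleTransfer({ cookies: { sessionId }, body: { amount: 10 } });
  return { ownForm: ownForm.status, foreignForm: foreignForm.status };
}

console.log(demo()); // { ownForm: 200, foreignForm: 403 }
```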

Made by Nguyen Huu Dat

© 2025