onload

fallctf-2024/src/web/web.md

@@ -144,3 +144,13 @@ If I had set `USER INPUT` to `<script>alert("Hello!")</script>`, then the websit
 ```
 
 More details on XSS: https://portswigger.net/web-security/cross-site-scripting
+
+A useful resource for receiving requests is [webhook.site](https://webhook.site/). For example, if you need to extract some data from a website, you can have your XSS payload send a request to your webhook.site URL with the data you need.
+
+Be careful when exfiltrating data to make sure the data on the page you are trying to extract is actually loaded.
+
+```js
+window.addEventListener('load', () => {
+    // ... your code here
+});
+```