- blind xss 1. https://b.moku.fr/admin 2. One without `on` handler:"'> - redirect https://poc.moku.fr/redir.php?url=https://www.example.com - js 1. alert(document.domain) -> https://poc.moku.fr/js/a.js - cors https://poc.moku.fr/cors.php?q=reflected