From 643eb6402237f10ecdf0364728319410f9938c5c Mon Sep 17 00:00:00 2001 From: henopied Date: Sat, 21 Sep 2024 21:52:00 -0500 Subject: [PATCH] onload --- fallctf-2024/src/web/web.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/fallctf-2024/src/web/web.md b/fallctf-2024/src/web/web.md index d476e42..7a1be2e 100644 --- a/fallctf-2024/src/web/web.md +++ b/fallctf-2024/src/web/web.md @@ -144,3 +144,13 @@ If I had set `USER INPUT` to ``, then the websit ``` More details on XSS: https://portswigger.net/web-security/cross-site-scripting + +A useful resource for receiving requests is [webhook.site](https://webhook.site/). For example, if you need to extract some data from a website, you can have your XSS payload send a request to your webhook.site URL with the data you need. + +Be careful when exfiltrating data to make sure the data on the page you are trying to extract is actually loaded. + +```js +window.addEventListener('load', () => { + // ... your code here +}); +``` \ No newline at end of file
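Review bot: the added `load` listener is presented as the fix for reading data that has not loaded yet, but it is only a partial one and the paragraph above it should say so. A `load` handler only runs if it is registered before the event fires; a script that runs after the document has already finished loading never sees the event, and content the page fetches asynchronously after `load` (for example via `fetch` or `XMLHttpRequest`) is still not guaranteed to be present when the callback runs. Suggest rewording "Be careful when exfiltrating data to make sure the data on the page you are trying to extract is actually loaded." to state that waiting for `load` covers static markup and synchronously loaded resources only, so readers know when it is not sufficient. Minor style point: the new block ends with `\ No newline at end of file`; add a trailing newline to `web.md` so the next append to this file does not produce a spurious diff on the last line.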