Cross Site Scripting (XSS) is one of the OWASP top 10 web application vulnerabilities. Although Cross Site Request Forgery (CSRF) attack has decreased (reference: OWASP 2017 ), it is one of the attack that is prominent for web applications. I recently came across an online lab Gruyere , which allows you to test and play around with XSS and CSRF attacks. The site provides various hints in order for you to try out the attack and then provides a description of the exploit. A basic understanding of how web pages function will definitely come in handy. As an open source project, you can also download the source code for the entire lab and learn even more.
Hope you find this lab helpful and learn more about these web application attacks.