A somewhat curated list of links to various topics in application security.

Cross-Site Scripting (XSS)

XSS Cheat Sheet

Open-redirect to Account Takeover.

Samesite by Default and What It Means for Bug Bounty Hunters

Get Reflected XSS within 3 minutes

Cross-Site Script Inclusion

TR | Steal CSRF Tokens with simple XSS

Testing for XSS (Like a KNOXSS)

CORS Enabled XSS

XSS in GMail’s AMP4Email via DOM Clobbering

Cross-site scripting

Cross-site scripting



The misunderstood X-XSS-Protection

Winning Intigriti's XSS Challenge

File Upload XSS


Making XSS a bit more discoverable with KNOXSS

Show me thy XSS abilities, polyglot!

Cross Site Scripting (XSS) Payload Generator

Advanced Blind XSS Payloads

XSSed my way to 1000$

XSS in hidden input fields

Automating Discovery and Exploiting DOM (Client) XSS Vulnerabilities using Sboxr — Part 1

Automating Discovery and Exploiting DOM (Client) XSS Vulnerabilities using Sboxr — Part 3

A comprehensive tutorial on cross-site scripting



DOM-based XSS – The 3 Sinks



XSS Payloads

The Real Impact of Cross-Site Scripting

Cross site scripting XSS

Cross Site Scripting ( XSS)

XSS Cheat Sheet

Google Assistant Bug Worth $3133.7 !

Hands On training | Google XSS Game

666 lines of XSS vectors, suitable for attacking an API

Reflected Client XSS at

Reflected XSS on Stack Overflow

How to identify whether XSS is reflected or DOM based?


Reflected XSS via AngularJS Template Injection | Hostinger

How I Found Stored XSS in Yahoo!

What is XSS? Cross-site Scripting Explained

Self-XSS + CSRF to Stored XSS

The story behined the Strong XSS filter bypass!

Demonstrating Reflected versus DOM Based XSS

How i converted SSRF TO XSS in jira.

Respect XSS

How I found a stored XSS on thousands of webshops

Compromising CMSes with XSS

XSS using meta Tags – Muhammad Ibraheem – Medium

DEV XSS Protection bypass made my quickest bounty ever!!

How I found an XSS vulnerability within the response field?


XSS Challenge I


Calling Remote Script With Event Handlers

The 7 Main XSS Cases Everyone Should Know

Blind XSS for beginners


Blind XSS for beginners

File Upload XSS

900$ XSS in yahoo ( Recon Wins )

7500$ worth DOM XSS in Facebook Mobile Site – Johns Simon – Medium

XSS (Cross Site Scripting) Prevention Cheat Sheet

Steal CSRF/Auth/Unique key Header with XSS

Chaining Self XSS with UI Redressing is Leading to Session Hijacking (PWN users like a boss)

Stealing HttpOnly Cookie via XSS

Top 500 Most Important XSS Script Cheat Sheet for Web Application Penetration Testing

How To: Write an XSS Cookie Stealer in JavaScript to Steal Passwords

Sniping Insecure Cookies with XSS

bypassing htmlentities()

Taking note: XSS to RCE in the Simplenote Electron client

XSStrike - Detect and exploit XSS vulnerabilites

XSS (Cross Site Scripting) Prevention Cheat Sheet

Rails Quiz: XSS Edition

XSSer – Automated Framework Tool to Detect and Exploit XSS vulnerabilities


XSSight – Automated XSS Scanner And Payload Injector

HTML5 Security CheatsheetWhat your browser does when you look away...

Cross Site Scripting Payloads ≈ Packet Storm

Collection of Cross-Site Scripting (XSS) Payloads

How I Stole Plunker Session Tokens with an Angular Expression

XSS without HTML: Client-Side Template Injection with AngularJS

Angular Template Injection Payloads

Adapting AngularJS Payloads to Exploit Real World Applications


XSS without HTML: Client-Side Template Injection with AngularJS

ng-owasp: OWASP Top 10 for AngularJS Applications


Bypass XSS blacklist “<”, “>”, “&” input nvarchar

Accurate XSS Detection with BurpSuite and PhantomJS

Stealing passwords from McDonald's users

Using Javascript in CSS

Cross Site Scripting without special chars

Uber Bug Bounty: Turning Self-XSS into Good-XSS

Cross-site Scripting (XSS) Attack

The XSS Sandbox

Preventing XSS Attacks in ASP.NET MVC using ValidateInput and AllowHTML