Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS occurs when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.
XSS remains one of the most prevalent web vulnerabilities, appearing in everything from search bars to user profile fields. The three main variants — Reflected, Stored, and DOM-based — each have distinct attack surfaces. Reflected XSS executes via a crafted URL, Stored XSS persists in the application's database and fires for every visitor, and DOM-based XSS exploits client-side JavaScript that unsafely handles user input without any server round-trip.
The impact of XSS extends well beyond simple alert boxes. Attackers leverage it for session hijacking, credential theft, keylogging, phishing overlays, and as a pivot point for deeper exploitation. In bug bounty programs, Stored XSS on authenticated pages consistently pays well because it can be chained into account takeover.
Modern defenses include Content Security Policy (CSP), output encoding, and frameworks that auto-escape by default — but bypasses are discovered regularly, making XSS a constantly evolving attack surface.
This page collects research, bypass techniques, payloads, and real-world writeups covering all forms of cross-site scripting.
From OWASP
| Date Added | Link | Level | Source | Excerpt |
|---|---|---|---|---|
| 2026-05-19 | Microsoft Exchange Zero-Day Under Attack No Patch Available | news | darkreading.com | https://ift.tt/HM5e6fY |
| 2026-05-18 | Critical Microsoft Exchange Server Vulnerability Actively Exploited in Attacks | news | cybersecuritynews.com | Writeup detailing CVE-2026-42897, a critical spoofing vulnerability in Microsoft Exchange Server exploited in the wild, impacting on-premises Outlook Web Access. Threat actors leverage this network-based flaw, characterized by improper input neutralization, to execute arbitrary JavaScript by sending specially crafted emails. This affects Exchange Server 2016, 2019, and Subscription Edition, enabling network-level spoofing and session hijacking. Temporary mitigations, including the Exchange Emergency Mitigation Service or manual tool execution, are advised despite minor functional side effects like calendar printing issues and inline image display problems, pending a permanent patch. |
| 2026-05-17 | Unpatched Microsoft Exchange Server vulnerability exploited (CVE-2026-42897) | news | helpnetsecurity.com | Microsoft Exchange Server is vulnerable to exploitation due to an unpatched security flaw, identified as CVE-2026-42897. Attackers can leverage this vulnerability, impacting systems that have not been updated. This poses a significant risk to organizations using Microsoft Exchange Server. |
| 2026-05-15 | Critical GitLab Vulnerabilities Enables XSS and Unauthenticated DoS Attacks | news | cybersecuritynews.com | Two critical vulnerabilities have been discovered in GitLab, allowing attackers to perform Cross-Site Scripting (XSS) attacks and unauthenticated Denial-of-Service (DoS) attacks. These flaws could lead to sensitive data exposure and service disruption. Users are strongly advised to update their GitLab instances to the latest versions to mitigate these risks. The specific versions affected and the patches available are detailed in the linked security advisory. |
| 2026-05-14 | GitLab Security Flaw Allows Cross-Site Scripting and Unauthenticated DoS | news | gbhackers.com | A critical GitLab security vulnerability has been disclosed, enabling both Cross-Site Scripting (XSS) and unauthenticated Denial-of-Service (DoS) attacks. The flaw potentially allows attackers to execute malicious scripts within a user's browser and disrupt GitLab services without needing to log in. |
| 2026-05-12 | Instructure confirms hackers used Canvas flaw to deface portals | news | bleepingcomputer.com | Writeup on ShinyHunters exploiting cross-site scripting (XSS) vulnerabilities in Instructure's Canvas LMS. Attackers used these flaws to gain authenticated admin sessions, deface login portals with extortion messages, and exfiltrate over 3.6 terabytes of data. The attacks targeted the Free-for-Teacher environment, leading to temporary downtime and account closures. |
| 2026-05-11 | Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities | news | | Writeup on Cisco Identity Services Engine (ISE) stored cross-site scripting vulnerabilities, CVE-2025-20204 and CVE-2025-20205. These flaws stem from insufficient input validation in the web-based management interface, allowing authenticated attackers to inject malicious script code. Exploitation enables arbitrary script execution within the interface context or access to sensitive browser data, requiring administrative credentials. Cisco has released updates to address these issues. |
| 2026-05-09 | Every Old Vulnerability Is Now an AI Vulnerability | beginner | darkreading.com | This article argues that as Artificial Intelligence (AI) systems become more integrated, traditional cybersecurity vulnerabilities are now also AI vulnerabilities. Existing exploits and weaknesses in software, hardware, and network infrastructure can be leveraged to target or compromise AI models. This means that the vast landscape of known security flaws presents a significant risk to AI systems, requiring a re-evaluation of security strategies to account for this expanded threat surface. |
| 2026-05-03 | Jenkins Patches High-Severity Plugin Flaws Including Path Traversal and Stored XSS | news | cybersecuritynews.com | https://ift.tt/GQ1udUD |
| 2026-05-03 | 'Chaining vulnerabilities is the hallmark of a sophisticated attack': 750000 websites must be patched as Microsoft's popular open source Dotnetnuke CMS hit by an XSS flaw that allows attackers to hijack admin sessions and take over entire web servers | news | | Writeup on CVE-2026-40321, a cross-site scripting (XSS) flaw in the DotNetNuke CMS. This vulnerability allows attackers to upload malicious SVG files, which, when clicked by an authenticated administrator, execute JavaScript, hijack sessions, and enable arbitrary file writes to the server via the `/API/personaBar/ConfigConsole/UpdateConfigFile` endpoint. This enables the creation of ASPX web shells for full server compromise, impacting over 750,000 websites built on the Microsoft-backed platform. |
| 2026-05-01 | Jenkins Plugin Updates Fix Path Traversal and Stored XSS Bugs | news | gbhackers.com | Jenkins plugin updates address seven vulnerabilities, including critical path traversal (CVE-2026-42520) in the Credentials Binding Plugin, enabling arbitrary file writes and potential RCE. Stored XSS flaws are patched in the GitHub Plugin (CVE-2026-42523) and HTML Publisher Plugin (CVE-2026-42524), allowing script injection. Medium-severity issues like information disclosure via Script Security Plugin (CVE-2026-42519) and unsafe deserialization in Matrix Authorization Strategy Plugin (CVE-2026-42521) are also resolved, alongside unauthorized connection tests in GitHub Branch Source Plugin (CVE-2026-42522) and open redirects in Microsoft Entra ID Plugin (CVE-2026-42525). |
| 2026-04-30 | Jenkins Patches High-Severity Plugin Vulnerability Including Path Traversal and Stored XSS | news | cyberpress.org | Jenkins plugin updates patch critical vulnerabilities including CVE-2026-42520 (path traversal leading to RCE in Credentials Binding Plugin), CVE-2026-42523 (stored XSS in GitHub Plugin), and CVE-2026-42524 (stored XSS in HTML Publisher Plugin). Patched versions and mitigation strategies are detailed for these high-severity flaws. |
| 2026-04-30 | dr34mhacks/XSSNow: Find XSS payloads that actually work by filtering them based on real-world constraints instead of blind payload spraying. | intermediate | | XSSNow is a curated library of XSS payloads that aids researchers and bug bounty hunters by providing context-aware, defense-focused, and real-world tested payloads. It categorizes vulnerabilities by injection context, offers specific collections for WAF bypasses and encoding evasions, and suggests payloads optimized for character limitations and filters. The platform also details CSP bypass techniques and browser quirks, encouraging community contributions to its knowledge base of HTML injection, attribute breaking, JavaScript context, CSS injection, and URL parameter attacks. |
| 2026-04-24 | Over 10000 Zimbra Servers Vulnerable to XSS Attacks | news | secnews.gr | https://ift.tt/UNZfrVk |
| 2026-04-24 | Over 10000 Zimbra servers vulnerable to ongoing XSS attacks | news | bleepingcomputer.com | Writeup of CVE-2025-48700, an ongoing XSS vulnerability impacting over 10,000 Zimbra Collaboration Suite instances. Exploitable by unauthenticated attackers, this flaw allows arbitrary JavaScript execution, enabling sensitive information access. Patched in June 2025, it has been actively abused in the wild, leading to CISA's inclusion in its Known Exploited Vulnerabilities Catalog and an order for Federal Civilian Executive Branch agencies to secure affected servers. Previous Zimbra vulnerabilities have also been exploited by APT28 and Russian Winter Vivern. |
| 2026-04-22 | Mass-Assignment to Stored XSS and CSP Bypass in a Chatbot Platform | advanced | | |
| 2026-04-22 | Full Disclosure: DOM-Based XSS And Failures In Bug Bounty Hunting | beginner | | Writeup detailing a DOM-based XSS vulnerability discovered in a bug bounty hunt, where an insecure `eUrl` parameter on a login page allowed for dynamic resource loading from an attacker-controlled server. This flaw, combined with the absence of the HTTPOnly flag on the `ASPSESSIONID` cookie, enabled a one-click account takeover. The writeup emphasizes the importance of input validation, sanitization, allow-listing, CSP, and proper cookie flag implementation to mitigate such risks. |
| 2026-04-22 | Cross-Site Scripting (XSS) Is Surging: 4 New CVEs This Week | news | | Writeup of surging Cross-Site Scripting (XSS) vulnerabilities, detailing four new CVEs including CVE-2026-27243 with a CVSS score of 9.3. It highlights the increasing prevalence of XSS in SaaS environments, the limitations of automated scanners, and the need for regular testing of controls like WAFs and EDRs against current attack patterns, referencing n8n webhooks abused for malware delivery. |
| 2026-04-22 | CVE-2025-26244: Stored XSS in DeimosC2 Leading to Privilege Escalation | news | | Writeup detailing CVE-2025-26244, a stored cross-site scripting vulnerability in CyberOneSecurity's DeimosC2 v1.1.0-Beta. The writeup demonstrates how an attacker can register a malicious agent by reverse-engineering an agent binary to obtain listener details. This allows injection of an XSS payload into the 'graph' endpoint, which executes when a user views the graph. The stolen cookie then enables privilege escalation and unauthorized access to the C2 framework. |
| 2026-04-22 | CVE-2025-25461: SeedDMS Stored XSS | news | | Writeup of CVE-2025-25461, a Stored XSS vulnerability in SeedDMS 6.0.29. Exploitable by users with "Add Category" permissions, an attacker can inject XSS payloads into category names, leading to execution when documents associated with that category are viewed. Potential impacts include session hijacking, data exfiltration, phishing, and remote code execution. Mitigation involves sanitizing user input, employing CSP, and proper output encoding. |
| 2026-04-22 | Finding DOM Polyglot XSS in PayPal the Easy Way | intermediate | portswigger.net | Writeup on discovering DOM-based polyglot XSS vulnerabilities. It details a process utilizing Burp Suite's embedded browser and DOM Invader to identify insecure sinks, specifically on PayPal. The writeup also demonstrates how to bypass Content Security Policy (CSP) by exploiting unintended script gadgets within the PayPal application, including leveraging older versions of Bootstrap and a custom `youtube.js` gadget to execute JavaScript. |
| 2026-04-22 | Cisco IOS XE Web Authentication Reflected XSS Advisory | news | | |
| 2026-04-22 | CVE-2025-66412: Angular Stored XSS via SVG Animation and MathML Attributes | news | | Writeup of CVE-2025-66412, an Angular Stored XSS vulnerability. The Angular Template Compiler's incomplete security schema allows bypassing sanitization for URL-holding attributes and SVG animation elements. Attackers can inject `javascript:` URLs into attributes like `xlink:href` or by manipulating the `attributeName` in SVG animations, leading to arbitrary code execution, session hijacking, and data exfiltration. Patches are available in Angular versions 19.2.17, 20.3.15, and 21.0.2. |
| 2026-04-22 | CVE-2025-0133: PAN-OS Reflected XSS in GlobalProtect Gateway | news | | Writeup detailing CVE-2025-0133, a reflected XSS vulnerability in Palo Alto Networks PAN-OS GlobalProtect gateway and portal. This flaw allows attackers to execute malicious JavaScript in a user's browser via crafted links, primarily posing a risk of phishing and credential theft, especially when Clientless VPN is enabled. Mitigation involves enabling Threat IDs 510003 and 510004 via Threat Prevention content version 8995, applying Vulnerability Protection profiles to security rules, or disabling Clientless VPN. |
| 2026-04-22 | Synthesizing XSS Polyglots with Monte Carlo Tree Search (arXiv 2025) | advanced | arxiv.org | |
| 2026-04-19 | Bypassing Signature-Based XSS Filters: Modifying HTML | intermediate | portswigger.net | Technique for bypassing signature-based XSS filters by modifying HTML syntax, demonstrating methods to obfuscate payloads. It explores variations in tag casing, insertion of NULL bytes and superfluous characters, use of alternative attribute delimiters like backticks, and HTML encoding within attribute values to evade detection. Examples are provided using DVWA and OWASP's Broken Web Application Project. |
| 2026-04-19 | Advanced XSS Filter Bypass Methods Using Payload Splitting | advanced | | |
| 2026-04-19 | XSS Payload Bypass Technique: A Practical Guide | intermediate | undercodetesting.com | Technique for bypassing XSS filters that demonstrates obfuscation using mixed-case and redundant slashes to trigger `onfocus` events. Mitigation strategies include input sanitization with DOMPurify and implementing Content Security Policy (CSP). The article also provides Linux and Windows commands for auditing logs and scanning directories for vulnerable scripts, along with advanced payload encoding via `burp-decoder` or base64. |
| 2026-04-19 | Intigriti July 2025 XSS Challenge — Jorian Woltjer | beginner | | Challenge writeup on bypassing XSS filters, leveraging DOM clobbering and Mutation XSS techniques. It demonstrates how to exploit HTML parsing quirks, specifically "foster parenting" within table elements and "node flattening," to manipulate the DOM and override critical elements like `chat-messages`. The writeup also showcases a method to bypass Content Security Policy (CSP) by exploiting a Socket.IO polling endpoint, reflecting input in a way that allows JavaScript execution. |
| 2026-04-17 | Multiple Cross-Site Scripting (XSS) Vulnerabilities in Mailcow | news | aikido.dev | Advisory detailing three XSS vulnerabilities found in Mailcow, including a critical unauthenticated flaw affecting administrator accounts via Autodiscover logs (GHSA-f9xf-vc72-rcgm). Another XSS targets administrators through attachment filenames in the Quarantine feature (GHSA-2xjc-rg88-jvpp), and a Self-XSS in Login History is escalated via Login CSRF (GHSA-jprq-w83q-q62h). All issues have been fixed since version 2026-03b. |
| 2026-04-16 | Bypassing DOMPurify with Good Old XML | advanced | | Writeup detailing DOMPurify bypasses found by exploiting parsing inconsistencies between XML and HTML for Processing Instructions (`<?...?>`) and CDATA sections (`<![CDATA[...]]>`). The first bypass leveraged the differing interpretation of Processing Instructions, allowing arbitrary `nodeName` injection. A subsequent bypass exploited how HTML parsers handle CDATA sections outside SVG/MathML, treating them as bogus comments ending with `>` instead of `]]>`. These vulnerabilities were addressed by updates to DOMPurify's node filtering. |
| 2026-04-16 | Exploring the DOMPurify Library: Bypasses and Fixes | intermediate | | Article detailing bypasses and fixes for the DOMPurify library, exploring how client-side HTML sanitizers work. It highlights vulnerabilities arising from inconsistent HTML parsing, namespace manipulations (e.g., SVG and MathML interactions), and deviations in handling nested element limits. Specific techniques like double parsing, the use of `<form>` element restrictions, and mutations exploiting HTML insertion modes and the stack of open elements are discussed, referencing bypasses like the one found in DOMPurify versions <= 3.1.0 by @IcesFont. |
| 2026-04-16 | Content Security Policy Bypass Techniques Collection | intermediate | | Collection of Content Security Policy (CSP) bypass techniques detailing directives like `script-src`, `default-src`, and `frame-ancestors`, and sources such as `'self'`, `'unsafe-inline'`, and `'unsafe-eval'`. This resource analyzes how CSP mitigates content injection like XSS, yet remains vulnerable to bypasses when misconfigured, highlighting the importance of thorough policy evaluation using tools like CSP Evaluator and CSP Validator. It provides practical examples of exploitable CSP configurations leading to script execution. |
| 2026-04-16 | CSPBypass: Tool to Bypass Content Security Policies | intermediate | | Tool for bypassing Content Security Policies (CSP) to exploit XSS vulnerabilities; CSPBypass helps ethical hackers find existing bypass gadgets or contribute new ones. It identifies CSP loopholes, often leveraging JSONP endpoints or JavaScript libraries on whitelisted domains, to execute JavaScript despite restrictive policies. The project encourages community contributions of new bypass techniques, with a dataset curated from Common Crawl for identifying commonly whitelisted domains. |
| 2026-04-16 | PayloadsAllTheThings: XSS Injection Cheat Sheet | beginner | | Cheatsheet of XSS injection techniques and payloads, covering methodology, proof of concept examples, and common injection vectors like HTML wrappers, PostMessage, blind XSS, and mutated XSS. It details payload strategies for capturing sensitive data such as cookies and access tokens, crafting fake login forms, keylogging, and exploiting DOM-based vulnerabilities. The resource also highlights effective payloads for modern applications, including sandbox domain contexts, and lists tools like XSSStrike, xsser, Dalfox, and XSpear for blind XSS detection. |
| 2026-04-16 | Advanced XSS Exploitation: Bypassing CSP and DOM Sanitization | advanced | | |
| 2026-04-16 | CVE-2025-63418: Weaponizing the Browser Console - DOM-based XSS Deep Dive | advanced | | |
| 2026-04-16 | bypassXSS: A Curated Collection of Advanced XSS Bypass Techniques | advanced | | Collection of advanced XSS bypass techniques detailing filter types, encoding methods, DOM manipulation, HTML5 abuse, JavaScript context escapes, WAF strategies against Cloudflare and Akamai, framework-specific payloads for AngularJS and React, and CSP misconfigurations. It includes real-world bug bounty case studies and a payload repository for testing tools like DOMPurify and various WAFs. |
| 2026-04-16 | Cross-Site Scripting (XSS) Practical CTF Guide | intermediate | | |
| 2026-04-10 | Beyond XSS: Mutation XSS Explained | beginner | | Writeup detailing mutation XSS (mXSS) techniques that exploit browser HTML parsing inconsistencies to bypass sanitizers like DOMPurify. It explains how malformed HTML within SVG and style tags can be mutated by browsers, leading to unexpected DOM structures that allow arbitrary code execution through attributes. The article references a specific DOMPurify vulnerability fixed in version 2.0.1. |
| 2026-04-10 | CVE-2025-26791: DOMPurify Regular Expression Bug for mXSS | news | | Writeup of CVE-2025-26791 detailing a mutation XSS (mXSS) vulnerability in DOMPurify (versions prior to 3.2.4). The flaw stems from an inadequate regular expression used to sanitize template literals within SVG elements, allowing attackers to craft payloads that bypass initial sanitization. Browsers can then mutate this input during rendering, executing malicious JavaScript, particularly affecting SVG desc and title tags. The vulnerability is exploitable in environments that use DOMPurify for user-supplied HTML and rely on its sanitization before rendering. |
| 2026-04-10 | Bypassing DOMPurify Again with Mutation XSS | intermediate | portswigger.net | Writeup detailing a bypass of DOMPurify using Mutation XSS (mXSS). The technique leverages HTML comments and specially crafted tags within a `<math>` element to achieve cross-site scripting. The bypass was initially found to work in Chrome by exploiting how DOMPurify handled mutations within text nodes, specifically by placing malicious code within an image's title attribute after an encoded comment. A subsequent bypass was discovered for Firefox, utilizing CDATA tags instead of HTML comments. The vectors are demonstrated using a custom mXSS tool and are relevant for bypassing HTML filters, with the Chrome vector patched in DOMPurify version 2.1. |
| 2026-04-10 | Penetration Testing of Electron-based Applications | beginner | | Guide to security testing and hardening Electron-based desktop applications, detailing real-world attack vectors and analysis techniques. It covers discovering bundled endpoints, extracting ASAR files, analyzing IPC channels, testing preload bridges, and validating update mechanisms. Techniques include checking dependency vulnerabilities with `npm audit`, inspecting `package.json` for entry points, and analyzing `webPreferences` like `nodeIntegration` and `contextIsolation` for potential XSS and RCE vulnerabilities. |
| 2026-04-10 | DbGate Stored XSS to RCE in Electron (CVE-2026-34725) | intermediate | advisories.gitlab.com | |
| 2026-04-10 | Intigriti Challenge 0226: Stored XSS & CSP Bypass | intermediate | | |
| 2026-04-10 | Content Security Policy Bypass Techniques and Security Tips | intermediate | vaadata.com | Survey of Content Security Policy (CSP) bypass techniques, detailing common misconfigurations and exploitation scenarios. It explains CSP directives like `script-src`, `object-src`, `img-src`, and fetch values such as `'self'`, `'unsafe-inline'`, and `'unsafe-eval'`. The survey covers vulnerabilities arising from improper use of wildcards, missing directives, and the exploitation of JSONP endpoints, offering practical advice for strengthening CSP implementation against attacks like XSS. |
| 2026-04-10 | Advanced XSS: Bypassing Filters, CSP, and DOM-based XSS | intermediate | | Guide detailing advanced Cross-Site Scripting (XSS) techniques. It covers bypassing filters, Content Security Policy (CSP), and DOM-based XSS, including 2025 attack vectors, AI agent weaponization, polymorphic payloads, sanitizer bypasses, and advanced CSP evasion via CSS and cache. Specific techniques discussed include mutation XSS (mXSS), WebAssembly, Trusted Types, prompt-to-XSS, DOMPurify mutation XSS bypasses (CVE-2025-26791), nonce leakage, postMessage exploitation, Cross-Site WebSocket Hijacking (CSWSH), GraphQL injection to XSS, payload fragmentation, evolved DOM clobbering (CVE-2025-1647), Server-Sent Events (SSE) injection, and Console/DevTools XSS. |
| 2026-04-10 | CSP Bypasses: Advanced Exploitation Guide | advanced | intigriti.com | Guide detailing Content Security Policy (CSP) bypass techniques, focusing on how misconfigurations allow for XSS exploitation. It covers scenarios like missing CSP declarations, reporting-only modes, non-restrictive directives such as wildcards (`*`) and `unsafe-inline` in `script-src`, and leveraging third-party hosts. The guide references tools like Google CSP Evaluator and common CSP directives, emphasizing that CSP bypasses are typically report-worthy when chained with an actual vulnerability. |
| 2026-04-10 | Arista Firewall XSS to RCE Chain | intermediate | | Writeup detailing the exploitation chain of CVE-2025-6980, CVE-2025-6979 (an XSS vulnerability), and CVE-2025-6978 against Arista Next Generation Firewalls. This chain allows for remote code execution by combining an XSS vulnerability that steals administrator credentials with a command injection flaw that grants root privileges, a vulnerability the vendor's patch did not fully remediate. Disabling the captive portal is suggested as a mitigation alongside upgrading to the patched software version. |
| 2026-04-10 | From Stored XSS to Account Takeover | intermediate | | |
| 2026-04-10 | Magento 2.3.1: Unauthenticated Stored XSS to RCE | intermediate | | Writeup detailing an unauthenticated stored XSS vulnerability in Magento 2.3.1 that can be chained with authenticated PHAR deserialization for remote code execution. The exploit targets order cancellation notes and leverages an issue in the `escapeHtmlWithLinks()` sanitization method to inject malicious JavaScript. This payload, when triggered by an administrator, allows for session hijacking and subsequent exploitation of a PHAR deserialization flaw within the WYSIWYG editor's image rendering controller, enabling arbitrary code execution. |
| 2026-04-10 | CVE-2025-52367: Stored XSS to RCE in PivotX CMS | news | | |
| 2026-04-10 | BXSS Hunter: Blind XSS Scanner Tool | intermediate | | Tool for detecting blind Cross-Site Scripting (XSS) vulnerabilities by injecting custom payloads into headers and parameters. BxssHunter supports various HTTP methods (PUT, POST, GET, OPTIONS) and allows for payload injection into parameters or custom headers like X-Forwarded-For. It aids in finding vulnerabilities that execute asynchronously, often missed by standard scanners. |
| 2026-04-10 | How to Find XSS Vulnerabilities: Practical Security Guide | beginner | hackerone.com | Guide to Cross-Site Scripting (XSS) vulnerabilities, covering reflected, stored, and DOM-based types. It provides practical techniques for manual and automated discovery, recommending tools like Dalfox, XSStrike, and xsshunter, alongside payload resources such as PayloadsAllTheThings and HackTricks. Specific examples include blind XSS in admin dashboards and stored XSS in GitLab wikis, emphasizing the use of polyglots and callback platforms for effective exploitation. |
| 2026-04-10 | Mastering Blind XSS: Real-World Techniques for High Bounties | intermediate | infosecwriteups.com | |
| 2026-04-10 | Hunting for Blind XSS Vulnerabilities: A Complete Guide | beginner | intigriti.com | Guide on hunting blind XSS vulnerabilities; this resource details techniques for identifying and exploiting these elusive injection flaws. It covers setting up necessary tooling, including XSSHunter, and provides a range of advanced payloads for injecting external scripts via SVG, image tags, input tags with autofocus, and JavaScript protocols, as well as bypassing Content Security Policy with base tags and exploiting AngularJS. The guide also highlights key areas to test, such as feedback forms and analytics engines. |
| 2026-04-10 | The Guide to Blind XSS: Advanced Techniques for Bug Bounty Hunters | advanced | bugcrowd.com | |
| 2026-04-10 | Frontend Security in 2025: Protecting Client-Side Code in React, Vue & More | beginner | | Guide to frontend security practices for 2025, addressing critical risks in React, Vue, and other stacks. It details common vulnerabilities like XSS, session leaks, and insecure token storage (localStorage, accessible cookies), advocating for HttpOnly, Secure, SameSite=Strict cookies. The guide also covers rendering vulnerabilities, the importance of Content Security Policy (CSP) configurations, and other web security headers like X-Content-Type-Options and X-Frame-Options. It integrates security checks into CI/CD, suggests sanitization libraries like DOMPurify, and promotes secure architectural decisions. |
| 2026-04-10 | Modern Frontend Security: Beyond XSS and CSRF in 2025 | beginner | | |
| 2026-04-10 | Cross-site Scripting (XSS) in vue-i18n (CVE-2025-53892) | news | security.snyk.io | Writeup on CVE-2025-53892, detailing a Cross-site Scripting (XSS) vulnerability in vue-i18n. This flaw allows attackers to execute arbitrary JavaScript by injecting malicious payloads into translation strings when `escapeParameterHtml` is set to `true`. Affected versions can be upgraded to 9.14.5, 10.0.8, 11.1.10, or higher to mitigate the risk. |
| 2026-04-10 | XSS in 2025: Why It Still Matters and How to Defend Against It | beginner | | |
| 2026-04-10 | Why React Didn't Kill XSS: The New JavaScript Injection Playbook | intermediate | thehackernews.com | Guide detailing modern JavaScript injection techniques, including prototype pollution, supply chain compromises via packages like Polyfill.io, and AI prompt injection. It highlights how frameworks like React don't fully prevent XSS, demonstrating vulnerabilities with `dangerouslySetInnerHTML` and recommending context-aware encoding and tools like DOMPurify. The guide also touches on WebAssembly security considerations and emerging AI threats, offering a defense-in-depth approach for developers building secure applications. |
| 2026-04-10 | Security Issues in Popular Full-Stack Frameworks | beginner | | Survey of security issues found in full-stack JavaScript frameworks, including DOM clobbering in React and Vue, cross-site scripting in Next.js, Angular template injection, dependency abuse in UI components, and build-time exploits in Angular and Next.js. These vulnerabilities have been exploited in production and require application-level defenses such as sanitizing attributes, escaping server-rendered data, replacing abandoned third-party components, and monitoring build pipelines. |
| 2026-04-10 | Beyond alert(1): Real XSS Dangers in React & Vue SPAs | intermediate | | Article detailing real-world Cross-Site Scripting (XSS) dangers in React and Vue Single Page Applications (SPAs). It explains how these frameworks, despite default protections, introduce new attack vectors, particularly DOM-based XSS. The article highlights the risks of `dangerouslySetInnerHTML` in React, `v-html` in Vue, and the vulnerability of `localStorage` for storing authentication tokens like JWTs, leading to session hijacking and silent manipulation of displayed data through API exploitation. |
| 2026-04-10 | XSS Payload Crafting and WAF Bypass: A Beginner-Friendly Guide | beginner | | |
| 2026-04-10 | Bypassing WAFs for Fun and JS Injection with Parameter Pollution | intermediate | | Technique for bypassing WAFs using ASP.NET's HTTP parameter pollution for JavaScript injection. This technique abuses how ASP.NET concatenates duplicate parameters with commas to construct valid JavaScript payloads that evade signature-based and machine learning WAFs by splitting malicious code across multiple parameters, exploiting inconsistencies in how WAFs parse parameters versus how the ASP.NET framework and JavaScript interpreter process them. |
| 2026-04-10 | XSS Payload WAF Bypass: Advanced Techniques to Evade Microsoft's 2025 Security | advanced | undercodetesting.com | Technique for bypassing Microsoft's 2025 WAF using advanced XSS payloads. It details how double-encoded HTML entities like `&%2362;` evade single-layer WAF decoding, and explores using array dereferencing and indirect property access to bypass signature-based detection. The technique also leverages DOM-based triggers, such as `onchange`, as alternatives to commonly monitored events like `onclick`, for more stealthy execution. |
| 2026-04-10 | XSS Filter Evasion: How Attackers Bypass XSS Filters | intermediate | acunetix.com | Technique for bypassing cross-site scripting (XSS) filters by exploiting browser parsing quirks and encoding methods. Attackers leverage HTML event handlers, JavaScript syntax variations, and malformed HTML to execute malicious scripts, as simple pattern matching and blacklisting prove insufficient. Techniques like URL encoding and HTML entity encoding are used to disguise payloads, making them undetectable by basic filters, and highlighting the necessity of layered security beyond just filtering. |
| 2026-04-10 | WAF XSS Bypass: Obfuscation and Encoding Techniques | intermediate | | Library of techniques for bypassing Web Application Firewalls (WAF) and obfuscating Cross-Site Scripting (XSS) payloads. It includes guides on common encoding and obfuscation methods to mask malicious content and lists various WAF bypass strategies with examples, detailing how attackers defeat WAF defenses. |
| 2026-04-10 2026 | WAF Bypass XSS Payloads Collection intermediate | WAF Bypass XSS Payloads Collection |
| 2026-04-10 2026 | CVE-2026-0594: Reflected XSS in WordPress news | CVE-2026-0594 is a reflected XSS vulnerability in the WordPress "List Site Contributors" plugin. Attackers can inject malicious JavaScript through shortcode parameters or AJAX requests, leading to session hijacking, privilege escalation, or site defacement. This vulnerability affects plugin versions 1.0 through 1.2.3, is unauthenticated, and can be exploited via the network. |
| 2026-04-10 2026 | TrustyMon: Practical Detection of DOM-based XSS Using Trusted Types advanced | TrustyMon: Practical Detection of DOM-based XSS Using Trusted Types → dl.acm.org |
| 2026-04-10 2026 | CI4MS Critical Stored XSS (CVE-2026-34569) news | Writeup of CVE-2026-34569, a critical stored Cross-Site Scripting (XSS) vulnerability in CI4MS (versions prior to 0.31.0.0). Attackers with category editing privileges can inject JavaScript into blog category titles, which then executes on public and administrative pages when rendered. The vulnerability stems from insufficient input sanitization and output encoding. → thehackerwire.com |
| 2026-04-10 2026 | CI4MS Stored DOM XSS via Menu Management (CVE-2026-34565) news | Writeup detailing CVE-2026-34565, a critical stored DOM-based XSS in CI4MS versions prior to 0.31.0.0. Exploitation requires authenticated access to inject malicious scripts into navigation menus via the Menu Management functionality, which are then executed when rendered in administrative dashboards or public-facing menus. This vulnerability, with a CVSS score of 9.1, impacts the CI4MS CMS skeleton built on CodeIgniter 4. → thehackerwire.com |
| 2026-04-10 2026 | Homarr DOM-based XSS (CVE-2026-33510) news | Writeup on CVE-2026-33510, a high-severity DOM-based XSS in Homarr (versions prior to 1.57.0). Exploitation involves crafting a malicious link that manipulates the `callbackUrl` parameter on the `/auth/login` page. This parameter is directly passed to client-side navigation functions like `redirect` and `router.push`, allowing attackers to execute arbitrary JavaScript within a victim's browser session. This can lead to credential theft, internal network pivoting, and unauthorized actions. → thehackerwire.com |
| 2026-04-10 2026 | CVE-2025-67906: MISP Stored XSS via Workflow Engine news | Writeup of CVE-2025-67906, a Stored Cross-Site Scripting (XSS) vulnerability in MISP versions up to 2.5.27, stemming from unsanitized workflow trigger names rendered via the doT.js template engine. An authenticated attacker can inject HTML/JavaScript into the `name` field of workflow triggers, which is then executed in the browser of any user viewing that workflow. This allows for session hijacking, data exfiltration, and credential harvesting, with payloads bypassing Content Security Policy by using `window.location` for data exfiltration. |
| 2026-04-10 2026 | How I Hacked a Web App Using Stored XSS to Steal Sessions intermediate | Writeup detailing a stored XSS exploit against a web application, leading to admin session theft and account takeover. The exploit leveraged an unescaped bio field to inject JavaScript, targeting an admin who routinely reviewed user profiles. Crucially, the application lacked Content Security Policy, had non-HttpOnly cookies, and failed to properly encode user-generated content in support ticket comments and profile bios, allowing for critical vulnerabilities like performing admin actions and creating new admin accounts via alternative payloads. |
| 2026-04-10 2026 | 10 Practical Scenarios for XSS Attacks beginner | Scenarios illustrate practical XSS attacks, detailing reflected, persistent, and DOM-based vulnerabilities. The content focuses on exploiting web applications, including techniques for session hijacking by stealing cookies via JavaScript payloads, and shows how to craft malicious payloads using examples like injecting `<script>alert(document.cookie)</script>` into vulnerable parameters within DVWA. |
| 2026-04-10 2026 | Reflected XSS: Advanced Exploitation Guide advanced | Guide to hunting and exploiting reflected XSS vulnerabilities. This guide details a three-step methodology for identifying reflection points, testing for injection possibilities by breaking out of HTML or JavaScript contexts, and crafting proof-of-concept payloads. It covers generic HTML, HTML attribute, and JavaScript contexts, offering examples such as `<script>alert(1)</script>` and `<img src=x onerror=alert(1)>`, and explains how to handle filtered inputs. The resource also distinguishes reflected XSS from stored XSS and DOM-based XSS. → intigriti.com |
| 2026-04-10 2026 | Weaponizing Cross Site Scripting: When One Bug Isn't Enough advanced | Technique guide detailing how Cross-Site Scripting (XSS) can be weaponized by chaining it with vulnerabilities like open redirects, CSRF, weak CSP, insecure JSON logging leading to account takeover, file upload flaws for RCE, abusing administrative functions, and improper `postMessage` usage causing token leakage. It emphasizes that XSS rarely exists in isolation and attackers combine multiple weaknesses to escalate impact, making layered defenses crucial. → microsoft.com |
| 2026-04-10 2026 | XSS Exploitation in 2025: Advanced Techniques, AI Integration, and Evasion Strategies advanced | XSS Exploitation in 2025: Advanced Techniques, AI Integration, and Evasion Strategies |
| 2026-04-10 2026 | XSS Attacks: From Basics to Advanced Post-Exploitation (2025 Edition) intermediate | Library for mastering Cross-Site Scripting (XSS) attacks, covering fundamental concepts to advanced post-exploitation techniques. It details Stored XSS, Reflected XSS, and DOM-Based XSS, alongside manual and automated testing methods using tools like XSStrike, Dalfox, and KXSS. The guide explores filter bypasses, crafting advanced payloads, and exploitation scenarios including cookie stealing and session hijacking. It also addresses XSS prevention for developers, CSP bypasses, and integrating XSS with tools like BeEF for chained attacks. |
| 2026-04-10 2026 | Discovering and Exploiting XSS Vulnerabilities — My First Bug Hunting Reward beginner | Discovering and Exploiting XSS Vulnerabilities — My First Bug Hunting Reward |
| 2026-04-10 2026 | How I Found a Critical XSS On a Public Bug Bounty Program intermediate | How I Found a Critical XSS On a Public Bug Bounty Program |
| 2026-04-10 2026 | BugBounty Hunting for XSS in 2025 beginner | BugBounty Hunting for XSS in 2025 |
| 2026-04-10 2026 | Apple Developer Stored XSS — $5,000 Bounty Writeup intermediate | Apple Developer Stored XSS — $5,000 Bounty Writeup |
| 2026-04-06 2026 | Browser-Based Attacks in 2026: What Every Startup Needs to Know beginner | Guide to 2026 browser-based attacks, detailing threats like ClickFix, AITM phishing (Tycoon 2FA), and malicious OAuth apps (ConsentFix). It highlights how these attacks bypass traditional security, exploiting user trust and evolving tactics to steal credentials and session tokens through methods like infostealer malware (LummaStealer) and compromised browser extensions. The guide also covers session hijacking, malicious file delivery, and the critical vulnerability of SaaS applications and internal tools to such exploits. |
| 2026-04-06 2026 | CVE-2025-1647: Bootstrap 3 XSS Vulnerability via DOM Clobbering news | Writeup on CVE-2025-1647, a medium-severity XSS vulnerability in Bootstrap 3's Tooltip and Popover components. The flaw leverages DOM clobbering to bypass HTML sanitization, enabling script execution. Versions 3.4.1 through 3.x are affected, and due to Bootstrap 3 being end-of-life, HeroDevs offers NES for Bootstrap v3.4.7 as a remediated drop-in replacement, resolving this and other known Bootstrap 3 CVEs. |
| 2026-04-06 2026 | CVE-2026-32629: phpMyFAQ XSS Vulnerability news | Writeup of CVE-2026-32629, a stored Cross-Site Scripting (XSS) vulnerability in phpMyFAQ exploitable by unauthenticated attackers. Malicious HTML and JavaScript can be injected via crafted email addresses within RFC 5321 quoted local parts. This bypasses PHP validation and sanitization, leading to persistent XSS execution in admin sessions due to the unsafe use of Twig's `|raw` filter when rendering email addresses. Versions prior to 4.1.1 are affected. → sentinelone.com |
| 2026-04-06 2026 | Cross-site leaks (XS-Leaks) - Security - MDN Web Docs intermediate | Guide to Cross-site Leaks (XS-Leaks), a class of attacks where an attacker's site derives information about a target site or user by leveraging web platform APIs. This guide details techniques such as leaking page existence via error events, frame counting using window references, and detecting redirects with Content Security Policy (CSP), illustrating how these attacks can reveal user login status or sensitive information. It explains the common underlying weaknesses that enable these exploits and offers general defenses against them. |
| 2026-04-06 2026 | Site-DOM-XSS using Cookie Injection: The AI Hackers are Coming intermediate | Site-DOM-XSS using Cookie Injection: The AI Hackers are Coming |
| 2026-04-03 2026 | Awesome Bug Bounty Writeups - Curated List by Bug Type beginner Bug Bounty | Library of curated bug bounty writeups detailing successful exploitation of vulnerabilities including Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL injection, and Server-Side Request Forgery (SSRF). Entries cover specific bypass techniques for WAFs, filter evasion methods, and numerous real-world examples from major vendors like Google, Microsoft, Facebook, and Amazon, often detailing the path to account takeover or remote code execution. |
| 2026-04-03 2026 | XSS Exploit Payloads - DOM, Reflected, Stored, and WAF Bypass intermediate | Library of curated, battle-tested Cross-Site Scripting (XSS) exploit payloads. This repository offers a collection of effective techniques for exploiting DOM-based, reflected, and stored XSS vulnerabilities, including various methods for bypassing Web Application Firewalls (WAFs). The payloads cover a range of attack vectors, such as JavaScript `prompt()`, `eval()`, and event handler exploitation within HTML elements like `<img>`, `<svg>`, and `<iframe>`. |
| 2026-04-03 2026 | Stored XSS Vulnerability WAF Bypass Writeup intermediate | Stored XSS Vulnerability WAF Bypass Writeup |
| 2026-04-03 2026 | Reflected XSS with WAF Bypass — A Creative Payload That Worked intermediate | Reflected XSS with WAF Bypass — A Creative Payload That Worked |
| 2026-04-03 2026 | DOM-Based XSS in Single Page Applications (SPAs): A Complete Guide intermediate | DOM-Based XSS in Single Page Applications (SPAs): A Complete Guide |
| 2026-04-03 2026 | The Ultimate Guide to Finding and Escalating XSS Bugs \| Bugcrowd intermediate | The Ultimate Guide to Finding and Escalating XSS Bugs \| Bugcrowd → bugcrowd.com |
| 2026-04-03 2026 | How a Cross-Site Scripting Vulnerability Led to Account Takeover \| HackerOne intermediate | Writeup detailing how a reflected XSS vulnerability on yelp.com, stemming from unescaped cookie values and a cookie parsing issue, enabled account takeovers. The vulnerability allowed for persistent XSS payloads, simulated credential theft via a keylogger, and facilitated linking external accounts. Remediation involved validating and sanitizing user input, and removing the ability to set cookies via query parameters. → hackerone.com |
| 2026-04-03 2026 | XSS Attacks & Exploitation: The Ultimate Guide \| YesWeHack intermediate | Guide to XSS attacks and exploitation, covering reflected, stored, and DOM variants. It details detection methods, exploitation techniques, and real-world scenarios, emphasizing why mastering XSS, CWE-79, is crucial for bug bounty hunters and ethical hackers. The guide explains how to leverage user input to inject malicious JavaScript, leading to session hijacking, account takeovers, and data exfiltration. It also explores chaining vulnerabilities like CSRF with authenticated reflected XSS for greater impact, and discusses payload obfuscation for stored XSS. → yeswehack.com |
| 2026-04-03 2026 | Cross-Site Scripting (XSS) Cheat Sheet - 2026 Edition \| PortSwigger intermediate | Cheatsheet detailing Cross-Site Scripting (XSS) vectors, regularly updated and featuring bypass techniques for WAFs and filters. It categorizes vectors by event handlers, tags, and browser compatibility, including proof-of-concept code for numerous scenarios such as JavaScript hoisting, file upload restrictions, and bypassing specific browser limitations with techniques like exception handling and template strings. → portswigger.net |
| 2026-03-30 2026 | Stored XSS Bug in Jira Work Management Could Lead to Full Organization Takeover news | Stored XSS Bug in Jira Work Management Could Lead to Full Organization Takeover https://ift.tt/chvJTgR → cybersecuritynews.com |
| 2026-03-30 2026 | Stored XSS Flaw in Jira Work Management Could Enable Full Org Compromise news | Stored XSS Flaw in Jira Work Management Could Enable Full Org Compromise https://ift.tt/tBU50wa → cyberpress.org |
| 2026-03-30 2026 | Stored XSS Vulnerability in Jira Work Management Could Enable Full Organization Takeover news | Stored XSS Vulnerability in Jira Work Management Could Enable Full Organization Takeover https://ift.tt/NBDfQXj → gbhackers.com |
| 2026-03-26 2026 | Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website news | Library for securing AI browser extensions, analyzing the ShadowPrompt vulnerability (CVE-2025-XXXX) in Anthropic's Claude Chrome Extension. The flaw exploited an overly permissive origin allowlist combined with a DOM-based XSS vulnerability in an Arkose Labs CAPTCHA component, enabling zero-click prompt injection and potential data theft. A patch has since been deployed. → thehackernews.com |
| 2026-03-26 2026 | CISA and FBI release secure-by-design guidelines on cross-site scripting beginner | Alert from CISA and FBI providing secure-by-design guidelines to eliminate cross-site scripting (XSS) vulnerabilities. The alert details how XSS exploits user trust, enabling session hijacking, data theft, and malware installation, referencing past attacks like the ResumeLooters breach and the Fortnite incident. It advocates for proactive measures including input validation, output encoding, and Content Security Policies (CSP), aligning with broader secure-by-design principles for developers to build security into applications from inception. |
| 2026-03-21 2026 | PolyShell flaw exposes Magento and Adobe Commerce to file upload attacks news | Library for identifying and mitigating the PolyShell vulnerability in Magento and Adobe Commerce REST APIs. This critical flaw allows unauthenticated attackers to upload executable files, potentially leading to RCE or account takeover. The vulnerability has existed since Magento 2's initial release and impacts versions up to 2.4.9-alpha2, with affected releases prior to 2.3.5 also susceptible to XSS. While a fix exists in the 2.4.9 pre-release, no standalone patch is available for production versions, necessitating real-time WAF blocking and strict server configurations to protect upload directories. → securityaffairs.com |
| 2026-03-20 2026 | Russian APT Exploits Zimbra XSS In GhostMail Attacks On Ukrainian Government news | Russian APT Exploits Zimbra XSS In GhostMail Attacks On Ukrainian Government https://cyberpress.org/ghostmail-targets-ukraine-mail/ → cyberpress.org |
| 2026-03-20 2026 | Magento PolyShell Flaw Enables Unauthenticated Uploads RCE and Account Takeover intermediate | Library for securing Magento, addressing the PolyShell vulnerability (CVE-2026-XXXX) that allows unauthenticated arbitrary file uploads to achieve RCE or account takeover. This critical flaw, affecting Magento Open Source and Adobe Commerce up to 2.4.9-alpha2, exploits the REST API's handling of custom options with file types by writing uploaded data to `pub/media/custom_options/quote/`. Exploitation involves disguised polyglot files that embed executable PHP code within image formats, leading to web shells and password-protected RCE shells. Mitigation strategies include restricting access to the upload directory and implementing web server rules to block access. → thehackernews.com |
| 2026-03-20 2026 | Russian APT Exploits Zimbra XSS to Target Ukrainian Government in Operation GhostMail news | Russian APT Exploits Zimbra XSS to Target Ukrainian Government in ‘Operation GhostMail’ https://ift.tt/XoOLnMt → cybersecuritynews.com |
| 2026-03-19 2026 | Russian APT targets Ukraine via Zimbra XSS flaw CVE-2025-66376 news | Writeup of CVE-2025-66376, a stored XSS vulnerability in Zimbra Collaboration exploited by Russian APT groups targeting Ukraine. The flaw, with a CVSS score of 7.2, allowed attackers to execute scripts via specially crafted HTML emails, enabling credential theft, session token compromise, and mailbox data exfiltration. Nation-state actors, potentially APT28, leveraged this vulnerability, dubbed Operation GhostMail, to target entities including Ukraine's State Hydrology Agency. Synacor has since released patches, and CISA has added CVE-2025-66376 to its Known Exploited Vulnerabilities catalog. → securityaffairs.com |
| 2026-03-19 2026 | Russian APT Exploits Zimbra Vulnerability Against Ukraine news | Writeup detailing CVE-2025-66376, a stored XSS vulnerability in Zimbra Collaboration's Classic UI, exploited by Russian APT28 (Forest Blizzard) in attacks against Ukraine. This flaw, exploitable via CSS @import directives in email HTML, allows for credential theft, session token exfiltration, and mailbox data extraction. CISA has added this vulnerability to its KEV catalog, mandating patches for federal agencies. → securityweek.com |
| 2026-03-18 2026 | When HttpOnly Isn't Enough: Chaining XSS and GhostScript for Full RCE Compromise advanced | Library for analyzing vulnerabilities in document processing applications, specifically detailing a chained attack that bypasses HttpOnly cookie protections via an unauthenticated XSS vulnerability. This XSS allows an attacker to steal an administrator's session cookie by exploiting a GWT RPC endpoint that reflects sensitive information. Further, the library demonstrates how to achieve Remote Code Execution by injecting commands into GhostScript rendering options, disabling its SAFER mode to execute arbitrary operating system commands. → securityboulevard.com |
| 2026-03-18 2026 | CISA orders feds to patch Zimbra XSS flaw exploited in attacks news | Writeup of CVE-2025-66376, a stored cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite's Classic UI. Exploitable via malicious HTML emails, this flaw allows remote unauthenticated attackers to execute arbitrary JavaScript, potentially hijacking sessions and stealing data. CISA mandated federal agencies patch this actively exploited flaw, which has seen prior exploitation of Zimbra vulnerabilities by groups like Winter Vivern. → bleepingcomputer.com |
| 2026-03-17 2026 | Angular XSS Vulnerability Exposes Thousands of Web Applications to XSS Attacks news | Angular XSS Vulnerability Exposes Thousands of Web Applications to XSS Attacks https://ift.tt/FtpE0RI → cybersecuritynews.com |
| 2026-03-17 2026 | Angular XSS Vulnerability Puts Thousands of Web Apps at Risk news | Angular XSS Vulnerability Puts Thousands of Web Apps at Risk https://cyberpress.org/angular-xss-vulnerability/ → cyberpress.org |
| 2026-03-17 2026 | Angular XSS Vulnerability Threatens Thousands of Web Applications news | Angular XSS Vulnerability Threatens Thousands of Web Applications https://ift.tt/CsxVb9J → gbhackers.com |
| 2026-03-14 2026 | Persistent XSS/RCE using WebSockets in Storybook's dev server news | Library of JavaScript code and examples addressing CVE-2026-27148, a high-severity WebSocket hijacking vulnerability in Storybook's dev server. This vulnerability can lead to persistent Cross-Site Scripting (XSS) and Remote Code Execution (RCE) by allowing attackers to inject malicious code into story files. Exploitation can occur via publicly exposed dev servers or through a malicious webpage visited by a developer running a local instance, potentially compromising credentials, system access, and network resources, and even propagating through version control and CI/CD pipelines. → aikido.dev |
| 2026-03-12 2026 | GitLab Security Update - Patch for XSS and API DoS Vulnerabilities news | GitLab Security Update - Patch for XSS and API DoS Vulnerabilities https://ift.tt/WObhDLV → cybersecuritynews.com |
| 2026-03-04 2026 | Critical XSS Vulnerability in Angular i18n Enables Malicious Code Execution news | Critical XSS Vulnerability in Angular i18n Enables Malicious Code Execution https://ift.tt/MaisAIy → cybersecuritynews.com |
| 2026-03-03 2026 | Severe XSS Vulnerability in Angular i18n Enables Malicious Script Injection news | Severe XSS Vulnerability in Angular i18n Enables Malicious Script Injection https://cyberpress.org/severe-xss-vulnerability/ → cyberpress.org |
| 2026-03-03 2026 | Angular i18n Flaw Lets Hackers Execute Malicious Code via Critical XSS Vulnerability news | Angular i18n Flaw Lets Hackers Execute Malicious Code via Critical XSS Vulnerability https://ift.tt/Zxys3rh → gbhackers.com |
| 2026-02-28 2026 | Stored XSS Flaw in RustFS Console Leaks Admin S3 Credentials news | Stored XSS Flaw in RustFS Console Leaks Admin S3 Credentials https://cyberpress.org/stored-xss-flaw-in-rustfs-console-leaks-admin-s3-credentials/ → cyberpress.org |
| 2026-02-27 2026 | Stored XSS Vulnerability in RustFS Console Puts S3 Admin Credentials at Risk news | A stored XSS vulnerability in RustFS Console has been identified, posing a risk to S3 admin credentials. This vulnerability can potentially be exploited to compromise sensitive data stored in S3 buckets. It highlights the importance of addressing security flaws promptly to prevent unauthorized access to critical information. Users are advised to update their systems and take necessary precautions to mitigate the risk of exploitation. → gbhackers.com |
| 2026-02-26 2026 | Mozilla Releases Firefox 148 With New Sanitizer API to Block XSS Attacks news | Mozilla has launched Firefox 148 featuring a new Sanitizer API to prevent XSS attacks. This update aims to enhance security by blocking cross-site scripting attacks, a common vulnerability exploited by hackers. The Sanitizer API helps sanitize input data to prevent malicious scripts from executing on web pages, thus safeguarding users from potential security threats. This release underscores Mozilla's commitment to improving browser security and protecting users' online experiences. → cyberpress.org |
| 2026-02-26 2026 | Firefox 148 Released With Sanitizer API to Disable XSS Attack news | Firefox 148 has been released with a Sanitizer API aimed at preventing XSS attacks. This new feature enhances security by disabling cross-site scripting attacks. The Sanitizer API is designed to protect users from malicious scripts that could exploit vulnerabilities in web applications. This update aims to improve the overall security of the Firefox browser and provide users with a safer browsing experience. → cybersecuritynews.com |
| 2026-02-26 2026 | Firefox 148 Unveils New Sanitizer API to Mitigate XSS Attacks in Web Applications news | Firefox version 148 introduces a new Sanitizer API to combat XSS (cross-site scripting) attacks in web applications. This new feature aims to enhance security by sanitizing user input and preventing malicious scripts from executing. XSS attacks are a common vulnerability exploited by attackers to inject harmful code into websites. The Sanitizer API in Firefox 148 offers a proactive defense mechanism to safeguard web applications and protect users from potential security threats. → gbhackers.com |
| 2026-02-25 2026 | XSS Bug in VS Code Extension Exposed Local Files news | Writeup on a cross-site scripting (XSS) vulnerability in the official Live Preview VS Code extension, impacting versions up to 0.4.16. This flaw allowed malicious websites to enumerate local files and exfiltrate sensitive data, including API keys and source code, by exploiting improper input sanitization in the extension's embedded HTTP server. Mitigation strategies include updating the extension, disabling non-essential plugins, implementing host firewalls, and utilizing secure secret management. → esecurityplanet.com |
| 2026-02-23 2026 | Multiple Zero-Day Flaws in PDF Platforms Enable XSS and One-Click Attacks news | Research report on zero-day vulnerabilities in PDF platforms, specifically Foxit and Apryse, detailing 13 categories and 16 flaws discovered. The findings include critical XSS and OS command injection vulnerabilities, such as CVE-2025-70402 and CVE-2025-70400 in Apryse WebViewer, CVE-2025-70401 allowing script execution via PDF comments, and CVE-2025-66500 in Foxit web plugins. These flaws enable one-click attacks and command execution, highlighting trust boundary failures in modern PDF applications. → hackread.com |
| 2026-02-22 2026 | Jenkins Vulnerability Exposes Build Environments to XSS Attacks news | The content discusses a vulnerability in Jenkins that exposes build environments to cross-site scripting (XSS) attacks. This vulnerability can potentially allow attackers to inject malicious scripts into the Jenkins environment, compromising the security of the build process. It highlights the importance of addressing this vulnerability promptly to prevent exploitation and protect sensitive data. → secnews.gr |
| 2026-02-20 2026 | Critical Jenkins Flaw Exposes Build Environments to XSS Attacks news | A critical flaw in Jenkins exposes build environments to cross-site scripting (XSS) attacks. The vulnerability could allow attackers to inject malicious scripts into Jenkins builds, potentially leading to unauthorized access or data theft. Jenkins users are advised to update their software to the latest version to mitigate the risk of exploitation. → gbhackers.com |
| 2026-02-20 2026 | Critical Jenkins Vulnerability Exposes Build Environments to XSS Attacks news | A critical vulnerability in Jenkins exposes build environments to cross-site scripting (XSS) attacks. This vulnerability poses a significant risk to Jenkins users as it can be exploited to compromise build environments. XSS attacks can lead to unauthorized access, data theft, and other security breaches. Jenkins users are advised to update their systems promptly to protect against this vulnerability and ensure the security of their build environments. → cybersecuritynews.com |
| 2026-02-18 2026 | Microsoft VS Code Extension with 11M Downloads Exposes Developers to One-Click XSS Attacks news | A Microsoft VS Code extension with 11 million downloads has been found to expose developers to one-click cross-site scripting (XSS) attacks. This vulnerability could potentially allow attackers to execute malicious code on developers' systems with a single click. Developers are advised to be cautious and consider the security implications of using this extension. → cybersecuritynews.com |
| 2026-02-13 2026 | Zimbra Security Update - Patch for XSS XXE & LDAP Injection Vulnerabilities news | Zimbra released a security update to address vulnerabilities including XSS, XXE, and LDAP injection. Users are advised to apply the patch to protect their systems from potential security risks. → cybersecuritynews.com |
| 2026-02-13 2026 | Critical Zimbra Vulnerabilities Fixed: XSS XXE and LDAP Injection Risks Mitigated news | Article on critical Zimbra vulnerabilities that have been fixed to mitigate the risks of XSS, XXE, and LDAP injection, enhancing the security of Zimbra systems. → cyberpress.org |
| 2026-02-13 2026 | Zimbra Issues Security Update to Address XSS XXE and LDAP Injection Flaws news | Zimbra has released a security update to fix vulnerabilities including XSS, XXE, and LDAP injection flaws. These flaws could potentially be exploited by attackers to compromise the security of Zimbra systems. Users are advised to promptly apply the security update to protect their systems from these vulnerabilities. → gbhackers.com |
| 2026-02-11 2026 | FortiSandbox XSS Vulnerability Allows Remote Command Execution news | Writeup detailing CVE-2025-52436, a reflected XSS vulnerability in FortiSandbox's web interface that allows unauthenticated remote command execution. Insufficient input sanitization enables attackers to inject malicious JavaScript, which, when rendered by a privileged user, can grant command-line access to the underlying system. Affected versions require prompt patching or migration, and mitigation strategies include access restrictions, WAF deployment, log monitoring, and incident response planning. → esecurityplanet.com |
| 2026-02-11 2026 | GitLab Patches Multiple Vulnerabilities That Enable DoS and Cross-site Scripting Attacks news | GitLab has addressed several vulnerabilities that could lead to Denial of Service (DoS) and Cross-site Scripting (XSS) attacks. By patching these vulnerabilities, GitLab aims to enhance the security of its platform and protect users from potential exploitation. It is crucial for users to update their GitLab installations promptly to mitigate the risk of these security threats. → cybersecuritynews.com |
| 2026-02-11 2026 | GitLab Patches Multiple Vulnerabilities Enabling DoS and Cross-Site Scripting Attacks news | GitLab has addressed multiple vulnerabilities that could lead to Denial of Service (DoS) and Cross-Site Scripting (XSS) attacks. The patches aim to prevent potential security risks associated with these vulnerabilities. Users are advised to update their GitLab installations to the latest version to mitigate the risk of exploitation. → cyberpress.org |
| 2026-02-11 2026 | GitLab Patches Multiple Vulnerabilities Enabling DoS and Cross-Site Scripting Attacks news | GitLab has addressed several vulnerabilities that could lead to Denial of Service (DoS) and Cross-Site Scripting (XSS) attacks. These vulnerabilities have been patched to prevent potential exploitation. It is crucial for GitLab users to update their systems promptly to mitigate the risks associated with these security flaws. → gbhackers.com |
| 2026-02-10 2026 | FortiSandbox XSS Vulnerability Let Attackers Run Arbitrary Commands news | The FortiSandbox XSS vulnerability allows attackers to execute arbitrary commands. This security flaw poses a risk as it enables attackers to run unauthorized commands on the affected system. Organizations using FortiSandbox should be aware of this vulnerability and take necessary precautions to mitigate the risk of exploitation. → cybersecuritynews.com |
| 2026-02-06 2026 | DOM Invader beginner | Tool for testing DOM XSS vulnerabilities, DOM Invader is an extension preinstalled in Burp's browser. It aids in identifying controllable sinks, logging and modifying `postMessage` calls for web message DOM XSS, and automatically detecting prototype pollution and DOM clobbering vulnerabilities. Its configurable nature allows for fine-tuning to suit various websites and use cases. → portswigger.net |
| 2026-02-06 2026 | bjrjk/js-vuln-studies: A collection of in-depth studies authored by me on JavaScript engine vulnerabilities. advanced | A collection of in-depth studies authored by me on JavaScript engine vulnerabilities. - bjrjk/js-vuln-studies |
| 2026-02-04 2026 | Foxit PDF Editor XSS Flaws Patched In February 2026 news | Writeup of Foxit PDF Editor XSS vulnerabilities CVE-2026-1591 and CVE-2026-1592, which allow arbitrary JavaScript execution in user browsers by injecting payloads into file names or layer names. A related flaw, CVE-2025-65523 in Foxit eSign, also permits XSS via manipulated URL parameters. All issues are patched with improved input validation and output encoding. → thecyberexpress.com |
| 2026-02-03 2026 | Foxit PDF Editor Vulnerabilities Let Attackers Execute Arbitrary JavaScript news | The Foxit PDF Editor has vulnerabilities that allow attackers to execute arbitrary JavaScript. This security flaw can be exploited by malicious actors to run unauthorized code within PDF documents, potentially leading to harmful consequences. Users of Foxit PDF Editor should be cautious and consider updating their software to protect against these vulnerabilities. → cybersecuritynews.com |
| 2026-02-03 2026 | Foxit PDF Editor Vulnerability Allows Attackers to Execute Arbitrary JavaScript news | A vulnerability in Foxit PDF Editor enables attackers to execute arbitrary JavaScript. This flaw poses a security risk as it allows malicious actors to run code on affected systems. Users of Foxit PDF Editor should be cautious and consider updating their software to protect against potential attacks exploiting this vulnerability. More details can be found at the provided link. → cyberpress.org |
| 2026-02-01 2026 | TrinetLayer advanced | TrinetLayer: a battle-tested resource for vulnerability research, real-world exploit payloads, and modern attack techniques, crafted by hackers and trusted by hackers. |
| 2026-01-27 2026 | XSS in Live Preview Microsoft VS Code Extension with 11M Downloads news | Writeup of an XSS vulnerability in the Microsoft VS Code Live Preview extension, affecting over 11 million users. The vulnerability allowed remote attackers to exfiltrate local files, including sensitive credentials and API keys, by exploiting the extension's embedded HTTP server. The issue, which enabled data exfiltration, was responsibly disclosed to Microsoft and patched in version 0.4.16. → ox.security |
| 2026-01-22 2026 | Testing for reflected XSS manually with Burp Suite intermediate | Guide to testing reflected XSS with Burp Suite's Repeater. The method involves identifying HTTP requests that reflect user input and then manipulating those requests to inject proof-of-concept XSS payloads. It exercises the application's input validation and server-side sanitization, using Burp Repeater to modify requests directly and observe in the immediate response whether the payload executes in an HTML context, such as the example `alert()` function. → portswigger.net |
| 2026-01-21 2026 | Testing for stored XSS with Burp Suite intermediate | Guide to manually testing for stored XSS vulnerabilities with Burp Suite. It details identifying input and output points by submitting unique values and filtering HTTP history, then using Repeater to send proof-of-concept payloads like `<script>alert(1)</script>` to test for execution. → portswigger.net |
| 2026-01-19 2026 | Bypassing XSS filters by enumerating permitted tags and attributes intermediate | Guide to bypassing XSS filters by enumerating permitted HTML tags and attributes. Using Burp Intruder, the method systematically tests the tags and attributes an application might allow, revealing which elements are not filtered. The technique is particularly useful when standard proof-of-concept XSS payloads fail, enabling the construction of effective XSS attacks against applications with input validation mechanisms. → portswigger.net |
| 2026-01-19 2026 | Critical XSS Vulnerability in StealC Malware Admin Panel Allows Researchers to Infiltrate and Monitor Threat Actor Operations news | Writeup of a persistent XSS vulnerability in the StealC malware admin panel, version 2.0, which allowed researchers to infiltrate and monitor threat actor operations. Exploitation led to the exfiltration of session cookies and system fingerprints from operators like YouTubeTA, revealing their location and hardware. The flaw enabled the observation of live sessions, stolen data, and malware management, demonstrating that even criminal infrastructure is susceptible to common web application vulnerabilities. → rescana.com |
| 2026-01-19 2026 | TrinetLayer intermediate Bug Bounty | TrinetLayer is a proven tool used for vulnerability research, real-world exploit payloads, and modern attack techniques. It is created by hackers and is widely trusted within the hacker community for its effectiveness. |
| 2026-01-18 2026 | Account Takeover in Facebook mobile app due to usage of cryptographically unsecure random number generator and XSS in Facebook JS SDK intermediate Mobile | Library for analyzing the Facebook JavaScript SDK, detailing how a DOM-based XSS vulnerability in the Customer Chat plugin, stemming from unescaped `iconSVG` injection, can be exploited. The exploit is made possible by an account takeover scenario facilitated by a weak cryptographic primitive: `Math.random()` used for generating callback identifiers, which are then exposed via `window.name` of plugin iframes and can be predicted after forcing reinitialization of the SDK. |
| 2026-01-17 2026 | Testing for DOM XSS with DOM Invader intermediate | Tool for testing DOM-based XSS vulnerabilities, DOM Invader injects unique strings into untrusted data sources and identifies controllable sinks where data is written unsafely to the DOM. It simplifies manual JavaScript analysis by visualizing data flow, enabling testers to efficiently locate and exploit DOM XSS flaws within applications, particularly by analyzing `document.write` sinks and `location.search` sources. → portswigger.net |
| 2026-01-17 2026 | Critical XSS Vulnerabilities in Meta Conversion API Enable Zero-Click Account Takeover news | The content discusses critical Cross-Site Scripting (XSS) vulnerabilities found in Meta Conversion API that allow attackers to take over accounts without any user interaction, known as Zero-Click Account Takeover. These vulnerabilities pose a significant security risk and highlight the importance of addressing XSS issues promptly to prevent unauthorized access to user accounts. → gbhackers.com |
| 2026-01-17 2026 | Exploiting XSS in Meta Conversion API for Zero-Click Account Takeover intermediate | Discusses exploiting Cross-Site Scripting (XSS) vulnerabilities in Meta Conversion API to achieve a Zero-Click Account Takeover, in which XSS flaws in the API are leveraged to compromise user accounts without any interaction from the victim. This type of attack is highly dangerous because it lets malicious actors gain unauthorized access to accounts with little effort. → cyberpress.org |
| 2026-01-16 2026 | Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability (CVE-2026-20076) news | Writeup of CVE-2026-20076, a stored cross-site scripting vulnerability in Cisco Identity Services Engine's web-based management interface. Exploitation requires administrative credentials and involves injecting malicious code into specific pages, allowing script execution or access to sensitive browser-based information. Cisco has released software updates to address this issue. |
| 2026-01-15 2026 | CISAs secure-software buying tool had a simple XSS vulnerability of its own news | Writeup of a cross-site scripting (XSS) vulnerability in CISA's "Software Acquisition Guide: Supplier Response Web Tool." The flaw, discovered by former OWASP leader Jeff Williams, allowed JavaScript injection and potential website defacement. While CISA addressed and patched the vulnerability, its discovery highlighted potential gaps in basic security testing for tools intended to promote secure software development. → cyberscoop.com |
| 2026-01-13 2026 | Lack of isolation in agentic browsers resurfaces old vulnerabilities intermediate | Analysis of agentic browser security, detailing a threat model with four trust zones and four violation classes: INJECTION, CTX_IN, REV_CTX_IN, and CTX_OUT. It outlines real-world exploits such as false information dissemination and session confusion, enabled by inadequate isolation and prompt injection vulnerabilities, which resurface older web attack patterns such as XSS and CSRF. Recommendations focus on extending the Same-Origin Policy to AI agents. → securityboulevard.com |
| 2026-01-13 2026 | New Angular Vulnerability Enables an Attacker to Execute Malicious Payload news | A new vulnerability in Angular allows attackers to execute malicious payloads. This vulnerability poses a security risk as it can be exploited by attackers to compromise systems running Angular applications. It is crucial for users and developers to be aware of this issue and take necessary precautions to mitigate the risk of exploitation. Stay informed about security updates and patches released by Angular to protect against potential attacks leveraging this vulnerability. → cybersecuritynews.com |
| 2026-01-13 2026 | New Angular Vulnerability Enables Attackers to Execute Malicious Payloads news | A new vulnerability in Angular allows attackers to execute malicious payloads. This security flaw poses a risk as it can be exploited by cybercriminals to compromise systems using Angular. Organizations using Angular should be aware of this vulnerability and take necessary precautions to protect their systems from potential attacks. It is crucial to stay informed about security threats and promptly apply patches or updates to mitigate the risk of exploitation. → cyberpress.org |
| 2026-01-13 2026 | New Angular Vulnerability Allows Attackers to Execute Malicious Payloads news | A new vulnerability in Angular has been discovered, enabling attackers to execute malicious payloads. This security flaw poses a risk to systems using Angular, potentially allowing unauthorized code execution. Organizations using Angular should be vigilant and apply patches or updates to mitigate this vulnerability. It is crucial to stay informed about security risks and promptly address any vulnerabilities to protect systems and data from exploitation by malicious actors. → gbhackers.com |
| 2026-01-09 2026 | OWASP CRS Vulnerability Enables Charset Validation Bypass news | The content discusses a vulnerability in the OWASP CRS (Core Rule Set) that allows attackers to bypass charset validation. This vulnerability could potentially be exploited by malicious actors to evade security measures and launch attacks. It highlights the importance of addressing and patching vulnerabilities promptly to enhance cybersecurity defenses and protect systems from potential threats. → gbhackers.com |
| 2026-01-09 2026 | OWASP CRS Vulnerability Allows Attackers to Bypass Charset Validation news | The OWASP CRS vulnerability enables attackers to bypass charset validation, as reported on cyberpress.org. This vulnerability poses a security risk by allowing malicious actors to circumvent charset validation measures. Organizations using OWASP CRS should be aware of this issue and take necessary steps to mitigate the vulnerability to prevent potential attacks. → cyberpress.org |
| 2026-01-04 2026 | XSSNow - The Ultimate XSS Payload Database beginner | Link to XSSNow, described as the Ultimate XSS Payload Database: a collection of cross-site scripting (XSS) payloads intended for testing and research. Because XSS is a common website vulnerability, a payload database of this kind can help security professionals and developers understand and mitigate the risk while testing web applications. |
| 2026-01-01 2026 | CVE-2025-23469 Impact Exploitability and Mitigation Steps news | The content discusses the CVE-2025-23469 vulnerability, focusing on its impact, exploitability, and mitigation steps. It provides insights into the potential consequences of the vulnerability, the likelihood of it being exploited, and steps that can be taken to mitigate the risks associated with it. The link provided directs to further details on the vulnerability in the Wiz vulnerability database. → wiz.io |
| 2025-12-23 2025 | Turning List-Unsubscribe into an SSRF/XSS Gadget intermediate SSRF | Writeup detailing abuse of the `List-Unsubscribe` SMTP header. This header, intended for email list management, can be abused to trigger Cross-Site Scripting (XSS) via JavaScript URIs, as demonstrated with Horde Webmail (CVE-2025-68673). It can also facilitate Server-Side Request Forgery (SSRF) when email clients initiate unsubscription requests server-side, as exemplified by the Nextcloud Mail App under a specific configuration. |
| 2025-12-21 2025 | Roundcube Vulnerabilities Allow Attackers to Execute Malicious Scripts news | Discusses vulnerabilities in Roundcube, a popular webmail software, that allow attackers to execute malicious scripts and could lead to unauthorized access and compromise of sensitive information. The article highlights the importance of promptly addressing security flaws in software to prevent exploitation by malicious actors, and offers recommendations for users to protect themselves. → cyberpress.org |
| 2025-12-19 2025 | New Kibana Vulnerabilities Allow Attackers to Embed Malicious Scripts news | New vulnerabilities in Kibana allow attackers to insert malicious scripts. This poses a security risk as attackers can potentially execute harmful actions through these scripts. It is important for users of Kibana to be aware of these vulnerabilities and take necessary precautions to prevent unauthorized access and protect their systems from potential attacks. Regularly updating Kibana and implementing security best practices can help mitigate the risk of exploitation through these vulnerabilities. → gbhackers.com |
| 2025-12-19 2025 | Roundcube Vulnerabilities Allow Attackers to Execute Malicious Scripts news | The content discusses vulnerabilities in Roundcube, an open-source webmail software, that enable attackers to execute malicious scripts. These vulnerabilities pose a security risk by allowing unauthorized individuals to run harmful code on affected systems. It highlights the importance of promptly addressing such vulnerabilities to prevent potential cyber attacks and protect sensitive data. → cybersecuritynews.com |
| 2025-12-18 2025 | DeepChat AI agent XSS-to-RCE via Mermaid and Electron IPC news | Writeup detailing CVE-2025-67744, a critical remote code execution vulnerability in DeepChat AI agent versions prior to 0.5.3. Exploiting a combination of unsafe Mermaid diagram rendering and direct Electron IPC exposure in the renderer context, an attacker can escalate from injected JavaScript to arbitrary command execution. This vulnerability highlights emerging risks in AI-driven desktop applications that ingest and render untrusted content. → securityboulevard.com |
| 2025-12-17 2025 | JS-Tap: Weaponizing JavaScript for Red Teams🔴 advanced | https://t.co/m2sW71WuH0 |
| 2025-12-16 2025 | From honeypot to CISA's KEV list: Why a "medium" XSS in ScadaBR became a critical priority in ICS/OT news | Analysis of CVE-2021-26829, a Stored XSS vulnerability in ScadaBR, reveals how a medium-severity flaw, combined with default credentials and internet exposure, led to its inclusion in CISA's KEV catalog. This incident highlights the critical operational risk posed by exploited ICS/OT vulnerabilities, even those with historically low CVSS scores, underscoring the need for risk-focused patch management and urgent review of exposed HMI systems. |
| 2025-12-16 2025 | XSS remains as top MITRE software weakness news | Analysis of MITRE's updated Common Weakness Enumeration Top 25 reveals cross-site scripting (XSS) as the leading software weakness for the second consecutive year. SQL injection and cross-site request forgery have climbed to second and third place respectively. New additions include buffer overflows and authorization bypass via user-controlled key, while weaknesses like improper privilege management have been removed. → scworld.com |
| 2025-12-11 2025 | GitLab Patches Multiple Vulnerabilities that Allows Attackers to Trigger XSS and DoS Attack news | GitLab has addressed several vulnerabilities that could be exploited by attackers to launch cross-site scripting (XSS) and denial of service (DoS) attacks. By patching these vulnerabilities, GitLab aims to enhance the security of its platform and protect users from potential exploitation. It is crucial for users to update their GitLab installations to the latest version to mitigate the risks associated with these vulnerabilities. → cybersecuritynews.com |
| 2025-12-11 2025 | CVE-2025-10573: Ivanti EPM Unauth Stored XSS Fixed news | Writeup on CVE-2025-10573 details an unauthenticated stored cross-site scripting vulnerability in Ivanti Endpoint Manager (EPM). An attacker can inject malicious JavaScript via crafted POST requests to `postcgi.exe`, leading to session hijacking when displayed in the management console. The vulnerability, tracked as CVE-2025-10573 with a CVSS score of 9.6, is addressed by Ivanti EPM version 2024 SU4 SR1. The writeup includes an attack narrative and regression test script using `curl` to demonstrate the exploitation and expected SIEM alert generation. |
| 2025-12-10 2025 | Critical Ivanti EPM Vulnerability Allows Admin Session Hijacking via Stored XSS news | A critical vulnerability in Ivanti Endpoint Manager (EPM) allows attackers to hijack admin sessions through stored cross-site scripting (XSS). This flaw could be exploited by malicious actors to take control of administrative sessions, posing a significant security risk. Organizations using Ivanti EPM should address this vulnerability promptly to prevent unauthorized access and potential data breaches. → cybersecuritynews.com |
| 2025-12-10 2025 | Critical Ivanti EPM Vulnerability Allows Admin Session Hijacking via Stored XSS news | The content discusses a critical vulnerability in Ivanti EPM that enables admin session hijacking through stored XSS attacks. This flaw poses a significant security risk as it allows attackers to take control of admin sessions. The vulnerability highlights the importance of promptly addressing and patching such security issues to prevent unauthorized access and potential data breaches. Organizations using Ivanti EPM are advised to be aware of this vulnerability and take necessary precautions to mitigate the risk of exploitation. → cyberpress.org |
| 2025-12-03 2025 | Angular Platform Vulnerability Allows Malicious Code Execution Via Weaponized SVG Animation Files news | A vulnerability in the Angular platform enables malicious code execution through weaponized SVG animation files. This flaw allows attackers to embed harmful code within SVG files, potentially leading to security breaches. Organizations using Angular should be cautious when handling SVG files to prevent exploitation of this vulnerability. Vigilance and prompt updates are recommended to mitigate the risk of malicious code execution through this vector. → cybersecuritynews.com |
| 2025-12-03 2025 | Angular Platform Vulnerability Allows Malicious Code Execution via Weaponized SVG Animation Files news | The content discusses a vulnerability in the Angular platform that enables malicious code execution through weaponized SVG animation files. This vulnerability poses a risk as attackers can exploit it to execute harmful code on affected systems. It highlights the importance of being cautious when handling SVG files to prevent potential security breaches and emphasizes the need for timely updates and patches to mitigate such risks. → cyberpress.org |
| 2025-12-02 2025 | Old OpenPLC ScadaBR flaw added to CISA KEV after hacktivist attack news | Report on CVE-2021-26829, a medium-severity cross-site scripting flaw in OpenPLC ScadaBR. Actively exploited by hacktivists, it has been added to CISA's Known Exploited Vulnerabilities catalog, requiring remediation by federal agencies. The vulnerability has been observed in attacks on industrial control systems, as demonstrated by its use against a water treatment facility honeypot. → scworld.com |
| 2025-12-02 2025 | Entra ID tightens security against XSS attacks intermediate | Report on a Microsoft Entra ID change hardening sign-in against XSS attacks. Microsoft is restricting script execution during login to scripts from trusted Microsoft domains, mitigating account hijacking via cross-site scripting. The change, implemented through Content Security Policy headers, aligns with the Secure Future Initiative and addresses a persistent threat, as evidenced by Microsoft's mitigation of nearly 1,000 XSS vulnerabilities. Organizations should test their sign-in integrations for compatibility. → scworld.com |
| 2025-11-30 2025 | CISA Adds Actively Exploited XSS Bug CVE-2021-26829 in OpenPLC ScadaBR to KEV news | Report on two OpenPLC ScadaBR flaws, CVE-2021-26829 (XSS) and CVE-2021-26828 (unrestricted file upload), both listed in CISA's Known Exploited Vulnerabilities (KEV) catalog due to active exploitation by groups like TwoNet. The vulnerabilities affect Windows and Linux versions, with exploitation involving defacing HMI pages, disabling logs, and uploading web shells. The article also details the Out-of-Band Application Security Testing (OAST) infrastructure used to fuel regional exploit operations. → thehackernews.com |
| 2025-11-29 2025 | CISA Warns of OpenPLC ScadaBR cross-site scripting vulnerability Exploited in Attacks news | The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a cross-site scripting vulnerability in OpenPLC ScadaBR that is being exploited in attacks. This vulnerability poses a security risk and has been actively targeted by malicious actors. Organizations using OpenPLC ScadaBR are advised to take immediate action to address this vulnerability to prevent potential exploitation and protect their systems from cyber threats. → cybersecuritynews.com |
| 2025-11-27 2025 | Apache SkyWalking Flaw Allows Attackers to Launch XSS Attacks news | A vulnerability in Apache SkyWalking allows attackers to carry out Cross-Site Scripting (XSS) attacks. This flaw can be exploited by malicious actors to inject and execute malicious scripts on web pages viewed by users, potentially leading to unauthorized data access or manipulation. Organizations using Apache SkyWalking should be aware of this security issue and take necessary precautions to mitigate the risk of XSS attacks. Regularly updating software and implementing security best practices can help protect against such vulnerabilities. → gbhackers.com |
| 2025-11-27 2025 | Apache SkyWalking Vulnerability Lets Attackers Expose Users to XSS Attacks news | The content discusses a vulnerability in Apache SkyWalking that allows attackers to expose users to cross-site scripting (XSS) attacks. This vulnerability could potentially be exploited by malicious actors to compromise user data and security. It emphasizes the importance of addressing this vulnerability promptly to prevent exploitation and protect users from potential XSS attacks. → cyberpress.org |
| 2025-11-26 2025 | Paris The Thinker and why your WAF should block XSS by default beginner | Article advocating that Web Application Firewalls (WAFs) block Cross-Site Scripting (XSS) by default, in line with the OWASP Top 10's emphasis on injection risks. It highlights the ineffectiveness of alert-only modes and the severe consequences of missed XSS vulnerabilities, including account takeover and application compromise. The article promotes Imperva's WAF, which offers out-of-the-box XSS blocking through a combination of signature- and behavior-based detections, reducing dwell time for opportunistic attacks and accelerating mean time to protection. → securityboulevard.com |
| 2025-11-18 2025 | NDSS 2025 - EvoCrawl: Exploring Web Application Code And State Using Evolutionary Search advanced | Paper on EvoCrawl, a web crawler utilizing evolutionary search to explore web application code and state, outperforming state-of-the-art scanners with a 59% increase in code coverage and 5x more successful form submissions. EvoCrawl's ability to reach specific application states enabled the discovery of eight zero-day IDOR and XSS vulnerabilities in WordPress, HotCRP, Kanboard, ImpressCMS, and GitLab. → securityboulevard.com |
| 2025-11-16 2025 | Cross-Site Scripting Vulnerability Discovered in Citrix NetScaler ADC and Gateway news | A Cross-Site Scripting (XSS) vulnerability has been found in Citrix NetScaler ADC and Gateway. It could allow attackers to execute malicious scripts in users' browsers when they visit compromised pages, posing a security risk to organizations running these Citrix products. Users should be aware of the vulnerability and take the necessary precautions to mitigate the risk of exploitation. → cyberpress.org |
| 2025-11-13 2025 | Multiple GitLab Vulnerabilities Let Attackers Inject Malicious Prompts to Steal Sensitive Data news | Multiple vulnerabilities in GitLab allow attackers to inject malicious prompts, potentially leading to the theft of sensitive data. These vulnerabilities could be exploited by attackers to compromise security and access valuable information. It is crucial for GitLab users to stay informed about these vulnerabilities and take necessary precautions to protect their data and systems from potential attacks. → cybersecuritynews.com |
| 2025-11-13 2025 | Multiple GitLab Vulnerabilities Allow Malicious Prompt Injection and Data Theft news | The article discusses multiple vulnerabilities in GitLab that enable malicious prompt injection and data theft. These vulnerabilities pose a security risk to users of GitLab, potentially allowing attackers to inject malicious prompts and steal sensitive data. It highlights the importance of addressing these vulnerabilities promptly to prevent potential security breaches and protect user data. → cyberpress.org |
| 2025-11-13 2025 | Kibana Vulnerabilities Expose Systems to SSRF and XSS Attacks news | Kibana, a data visualization tool, has vulnerabilities that can lead to Server-Side Request Forgery (SSRF) and Cross-Site Scripting (XSS) attacks. These vulnerabilities expose systems to potential security risks. It is crucial for users of Kibana to be aware of these vulnerabilities and take necessary steps to mitigate the risks associated with SSRF and XSS attacks. → gbhackers.com |
| 2025-11-13 2025 | Citrix NetScaler ADC and Gateway Flaw Allows Cross-Site Scripting (XSS) Attacks news | A vulnerability in Citrix NetScaler ADC and Gateway allows for Cross-Site Scripting (XSS) attacks. This flaw can be exploited by attackers to inject malicious scripts into web pages viewed by users, potentially leading to unauthorized access, data theft, or other security risks. Organizations using these Citrix products should be aware of this vulnerability and take necessary steps to mitigate the risk, such as applying patches or implementing security measures to prevent XSS attacks. → gbhackers.com |
| 2025-11-12 2025 | Citrix NetScaler ADC and Gateway Vulnerability Enables Cross-Site Scripting Attacks news | A vulnerability in Citrix NetScaler ADC and Gateway allows for Cross-Site Scripting (XSS) attacks. This flaw can be exploited by attackers to inject malicious scripts into web pages viewed by users, potentially leading to unauthorized access or data theft. Organizations using these Citrix products should be aware of this security risk and take necessary precautions to mitigate the threat. Regularly updating software, implementing security patches, and monitoring network traffic for suspicious activity are recommended to protect against XSS attacks. → cybersecuritynews.com |
| 2025-11-12 2025 | Is It CitrixBleed4? Well No. Is It Good? Also No. (Citrix NetScaler Memory Leak & RXSS CVE-2025-12101) news | Writeup detailing CVE-2025-12101, a reflected XSS vulnerability found in Citrix NetScaler's SAML RelayState parameter. The analysis also covers an undocumented memory leak (WT-2025-0089) triggered by a specific AAA virtual server misconfiguration, noting the ongoing fragility of memory management in these appliances. |
| 2025-11-12 2025 | Nagios XSS Flaw Allows Remote Execution of Arbitrary JavaScript news | The article discusses a cross-site scripting (XSS) vulnerability in Nagios, a popular IT infrastructure monitoring tool. This flaw could potentially allow attackers to execute arbitrary JavaScript code remotely. The vulnerability poses a security risk to systems using Nagios, as it could be exploited to carry out malicious activities. It is important for Nagios users to be aware of this issue and take necessary precautions to prevent unauthorized access and potential attacks. → cyberpress.org |
| 2025-11-10 2025 | CVE-2025-31029 Impact Exploitability and Mitigation Steps news | Writeup detailing the impact, exploitability, and mitigation steps for CVE-2025-31029. This community-led vulnerability database entry covers a critical cloud security issue, and the database offers an assessment that lets users evaluate their practices across nine security domains and identify defensive gaps. → wiz.io |
| 2025-11-10 2025 | CVE-2024-13992 Impact Exploitability and Mitigation Steps news | Writeup of CVE-2024-13992, detailing its impact, exploitability, and mitigation steps. This analysis focuses on a cloud vulnerability, offering insights relevant to assessing and strengthening cloud security practices. → wiz.io |
| 2025-11-10 2025 | CVE-2013-10074 Impact Exploitability and Mitigation Steps news | Reference for CVE-2013-10074, detailing its impact, exploitability, and mitigation steps. This vulnerability, documented within the Wiz Cloud Vulnerability Database, highlights potential gaps in cloud security practices. The database aims to provide a community-led resource for understanding and addressing cloud-based threats, offering insights beyond basic security domain assessments. → wiz.io |
| 2025-11-10 2025 | CVE-2024-13993 Impact Exploitability and Mitigation Steps news | Library for identifying and mitigating CVE-2024-13993, a cloud vulnerability. This resource offers detailed analysis, exploitability insights, and practical mitigation steps to safeguard cloud environments against this specific threat. It enables users to assess their security practices and identify defensive gaps. → wiz.io |
| 2025-11-10 2025 | CVE-2018-25119 Impact Exploitability and Mitigation Steps news | Analysis of CVE-2018-25119 details its impact, exploitability, and mitigation steps for cloud security. The Wiz vulnerability database offers free assessments to evaluate cloud security practices across nine domains, identifying defense gaps and benchmarking risk levels, aiming to provide full visibility into cloud workloads. → wiz.io |
| 2025-11-10 2025 | CVE-2021-47689 Impact Exploitability and Mitigation Steps news | Library for understanding CVE-2021-47689, detailing its impact, exploitability, and mitigation steps. This resource focuses on this specific cloud vulnerability, offering insights into how it can be leveraged and how to defend against it. It aims to empower users with the knowledge to assess and address security gaps within their cloud environments. → wiz.io |
| 2025-11-10 2025 | CVE-2025-62076 Impact Exploitability and Mitigation Steps news | Library for researching CVE-2025-62076, detailing its impact, exploitability, and mitigation steps. The entry offers a free vulnerability assessment across nine security domains to benchmark cloud security practices and identify defense gaps. Wiz.io provides this community-led database entry, highlighting its utility for understanding and addressing cloud security vulnerabilities. → wiz.io |
| 2025-11-10 2025 | CVE-2025-62030 Impact Exploitability and Mitigation Steps news | Reference detailing CVE-2025-62030, outlining its impact and exploitability. This entry provides mitigation steps and is part of a community-led vulnerabilities database, offering free assessment across nine security domains to benchmark risk and identify defense gaps. → wiz.io |
| 2025-11-10 2025 | CVE-2025-59556 Impact Exploitability and Mitigation Steps news | Analysis of CVE-2025-59556 details its impact and exploitability within cloud environments. This entry also provides actionable mitigation steps to secure against this specific vulnerability, allowing organizations to assess and improve their cloud security practices across multiple domains and identify potential defense gaps. → wiz.io |
| 2025-11-10 2025 | CVE-2025-62036 Impact Exploitability and Mitigation Steps news | Library for discovering and mitigating CVE-2025-62036 in cloud environments. This resource details the impact and exploitability of the vulnerability, offering practical mitigation steps to secure cloud workloads. It emphasizes achieving full visibility and identifying critical security gaps within cloud infrastructure. → wiz.io |
| 2025-11-07 2025 | NDSS 2025 - YuraScanner: Leveraging LLMs For Task-driven Web App Scanning advanced | Tool for task-driven web application scanning, YuraScanner, leverages LLMs to autonomously execute tasks and discover deeper application states. It bridges the semantic gap through goal-based agents and extracts semantic information from webpages, making it web application-agnostic. YuraScanner utilizes the XSS engine of Black Widow to test input points, outperforming traditional scanners by identifying new attack surfaces and significantly improving vulnerability detection, as evidenced by the discovery of 12 zero-day XSS vulnerabilities compared to Black Widow's three. → securityboulevard.com |
| 2025-11-06 2025 | CVE-2025-31366 Impact Exploitability and Mitigation Steps news | Library for evaluating cloud security practices, this resource details CVE-2025-31366. It assesses risk levels across nine security domains, identifies defense gaps, and offers a free vulnerability assessment. The database aims to provide full visibility to cloud workloads and validate critical findings. → wiz.io |
| 2025-10-30 2025 | Reflected XSS Flaw Enables Attackers to Evade Amazon CloudFront Protection Using Safari intermediate | A reflected XSS flaw has been identified that allows attackers to bypass Amazon CloudFront protection when using Safari. This vulnerability poses a risk as it enables attackers to execute malicious scripts on websites, potentially compromising user data and security. It highlights the importance of staying vigilant against such vulnerabilities and regularly updating security measures to protect against cyber threats. → gbhackers.com |
| 2025-10-29 2025 | Wordpress Plugin Vulnerability Exposes 7 Million Sites to XSS Attack news | A vulnerability in a WordPress plugin has put 7 million websites at risk of cross-site scripting (XSS) attacks. The flaw allows attackers to inject malicious code into websites using the vulnerable plugin, potentially leading to data theft or site compromise. Website owners are advised to update the plugin to the latest version to mitigate the risk of exploitation. → cybersecuritynews.com |
| 2025-10-27 2025 | Zimbra ZCS Flaw CVE-2025-27915 Actively Exploited news | Writeup of CVE-2025-27915, an actively exploited cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite's Classic Web Client. The flaw arises from insufficient HTML sanitization of iCalendar files, allowing embedded JavaScript in the `ontoggle` attribute to execute within a user's session when a crafted invite is opened. This grants attackers account access for activities like email redirection and data exfiltration. CISA has added it to its Known Exploited Vulnerabilities catalog and urges immediate patching or, if unavailable, disabling the Classic Web Client. The vulnerability is categorized under CWE-79. → thecyberexpress.com |
| 2025-10-27 2025 | Understanding the Threat of XSS (Cross-Site Scripting) beginner | Survey of XSS (Cross-Site Scripting) vulnerabilities, detailing how malicious client-side scripts are injected into web pages. It covers Reflected, Stored, and DOM-Based XSS types, their impact including data theft and account compromise, and mitigation strategies like input validation, output encoding, and regular security audits. Notable attacks like those against British Airways and T-Mobile are mentioned as examples of their significant consequences. |
| 2025-10-26 2025 | Multiple GitLab Flaws Could Allow Account Takeover and Stored XSS Attacks news | The article discusses multiple vulnerabilities in GitLab that could lead to account takeover and stored cross-site scripting (XSS) attacks. These flaws pose security risks for GitLab users, potentially allowing malicious actors to compromise accounts and execute harmful scripts. It emphasizes the importance of promptly addressing these vulnerabilities to prevent unauthorized access and protect sensitive data within the GitLab platform. → cyberpress.org |
| 2025-10-25 2025 | CISA Warns of Zimbra Collaboration Suite (ZCS) XSS Zero-Day Vulnerability Actively Exploited in Attacks news | The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a zero-day vulnerability in the Zimbra Collaboration Suite (ZCS) that is being actively exploited in attacks. The vulnerability involves cross-site scripting (XSS) and poses a significant risk to users of ZCS. Organizations using ZCS are advised to take immediate action to mitigate the threat posed by this exploit. → cybersecuritynews.com |
| 2025-10-24 2025 | The XSS Threat Isn't Going Away beginner | The article discusses the persistent threat of Cross-Site Scripting (XSS) attacks in the digital landscape. Despite advancements in security measures, XSS vulnerabilities remain prevalent and pose a significant risk to web applications. The article emphasizes the importance of continued vigilance and proactive measures to mitigate XSS threats effectively. |
| 2025-10-24 2025 | Law Enforcement Cracks Down on XSS but Will It Last? news | Law enforcement is increasing efforts to combat Cross-Site Scripting (XSS) attacks. The effectiveness and longevity of these crackdowns are questioned. → darkreading.com |
| 2025-10-08 2025 | The Brute Art of Bypass - Unfiltered Edition: Master XSS Filter Evasion intermediate | Library for bypassing XSS filters and WAFs, detailing systematic probing, backwards and onwards mapping, exploiting post-filter modifications, encoding variations, and keyword fragmentation. Techniques include mixing JavaScript encodings with HTML entities, moving payloads into DOM text, breaking filter context with comment-newline combos, and exploiting regex flaws. It covers methods like character mutation, HTTP Parameter Pollution, tag blending, and HTML vector bypasses, providing explanations for why each technique works against vendors like CloudFlare, Akamai, Imperva, and Fortinet. |
| 2025-08-14 2025 | Cross Site Scripting (XSS) | OWASP Foundation beginner | Reference on Cross-Site Scripting (XSS) attacks, detailing how malicious scripts are injected into trusted websites through unvalidated user input. It categorizes attacks into Reflected, Stored, and DOM-Based XSS, outlines consequences like session hijacking and content manipulation, and points to OWASP resources like the XSS Prevention Cheat Sheet and the OWASP ESAPI project for mitigation techniques. The reference also mentions tools such as Nessus and Nikto for vulnerability scanning. → owasp.org |
| 2025-08-14 2025 | Find SSRF, LFI, XSS using httpx, waybackurls, gf, gau, qsreplace intermediate SSRF | The content discusses utilizing tools like httpx, waybackurls, gf, gau, and qsreplace to identify vulnerabilities such as Server-Side Request Forgery (SSRF), Local File Inclusion (LFI), and Cross-Site Scripting (XSS) in web applications. These tools can help security professionals identify and address these common security issues by scanning for them in web applications. |
| 2025-08-14 2025 | How I Found Multiple XSS Vulnerabilities Using Unknown Techniques advanced | The content discusses the discovery of multiple XSS vulnerabilities through the use of undisclosed techniques. It implies that the author has found a method to identify and exploit these vulnerabilities, potentially showcasing a unique approach to uncovering security flaws. The focus is on the process of discovering XSS vulnerabilities rather than detailing specific techniques or findings. → infosecwriteups.com |
| 2025-08-14 2025 | Hunting Blind XSS on the Large Scale — Practical Techniques intermediate | Technique for large-scale Blind XSS detection, focusing on identifying vulnerable endpoints through tools like `waymore` and Google Dorking. The methodology involves gathering potential URLs from sources such as the Wayback Machine, filtering them for keywords like "feedback" or "support," and then fuzzing these endpoints with specific payloads designed to bypass WAFs. This approach aids in systematically hunting for Blind XSS vulnerabilities across numerous targets. |
| 2025-08-14 2025 | Mass Hunting Blind XSS Using XSSHunter Express Part 1 intermediate | Tool for mass hunting Blind XSS vulnerabilities using XSSHunter Express. This guide details setting up a custom Blind XSS framework with a purchased domain and VPS, covering domain selection, VPS preparation on DigitalOcean, and XSSHunter Express installation via Docker. It also explains how to add custom JavaScript to the server to expedite vulnerability triage, mentioning the use of short domain names and compact payloads as key strategies for effective hunting. |
| 2025-08-14 2025 | A Bunch of Web and XSS Challenges beginner | Reference detailing web and XSS challenges, including techniques like copy-paste XSS with AngularJS and connection pooling to delay script loading. It explores exploiting uncommon Content-Type headers such as `text/x,image/gif` and `multipart/mixed` for XSS, and bypassing DOMPurify via `<title>` tag injection and DOM clobbering. The entry also covers leveraging Chrome DevTools Protocol (CDP) and headless mode downloads to achieve XSS and read local files. |
| 2025-08-14 2025 | JS-Tap: Weaponizing JavaScript for Red Teams intermediate | Library for red teamers weaponizing JavaScript to attack applications with unknown functionality. JS-Tap provides a generic, unauthenticated payload that instruments the client side, collecting data like IP addresses, OS, browser, typed inputs, URLs visited, cookies, local/session storage, HTML, screenshots, and XHR/Fetch API calls. It operates in "Trap Mode" using an iframe to maintain persistence, or "Implant Mode" by injecting into application JavaScript files. Collected data is accessible via a web-based portal for monitoring and analysis. |
| 2025-08-14 2025 | NucleiFuzzer - Powerful Automation Tool For Detecting XSS, SQLi, SSRF, Open intermediate Fuzzing SQLi SSRF | NucleiFuzzer is an automation tool designed to detect vulnerabilities such as XSS, SQL injection (SQLi), Server-Side Request Forgery (SSRF), and Open. It is a powerful tool that can automate the process of identifying these security issues in web applications. → kitploit.com |
| 2025-08-14 2025 | devanshbatham/Vulnerabilities-Unmasked beginner CSRF IDOR | Library of analogies simplifying complex security vulnerabilities including Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection, ClickJacking, Subdomain Takeover, Privilege Escalation, Role-Based Access Control (RBAC) vulnerabilities, Server-Side Request Forgery (SSRF), Vulnerable and Outdated Components, Local File Inclusion (LFI), Denial of Service (DOS), Authentication Bypass, Insecure Direct Object Reference (IDOR), 2FA Bypass, and Race Condition Vulnerability. |
| 2025-08-14 2025 | Mastering XSS: A Comprehensive Guide for Bug Bounty Hunters | by Security L intermediate | The content titled "Mastering XSS: A Comprehensive Guide for Bug Bounty Hunters" by Security L provides detailed information and guidance on mastering Cross-Site Scripting (XSS) for individuals participating in bug bounty programs. It aims to help bug bounty hunters understand and effectively exploit XSS vulnerabilities to enhance their skills in identifying and reporting security issues. The guide likely covers various aspects of XSS attacks, techniques, prevention methods, and practical examples to equip readers with the knowledge needed to excel in finding and addressing XSS vulnerabilities in web applications. → infosecwriteups.com |
| 2025-08-14 2025 | https://infosecwriteups.com/bypassing-character-limit-xss-using-spanned-payload-7301ffac226e intermediate | The content discusses a technique to bypass character limits in Cross-Site Scripting (XSS) attacks using a spanned payload. By breaking the payload into smaller parts and using HTML span tags, attackers can evade character restrictions imposed by input fields, allowing them to execute malicious scripts on vulnerable websites. This method enables the injection of longer payloads while avoiding detection, making it a valuable tool for attackers seeking to exploit XSS vulnerabilities. → infosecwriteups.com |
| 2025-08-14 2025 | https://thegrayarea.tech/xss-bypass-for-rich-text-editors-bf5592e555d6 intermediate | The content discusses a method to bypass cross-site scripting (XSS) protections in rich text editors. It explains how attackers can exploit vulnerabilities in these editors to execute malicious scripts. By manipulating the editor's features, attackers can inject harmful code and potentially compromise user data. The article highlights the importance of understanding and mitigating XSS vulnerabilities in web applications, especially those using rich text editors. It serves as a warning to developers to implement proper security measures to prevent such attacks and protect user information. |
| 2025-08-14 2025 | https://heli9.com/reflected-xss/ beginner | Webpage discussing Reflected Cross-Site Scripting (XSS) attacks. Reflected XSS occurs when malicious code is injected into a website and then reflected back to the user. This type of attack can be used to steal sensitive information or perform unauthorized actions on behalf of the user. The webpage likely covers how to prevent and mitigate Reflected XSS attacks to protect websites and users from potential security risks. |
| 2025-08-14 2025 | https://weekly.infosecwriteups.com/iw-weekly-39-10-000-bounty-zero-click-account-takeover-stored-xss-open-redirection-vulnerability-sql-injection-rce-reconnaissance-techniques-and-much-more/ intermediate RCE SQLi | Survey of application security articles, threads, videos, and tools, highlighting Facebook Reels crop feature bounty, Zoom stored XSS, Facebook zero-click account takeover, io_uring UAF vulnerability (CVE-2022-2602), Apple open redirection, GraphQL pentesting, social engineering guides, insecure CORS, bug bounty automation, smart contract vulnerabilities, mental health for hackers, HTTP Basic Auth, SQL Injection RCE (CVE-2022-44015), RFC analysis, MMORPG CTF challenge, CodeQL for GraphQL, reconnaissance techniques, SSRF deep dives, and EVM chain vulnerability testing with Foundry. |
| 2025-08-14 2025 | XSS.Report beginner | The content provided is simply the title "XSS.Report." It appears to be a reference to cross-site scripting (XSS) vulnerabilities and reporting related to them. The content is concise and does not provide any additional information or context beyond the title itself. |
| 2025-08-14 2025 | https://github.com/yeswehack/vulnerable-code-snippets beginner SQLi SSRF | Library of vulnerable code snippets for practicing application security analysis, featuring common vulnerabilities such as Broken Access Control (CWE-284), SQL Injection (CWE-89), Cross-Site Scripting (CWE-79), Server-Side Template Injection (CWE-1336), and Deserialization of Untrusted Data (CWE-502). Each snippet includes a Docker setup for safe, isolated execution, with new examples posted weekly on Twitter. |
| 2025-08-14 2025 | https://portswigger.net/research/our-favourite-community-contributions-to-the-xss-cheat-sheet beginner | Reference highlights seven community contributions to the XSS cheat sheet, including @hahwul's missing pointer events, @p4fg's Vue `v-if` vector, @NotSoSecure's AngularJS restriction bypass, @kachakil's AngularJS fix, @davwwwx's attribute injection, @laytonctf's `onbeforeinput` event, and @ladecruze's top-ranked payload using `location`, `atob`, and tagged template strings, with variants utilizing `unescape` and `String.fromCodePoint`. → portswigger.net |
| 2025-08-14 2025 | https://medium.com/bugbountywriteup/chaining-self-xss-with-ui-redressing-is-leading-to-session-hijacking-pwn-users-like-a-boss-efb46249cd14?source=userActivityShare-90814179aa21-1524844320 intermediate | The content discusses a security vulnerability involving chaining self-cross-site scripting (XSS) with UI redressing, leading to session hijacking. By exploiting this vulnerability, attackers can manipulate user interfaces to trick users into performing actions that compromise their accounts. The article details how this technique can be used to gain unauthorized access to user sessions and provides insights on how to prevent such attacks. |
| 2025-08-14 2025 | https://medium.com/@yassergersy/xss-to-session-hijack-6039e11e6a81?source=userActivityShare-90814179aa21-1523676165 intermediate | The content discusses how a Cross-Site Scripting (XSS) vulnerability can be exploited to hijack user sessions. It explains the process of injecting malicious scripts into a website to steal session cookies, allowing an attacker to impersonate the victim. The article emphasizes the importance of preventing XSS attacks through proper input validation and output encoding. It also highlights the significance of using secure coding practices to protect against session hijacking and other security threats. |
| 2025-08-14 2025 | ssl/ezXSS: ezXSS is an easy way for penetration testers and bug bounty hunt beginner | Tool for testing (blind) Cross-Site Scripting (XSS) vulnerabilities. ezXSS helps penetration testers and bug bounty hunters find and exploit XSS, including persistent sessions with reverse proxy capabilities. It features an easy-to-use dashboard, instant alerts via multiple channels, and collects extensive data from vulnerable pages, supporting all major browsers. |
| 2025-08-14 2025 | Top 500 Most Important XSS Cheat Sheet for Web Application Pentesting beginner | The content is a list of the top 500 most important XSS cheat sheet items for web application pentesting. It likely includes key information and techniques related to cross-site scripting vulnerabilities that can be used by security professionals to test the security of web applications. → gbhackers.com |
| 2025-08-14 2025 | How to Write an XSS Cookie Stealer in JavaScript to Steal Passwords « Null intermediate | Library for crafting XSS cookie stealers in JavaScript, this resource details how to leverage JavaScript's capabilities to exfiltrate user cookies containing sensitive information like passwords. It walks through setting up a basic HTML environment, injecting malicious JavaScript to capture cookies, and utilizing a simple PHP script on a controlled server to log the stolen data. The guide highlights the technique's effectiveness when combined with code injection and explains how to redirect compromised users to avoid suspicion. → null-byte.wonderhowto.com |
| 2025-08-14 2025 | Browser's XSS Filter Bypass Cheat Sheet - Masatokinugawa / filterbypass wiki intermediate | Library for bypassing browser XSS filters, covering Chrome/Safari and IE11/Edge. It details techniques for exploiting XSS Auditor and IE/Edge XSS filters, including bypassing filters by inserting strings, leveraging character encodings, and exploiting JavaScript execution within various HTML contexts. Specific bypass methods are provided for scenarios involving SVG, XML, Flash, Angular, Vue.js, and jQuery, often requiring arbitrary tag injection and specific conditions related to same-origin policies or CORS. |
| 2025-08-14 2025 | XSSer automated framework to detect, exploit and report XSS vulnerabilities intermediate | XSSer is an automated framework designed to identify, exploit, and report cross-site scripting (XSS) vulnerabilities. It streamlines the process of detecting and exploiting XSS vulnerabilities, making it easier for security professionals to identify and address these issues efficiently. By automating these tasks, XSSer helps enhance the security of web applications by identifying potential vulnerabilities and providing reports on them. → gbhackers.com |
| 2025-08-14 2025 | XSSight - Automated XSS Scanner And Payload Injector - GBHackers On Securit intermediate | XSSight is an automated XSS scanner and payload injector featured on GBHackers On Security. It is a tool designed to detect and exploit cross-site scripting vulnerabilities in web applications. XSSight streamlines the process of identifying XSS flaws and injecting payloads to test the security of websites. This tool can help security professionals and ethical hackers in finding and addressing XSS vulnerabilities efficiently. → gbhackers.com |
| 2025-08-14 2025 | https://sql--injection.blogspot.co.uk: XSS Cheat Sheet beginner | Cheat sheet compiling numerous XSS vectors and payloads. It includes examples for triggering alerts via `onclick`, `onload`, `onerror`, and various other event handlers within HTML elements like `<svg>`, `<img>`, `<button>`, and `<input>`. The resource also demonstrates techniques using `data:` URIs, Unicode escapes, and string manipulation for obfuscation. |
| 2025-08-14 2025 | Sniping Insecure Cookies with XSS intermediate | Analysis of an accounting web application reveals how insecure cookie handling, specifically lacking `HttpOnly` and `Secure` flags, combined with a Cross-Site Scripting (XSS) vulnerability, can lead to full account compromise. The session token, implemented as a JSON Web Token (JWT) and stored in a cookie accessible by JavaScript, was susceptible to theft. This enabled an attacker to hijack administrator sessions by capturing the token and potentially manipulating the JWT's user ID if the secret key were weak enough to brute-force. |
| 2025-08-14 2025 | xss-polyglots intermediate | The content provided is a title "xss-polyglots" without any additional information or context. It seems to refer to cross-site scripting (XSS) polyglots, which are payloads that can execute in multiple contexts or languages. The term may relate to security testing, web development, or cybersecurity. |
| 2025-08-14 2025 | qazbnm456/awesome-web-security beginner SSRF | Library of curated web security materials and resources covering techniques for Cross-Site Scripting (XSS), Prototype Pollution, CSV Injection, SQL Injection, Command Injection, XXE, CSRF, SSRF, Web Cache Poisoning, and Open Redirects. It also includes resources on SAML, file uploads, Rails, AngularJS, ReactJS, SSL/TLS, and cloud security specific to AWS and Azure, with mentions of CVE-2019-7609. |
| 2025-08-14 2025 | asp.net - Bypass XSS blacklist "<>", "&" input nvarchar - Stack Overflow intermediate | Library for bypassing XSS blacklists on ASP.NET applications. This resource details a scenario where a blacklisting approach fails to prevent Cross-Site Scripting, even when character inputs like `<`, `>`, and `&` are blocked. The vulnerability arises because the application stores user input in `nvarchar` fields and later outputs it as JavaScript variables. While the JavaScript encoding escapes characters within the string variables, it does not prevent XSS when these variables are rendered into the HTML. → stackoverflow.com |
| 2025-08-14 2025 | tunz/js-vuln-db: A collection of JavaScript engine CVEs with PoCs advanced | "tunz/js-vuln-db" is a repository that contains a collection of Common Vulnerabilities and Exposures (CVEs) related to JavaScript engines, along with Proof of Concepts (PoCs). This resource is likely designed to provide a centralized location for researchers and developers to access information about vulnerabilities in JavaScript engines and explore practical demonstrations of these vulnerabilities. |
| 2025-08-14 2025 | Uber Bug Bounty: Turning Self-XSS into Good-XSS – Jack Whitton intermediate | Writeup detailing the exploitation of a self-XSS vulnerability on Uber's Partners portal. The author demonstrates chaining this self-XSS with two CSRF vulnerabilities in Uber's OAuth login and logout flows. This chain allows an attacker to log a victim out of their Uber Partners session, log them into the attacker's account, execute malicious JavaScript in the victim's context, and then log them back into their own account, all while maintaining an active session for data exfiltration. The technique leverages Content Security Policy (CSP) to selectively block redirects and facilitate the cross-account session manipulation. |
| 2025-08-14 2025 | Cross-Site Script Inclusion - A Fameless but Widespread Web Vulnerability C intermediate | Library for detecting and exploiting Cross-Site Script Inclusion (XSSI) vulnerabilities, which are often overlooked but can lead to sensitive data leakage, circumvention of token-based protection, and account compromise. The library aids penetration testers by identifying dynamic JavaScript and JavaScript accessible only when authenticated. It analyzes scripts, compares content before and after cookie removal, and highlights discrepancies, assisting in the discovery of vulnerabilities like those involving ambient-authority information in JSONP or sensitive data within global variables. |
| 2025-08-14 2025 | Respect XSS beginner | Writeup detailing a cross-site scripting (XSS) vulnerability affecting both SharePoint on-premises and online versions. This vulnerability, which earned a $2500 bounty, is triggered by manipulating the `SiteName` GET parameter within the "Follow Site" feature, allowing for payloads like `-confirm(document.domain)-` to be injected. The writeup includes exploitation examples and a timeline of the vulnerability's reporting and resolution by Microsoft. |
| 2025-08-14 2025 | The misunderstood X-XSS-Protection beginner | The content seems to focus on the X-XSS-Protection header, which is a security feature designed to mitigate cross-site scripting (XSS) attacks on websites. However, the content itself is very brief and lacks specific details or explanations about the misunderstood aspects of the X-XSS-Protection header. It suggests that there may be misconceptions or confusion surrounding this security measure. |
| 2025-08-14 2025 | XSS Hunter beginner | XSS Hunter is a tool used for detecting cross-site scripting (XSS) vulnerabilities in web applications. It helps security professionals identify and remediate XSS vulnerabilities by simulating attacks and capturing exploit attempts. XSS Hunter assists in understanding how attackers can exploit XSS vulnerabilities and provides insights into potential security weaknesses in web applications. By using XSS Hunter, security teams can proactively address XSS vulnerabilities and enhance the overall security posture of their web applications. |
| 2025-08-14 2025 | XSS without HTML: Client-Side Template Injection with AngularJS : netsec advanced | The content discusses a security vulnerability known as Client-Side Template Injection with AngularJS, which can lead to cross-site scripting (XSS) attacks without the use of traditional HTML. This type of vulnerability allows attackers to inject malicious templates into AngularJS applications, potentially compromising user data and security. The article likely delves into the technical details and implications of this security issue within the context of web development and security. |
| 2025-08-14 2025 | Cross Site Scripting Payloads ≈ Packet Storm beginner | Library of Cross-Site Scripting (XSS) payloads hosted on Packet Storm Security, offering a collection of common and less common injection strings. Users access this resource by agreeing to terms that govern intellectual property, user representations, prohibited activities, and data usage, with provisions for user-generated contributions and the site's proprietary content. |
| 2025-08-14 2025 | How I Stole Plunker Session Tokens With Angular Expressions intermediate | Writeup detailing an Angular Expression Injection vulnerability in Plunker, allowing for Plunker session token theft. The exploit leverages user input within the Twitter title meta tag, which is then evaluated by AngularJS, to steal session IDs by embedding them in image tags that send requests to a controlled server. The vulnerability was quickly patched by adding `ng-non-bindable` to the meta tag. |
| 2025-08-14 2025 | XSS Payloads beginner | The content provided is a brief mention of "XSS Payloads." This likely refers to malicious code or scripts that are used in cross-site scripting (XSS) attacks. XSS payloads are designed to exploit vulnerabilities in web applications, allowing attackers to inject and execute their own code on a targeted website. These payloads can be used to steal sensitive information, manipulate content, or perform other malicious actions. It is important for web developers and security professionals to be aware of XSS payloads and implement measures to prevent such attacks. |
| 2025-08-14 2025 | web application - Cross Site Scripting without special chars - Information intermediate | Technique for bypassing XSS filters that disallow equals signs and parentheses involves injecting null bytes (`%00`) to break string recognition and finding single-character bypasses within a restricted character set ({ : / & @ - < > \ . , ' " }). This method aims to execute JavaScript when traditional injection vectors are blocked, especially when filters lack character conversion. |
| 2025-08-14 2025 | mandatoryprogrammer/xssless: An automated XSS payload generator written in intermediate | Tool for automated XSS payload generation. This Python script utilizes Burp proxy exports to create asynchronous, browser-friendly payloads. It supports CSRF token extraction, multipart POST requests, file uploads, and dynamic, self-propagating payloads for creating JavaScript worms. Payloads are optimized but recommend further minimization. |
| 2025-08-14 2025 | Collection of Cross-Site Scripting (XSS) Payloads ~ SmeegeSec beginner | Collection of 298 Cross-Site Scripting (XSS) payloads, including HTML5 specific examples, suitable for fuzzing applications for reflective and persistent vulnerabilities. This resource can be used as a reference list or integrated into tools like Burp Intruder for payload submission. Payloads cover various injection techniques, including those using `javascript:`, `<script>`, `<svg>`, `<style>`, and `expression()` properties. |
| 2025-08-14 2025 | Excess XSS: A comprehensive tutorial on cross-site scripting beginner | Tutorial detailing Cross-Site Scripting (XSS) attacks, explaining how attackers inject malicious JavaScript into websites to compromise user browsers. It covers the three main XSS types: Persistent XSS originating from the database, Reflected XSS from user requests, and DOM-based XSS exploiting client-side code. The tutorial illustrates techniques like session cookie theft via `document.cookie`, keystroke logging with `addEventListener`, and credential harvesting through fake login forms. |
| 2025-08-14 2025 | What is Cross-site Scripting and How Can You Fix it? beginner | Guide to Cross-Site Scripting (XSS) explaining how attackers inject malicious scripts into legitimate web pages to execute code in a victim's browser. It details risks like cookie theft, website defacement, and advanced attacks such as phishing and identity theft. The guide categorizes XSS into stored, reflected, and DOM-based types, illustrating how vulnerabilities arise from unsanitized user input and providing examples of attack vectors, including using the `<script>` tag and manipulating `XMLHttpRequest`. → acunetix.com |
| 2025-08-14 2025 | www.vulnerability-lab.com/resources/documents/531.txt beginner | Link to a text document hosted on the vulnerability-lab website. The document's contents are not reproduced here, so the specific information it contains is unknown. Exercise caution when accessing such links, as they may contain sensitive or potentially harmful information related to vulnerabilities or security issues. |
| 2025-08-14 2025 | HTML5 Security Cheatsheet: What your browser does when you look away... intermediate | The content seems to be about HTML5 security and what happens when a user is not actively looking at their browser. It likely discusses potential security risks or actions that browsers may take in the background related to HTML5 technology. |
| 2025-08-14 2025 | XSS (Cross Site Scripting) Prevention Cheat Sheet - OWASP beginner | Reference detailing XSS prevention techniques, emphasizing the necessity of combining defensive measures. It highlights how modern frameworks like React and Angular mitigate XSS through templating and auto-escaping, yet points out potential vulnerabilities when these frameworks are used insecurely, such as with React's `dangerouslySetInnerHTML` or Angular's `bypassSecurityTrustAs*` functions. The guide stresses the importance of output encoding, including HTML entity, attribute, JavaScript, CSS, and URL encoding, with specific advice on safe sinks like `.textContent` and `.setAttribute`. → owasp.org |
| 2025-08-14 2025 | https://medium.com/m/global-identity?redirectUrl=https://infosecwriteups.com/reflected-xss-dvwa-an-exploit-with-real-world-consequences-stackzero-171cfb2d87d2?source=rss----7b722bfd1b8d---4 intermediate | The content discusses a real-world exploit involving Reflected Cross-Site Scripting (XSS) in DVWA (Damn Vulnerable Web Application) with serious consequences. It highlights the impact of XSS vulnerabilities and the importance of secure coding practices to prevent such exploits. The article likely provides insights into the exploit, its implications, and ways to mitigate XSS vulnerabilities in web applications. |
| 2025-08-14 2025 | An unusual way to find XSS injection in one minute | Medium intermediate | The content appears to be about a unique method for quickly identifying cross-site scripting (XSS) vulnerabilities in web applications. The approach likely offers a rapid and efficient way to detect XSS injections within a minute, providing valuable insights into potential security weaknesses. The article may delve into the specifics of this unconventional technique and its effectiveness in identifying and mitigating XSS vulnerabilities. |
| 2025-08-14 2025 | Lab: Reflected DOM XSS | Web Security Academy intermediate | Lab demonstrates Reflected DOM XSS by exploiting an `eval()` function call that processes an unescaped JSON response. By crafting a specific search term, `"-alert(1)}//`, and leveraging the lack of backslash escaping, the entry injects JavaScript code, causing an `alert(1)` to execute within the browser. The technique involves canceling out quotation mark escaping and commenting out the remainder of the JSON object. → portswigger.net |
| 2025-08-14 2025 | 10 Types of Web Vulnerabilities that are Often Missed - Detectify Labs beginner SSRF XXE | Library detailing often-missed web vulnerabilities, including HTTP/2 Smuggling, XXE via Office Open XML Parsers, SSRF via XSS in PDF Generators, and XSS via SVG files. This resource explores obscure bug classes and less common delivery methods for traditional vulnerabilities, offering insights beyond the OWASP Top 10. It references research from Detectify Labs, Hakluke, Farah Hawa, Wallarm, and James Kettle, and mentions tools like http2smugl. → labs.detectify.com |
| 2025-08-14 2025 | https://github.com/mandatoryprogrammer/xsshunter-express intermediate | Library for rapidly setting up XSS Hunter to detect blind cross-site scripting. This Dockerized application automates TLS/SSL certificate generation via Let's Encrypt and offers optional email notifications for payload fires, storing detailed probe data including DOM, cookies, user agent, and full screenshots. It supports correlated injections with compatible tools, secondary payload loading, and a minimized attack surface by disabling the web control panel. |
| 2025-08-14 2025 | https://www.bugcrowd.com/blog/the-ultimate-guide-to-finding-and-escalating-xss-bugs/?utm_campaign=XSS-BUGS-4.6-FB&utm_medium=social&utm_source=facebook#accept intermediate | The content discusses a comprehensive guide on finding and escalating XSS (Cross-Site Scripting) bugs. It covers various techniques and tools to identify XSS vulnerabilities in web applications, including manual testing and automated scanners. The guide emphasizes the importance of understanding different types of XSS attacks and provides tips on how to effectively report and escalate these issues to maximize impact. It also highlights the significance of responsible disclosure and collaboration between security researchers and organizations to address XSS vulnerabilities promptly. → bugcrowd.com |
| 2025-08-14 2025 | https://www.hackingarticles.in/burp-suite-for-pentester-hackbar/ intermediate Burp XXE | Library for Burp Suite that accelerates manual penetration testing by automating payload insertion for various vulnerabilities. HackBar offers dropdown lists with pre-defined payloads for SQL Injection, Cross-Site Scripting, Local File Inclusion, XXE Injection, and OS Command Injection, streamlining the process of testing and exploiting these common web application flaws. |
| 2025-08-14 2025 | https://corneacristian.medium.com/top-25-xss-bug-bounty-reports-b3c90e2288c8 intermediate | The content discusses the top 25 XSS (Cross-Site Scripting) bug bounty reports, highlighting successful findings in various platforms. It showcases real-world examples of XSS vulnerabilities discovered by security researchers through bug bounty programs. The reports cover a range of websites and applications, emphasizing the importance of identifying and reporting XSS flaws to enhance cybersecurity. The article serves as a valuable resource for understanding XSS vulnerabilities and the impact they can have on web security. → corneacristian.medium.com |
| 2025-08-14 2025 | https://github.com/terjanq/Tiny-XSS-Payloads beginner | Library of concise XSS payloads targeting various contexts. Examples include `<svg/onload=eval(name)>` when controlling the `name` attribute, `<iframe/onload=src=top.name>` for `<iframe>` manipulation, and `<style/onload=eval(name)>` for inline style execution. The collection also features payloads utilizing `import()` for external script execution and offers deprecated payloads for specific browser versions. |
| 2025-08-14 2025 | Documenting the impossible: Unexploitable XSS labs | PortSwigger Research advanced | Labs detailing unexploitable XSS scenarios, including challenges like unclosed tag bypasses, JavaScript variable injections with escaped characters, query string processing with `innerHTML`, attribute length limitations, frameset injections, and minimal arbitrary code execution via `alert()`. These labs, presented as challenges on the PortSwigger XSS cheat sheet, aim to solidify understanding when exploitation proves difficult, offering confidence that a vulnerability may indeed be unexploitable if matching these specific, tricky conditions. → portswigger.net |
| 2025-08-14 2025 | $20000 Facebook DOM XSS : Vinoth Kumar news | The content appears to be a brief mention of a $20,000 reward offered by Facebook for discovering a DOM XSS vulnerability. The discovery was made by Vinoth Kumar. This type of vulnerability can allow attackers to manipulate a website's content and potentially compromise user data. |
| 2025-08-14 2025 | Samesite by Default and What It Means for Bug Bounty Hunters intermediate Bug Bounty CSRF | Analysis of SameSite by Default's impact on bug bounty hunting reveals that while it aims to mitigate CSRF, it significantly affects other client-side vulnerabilities. Clickjacking, Cross-Site Script Inclusion (XSSI), JSONP leaks, Data Exfiltration, XSLeaks, and Cross-Site WebSocket Hijacking are all impacted due to the inability of cross-origin requests to carry cookies. While CORS misconfigurations and some XSS scenarios might have workarounds, the change fundamentally alters the landscape for exploiting these vulnerabilities. |
| 2025-08-14 2025 | Cross-Site Scripting (XSS) Cheat Sheet - 2023 Edition | Web Security Academ beginner | Cheatsheet of Cross-Site Scripting (XSS) vectors, this resource details numerous techniques for bypassing Web Application Firewalls and filters. It categorizes vectors by event handlers like `onanimationcancel`, `onscrollend`, and `onwebkitanimationiteration`, or by consuming tags. Specific bypass methods are provided, including those avoiding parentheses, quotes, or spaces through exception handling and location hash evaluation, as well as hoisting techniques involving undefined variables, functions, and classes, and utilizing `window.name` or ES6 template strings. → portswigger.net |
| 2025-08-14 2025 | https://labs.nettitude.com/blog/cross-site-scripting-xss-payload-generator/ intermediate | Library for generating obfuscated Cross-Site Scripting (XSS) payloads to bypass output encoding and character blacklisting filters. It offers various payload actions, including loading external scripts, invoking URL requests, or executing custom JavaScript snippets. Obfuscation methods include `eval()`, Base64 with `atob()`, string reversal, `String.fromCharCode()`, and hex codes. The library supports different injection types, such as breaking out of element attributes or using SVG `onload` events, and includes 0xsobky's XSS polyglot. |
| 2025-08-14 2025 | https://sametsahin.net/posts/steal-csrf-tokens-with-simple-xss/ intermediate | Writeup detailing a simple cross-site scripting (XSS) technique capable of stealing CSRF tokens. This method leverages basic XSS payloads to exfiltrate sensitive tokens, potentially leading to unauthorized actions on behalf of the user. The article highlights the importance of robust CSRF protection mechanisms in web applications to prevent such attacks. |
| 2025-08-14 2025 | https://gauravnarwani.com/xssed-my-way-to-1000/ intermediate | Writeup of a Synack bug bounty case study detailing a reflected XSS filter bypass that earned $1000+. The analysis focuses on bypassing input restrictions using character encoding like `%0A` and exploiting JavaScript execution flow by inserting an `else` block to trigger `alert('XSS')` when direct payload injection failed due to `if (false)` conditions and unclosed parentheses. |
| 2025-08-14 2025 | https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md intermediate | Collection of JavaScript Cross-Site Scripting (XSS) payloads, specifically demonstrating techniques to execute `alert(23)` without using parentheses. This resource includes a wide variety of bypasses and creative methods, often leveraging unusual JavaScript features, object prototypes, and browser-specific quirks to achieve execution, such as manipulating `onerror`, `setTimeout`, `eval`, and various string manipulation techniques. |
| 2025-08-14 2025 | How to identify whether XSS is reflected or DOM based? intermediate | The content discusses methods to determine if a Cross-Site Scripting (XSS) vulnerability is reflected or DOM-based. This distinction is crucial for understanding how the attack is executed and mitigated. By analyzing the source of the vulnerability and its impact on the Document Object Model (DOM), security professionals can effectively identify and address XSS threats. Understanding the nature of XSS helps in implementing appropriate security measures to prevent exploitation and protect web applications from malicious attacks. |
| 2025-08-14 2025 | DOM XSS Intro beginner | Brief introduction to DOM-based Cross-Site Scripting (XSS) that gives no specific details or examples. DOM XSS is a type of XSS attack that occurs when client-side scripts manipulate the Document Object Model (DOM) in a way that allows malicious scripts to be executed in a victim's browser. |
| 2025-08-14 2025 | Reflected XSS via AngularJS Template Injection | Hostinger intermediate | The content title mentions "Reflected XSS via AngularJS Template Injection" on Hostinger. This indicates a security vulnerability where attackers can inject malicious code into AngularJS templates, leading to cross-site scripting (XSS) attacks. The vulnerability allows attackers to execute scripts in the context of a user's browser, potentially compromising sensitive data or performing unauthorized actions on the affected website. It highlights the importance of securing web applications against such vulnerabilities to prevent exploitation and protect user data. |
| 2025-08-14 2025 | How I Found Stored XSS in Yahoo! intermediate | The content provided is a title stating "How I Found Stored XSS in Yahoo!". It suggests that the author discovered a stored cross-site scripting (XSS) vulnerability in Yahoo's system. The title implies that the author will likely share their experience, methodology, and findings related to identifying and exploiting this security flaw in Yahoo's platform. |
| 2025-08-14 2025 | What is XSS? Cross-site Scripting Explained beginner | Cross-site scripting (XSS) is a security vulnerability where attackers inject malicious scripts into web pages viewed by other users. This can lead to theft of sensitive information, unauthorized access, and other malicious activities. XSS exploits the trust a user has for a particular website, allowing attackers to execute scripts in the victim's browser. It is crucial for developers to implement proper security measures to prevent XSS attacks, such as input validation and output encoding. Understanding XSS and its implications is essential for maintaining the security of web applications. |
| 2025-08-14 2025 | s0md3v/AwesomeXSS intermediate | Library of XSS resources, including challenges, tools, and payloads. It details numerous XSS vectors and bypass techniques, referencing specific sinks and sources from domxsswiki. Examples include SVG onload events, JavaScript context breaking with encoded characters, attribute injection using polyglots, and bypassing filters by omitting spaces, quotes, or the equal sign in payloads. The resource also provides methods for shortening URLs and avoiding common XSS detection keywords like "alert." |
| 2025-08-14 2025 | Demonstrating Reflected versus DOM Based XSS intermediate | Library demonstrating DOM-based XSS exploitation in the OWASP Juice Shop, contrasting it with Reflected XSS in Altoro Mutual. The post details how to construct a malicious server to steal user cookies, extract JWTs, and retrieve password hashes, showcasing the effectiveness of DOM-based XSS against typical security measures. |
| 2025-08-14 2025 | https://medium.com/bugbountywriteup/how-i-found-a-xss-vulnerability-within-the-response-field-64a3b7d159ed?source=userActivityShare-90814179aa21-1528434838 intermediate | The content discusses how a security researcher discovered a cross-site scripting (XSS) vulnerability within a response field. The researcher explains the steps taken to identify and exploit the vulnerability, highlighting the importance of thorough testing and responsible disclosure. The article serves as a valuable resource for understanding XSS vulnerabilities and the process of reporting them for responsible disclosure. |
| 2025-04-23 2025 | Cross-Site WebSocket Hijacking Exploitation in 2025 - Include Security Research Blog intermediate | Analysis of Cross-Site WebSocket Hijacking (CSWSH) exploitation, detailing how browser security improvements like Third Party Cookie Restrictions, Private Network Access, SameSite=Lax by default, and Firefox's Total Cookie Protection increasingly limit its effectiveness. It recaps CSWSH prerequisites, including cookie-based authentication with SameSite=None and missing Origin validation on WebSocket servers, and explores how these mitigations impact exploitability through case studies. |
| 2025-04-11 2025 | XSS payloads for href beginner | XSS payloads for href. |
| 2025-04-09 2025 | Controlling XSS Using A Secure WebSocket CLI - InfoSec Write-ups intermediate | When experimenting with Cross-Site Scripting (XSS), what’s the quickest way to test multiple payloads efficiently? Not long ago, I set up an XSS server that serves remote payloads, which can easily… → infosecwriteups.com |
| 2025-04-09 2025 | From Recon to Exploits: Uncovering XSS, Open Redirects, and More using this script intermediate Bug Bounty Recon | Step by Step guide to hunt info disclosure, xss and more → osintteam.blog |
| 2025-04-01 2025 | GitHub - Leviticus-Triage/XSS_Hunter: A framework for automated detection and exploitation of XSS vulnerabilities intermediate | Framework for automated detection and exploitation of XSS vulnerabilities. It leverages machine learning for payload generation, WAF detection and evasion, and robust vulnerability validation. Features include scan, exploit, payload, and report modes, with options for screenshots, callback servers for blind XSS, and various validation levels for accuracy. It supports authenticated scans and DOM-based XSS detection. |
| 2025-03-31 2025 | Javascript Recon for Bug Bounty & Pentesting intermediate Bug Bounty Recon | Hidden endpoints, secrets, and DOM XSS using Automated JS Analysis |
| 2025-03-30 2025 | Stored XSS in My Flow To RCE in Opera Browser #2 - Renwa - Medium intermediate Bug Bounty RCE | Hey Opera team, your great response and bounties on previous reports motivated me to look more into the program and find more bugs; luckily I found a critical bug in My Flow that allows an… |
| 2025-02-20 2025 | How I got a Stored XSS by searching through JS files. intermediate Bug Bounty | Hello Friend, I’m gonna talk about a simple Stored XSS vulnerability I found in a private bug bounty program at Bugcrowd by searching in… |
| 2025-02-01 2025 | Tiny XSS Payloads beginner | A collection of small XSS payloads |
| 2025-01-28 2025 | domloggerpp/.github/images/firefox_manual.png at main · kevin-mizu/domloggerpp · GitHub intermediate | A browser extension that allows you to monitor, intercept, and debug JavaScript sinks based on customizable configurations. - kevin-mizu/domloggerpp |
| 2025-01-28 2025 | Cross Site Scripting - Payloads All The Things intermediate | Reference containing a comprehensive collection of Cross-Site Scripting (XSS) payloads and techniques. It details reflected, stored, and DOM-based XSS, offering proof-of-concept examples for data exfiltration and session hijacking, including payloads for HTML, SVG, and various HTML5 tags. The resource also lists tools like XSStrike, xsser, Dalfox, and XSpear for identifying XSS vulnerabilities. |
| 2025-01-23 2025 | XSS Penetration Testing Tool | Advanced Web Security for Pen Testers intermediate | Tool for automated XSS detection, supporting 4500+ payloads and WAF bypass. It handles GET and POST requests, scans all parameters, and identifies Reflected, Stored, DOM-based, and Blind XSS vulnerabilities. Features include blind XSS automation, real-time feedback on confirmed alerts and WAF detection, and generation of detailed HTML, PDF, CSV, and JSON reports. Businesses can request a 48-hour trial license. |
| 2025-01-19 2025 | Google XSS Game beginner | Warning: You are entering the XSS game area |
| 2024-12-31 2024 | GitHub - 11whoami99/XSS-keylogger: A simple JS code to keylog data and send it to a personal server intermediate | A simple JS code to keylog data and send it to a personal server - 11whoami99/XSS-keylogger |
| 2024-12-21 2024 | GitHub - Cybersecurity-Ethical-Hacker/xssdynagen: 🪄 XSSDynaGen is a tool designed to analyze URLs with parameters, identify the characters allowed by the server, and generate advanced XSS payloads based on the analysis results. intermediate Fuzzing | Library for dynamic XSS payload generation; analyzes URLs with parameters to identify server-allowed characters and constructs advanced payloads. Features asynchronous processing, parameter character testing with canary-based reflection verification, customizable character sets, and advanced evasion techniques like null bytes and Unicode encoding. Supports batch processing, proxy routing (Burp Suite, ZAP, mitmproxy), configurable rate limiting, and automatic retries. Output includes structured JSON with detailed analysis and generated payloads, or plain text. |
| 2024-11-15 2024 | GreHack 2024 | Playing with HTML parsing to bypass DOMPurify on default configuration advanced | Slides from GreHack 2024 detail techniques for bypassing DOMPurify's default configuration through HTML parsing manipulation. The presentation covers exploiting DOMPurify versions 2.0.0, 3.0.0, 3.1.0, 3.1.1, and 3.1.2, demonstrating vulnerabilities related to node flattening, insertion modes, namespace switching, DOM clobbering, and attribute sanitization. It highlights specific bypasses achieved by leveraging HTML integration points, nested structures, and mutated elements to achieve cross-site scripting. |
| 2024-11-13 2024 | JavaScript for Hacking Made Easy: Expert Guide beginner | Guide to using JavaScript for ethical hacking, detailing how its client-side execution enables attacks like Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). It introduces the browser's developer console for debugging and analysis, and demonstrates vulnerability identification using OWASP ZAP against targets like Damn Vulnerable Web Application (DVWA). |
| 2024-11-13 2024 | [HackerNotes Ep.95 & Ep.96] Cookies, Caching & Attacking Chrome Extensions with MatanBer advanced Talks | Library for understanding and attacking browser extensions, covering components like content scripts, service workers, extension pages, and the manifest file. It details techniques for gaining source code access, exploiting extension scoping, and attacking content scripts via DOM injection and clickjacking, as well as extension and service worker pages through misconfigurations and message-passing APIs. The resource also includes insights on debugging extensions and notes on cookie parsing behaviors from the HeroV6 CTF writeup. |
| 2024-11-10 2024 | GitHub - whitel1st/docem: A tool to embed XXE and XSS payloads in docx, odt, pptx, xlsx files (oxml_xxe on steroids) intermediate XXE | Library for embedding XXE and XSS payloads within common document formats like docx, odt, and pptx. Docem automates the process of replacing placeholder "magic symbols" in a sample document with specified payloads, offering granular control over payload placement per document, per file, or per placeholder. It serves as a more convenient alternative to tools like oxml_xxe when generating numerous poisoned documents. |
| 2024-11-02 2024 | Brute XSS 2024 intermediate | A 10-page collection of dozens of the best vectors and payloads for Cross-Site Scripting (XSS) with filter bypass techniques. |
| 2024-11-01 2024 | XSS Payloads beginner | XSS Payloads web site |
| 2024-10-17 2024 | B-XSSRF - Toolkit To Detect And Keep Track On Blind XSS, XXE And SSRF intermediate SSRF XXE | "B-XSSRF is a toolkit designed to detect and monitor Blind XSS, XXE, and SSRF vulnerabilities. The setup involves uploading files to a server and creating a database. The toolkit helps in identifying and tracking these security issues to enhance the overall security posture of a system." → kitploit.com |
| 2024-10-03 2024 | CSP Bypass Search intermediate | CSP Bypass Search |
| 2024-09-26 2024 | Simplifying XSS Detection with Nuclei - A New Approach intermediate | Library for simplifying XSS detection, leveraging Nuclei's headless mode and the `waitdialog` action. This technique mimics real user interactions by running JavaScript, allowing for detection of XSS payload execution via JavaScript dialogs rather than relying on complex, target-specific reflection-based string matchers. The headless approach offers higher accuracy and reduced complexity, making XSS detection more consistent across different web applications. |
| 2024-09-24 2024 | xssorRecon/xss0rRecon.sh at main · xss0r/xssorRecon beginner Bug Bounty Recon | Library for automated web application security reconnaissance and XSS vulnerability detection. This tool streamlines the process of identifying potential XSS attack vectors by performing domain enumeration, URL crawling, parameter analysis, and utilizing specific sub-tools like HiddenParamFinder. It aims to prepare for and launch XSS detection, offering options for path-based XSS and domain input searches, and includes a guide for deploying the tool on VPS servers for continuous operation. |
| 2024-09-23 2024 | GitHub - Emoe/kxss: This is an adaptation of tomnomnom's kxss tool with a different output format intermediate | Go adaptation of tomnomnom's kxss that changes the output format for easier grepping in recon scripts. It processes URLs to identify unfiltered characters like single quotes, double quotes, and angle brackets within parameters, presenting findings in a structured `URL: [param] Unfiltered: [chars]` format. Installation is handled via `go get github.com/Emoe/kxss`, and usage involves piping URLs to the executable. |
| 2024-09-22 2024 | DOM-based XSS: Exploiting `document.write` with `location.search` intermediate | Cross-Site Scripting (XSS) vulnerabilities pose significant risks to web applications by allowing attackers to inject malicious scripts… |
| 2024-09-13 2024 | GitHub - xss0r/xssorRecon: Automate Recon XSS Bug Bounty beginner Bug Bounty Recon | Library for automating XSS bug bounty reconnaissance. This tool requires downloading and extracting various files, including tools and wordlists, to a single directory for proper operation. Users can access a free five-day Pro plan license from the 10th to the 15th of each month via store.xss0r.com to explore the full functionality before potential purchase. |
| 2024-09-07 2024 | lostools/xsspollygots.txt at coffin · coffinsp/lostools intermediate | |
| 2024-09-01 2024 | Bypassing CSP via URL Parser Confusions : XSS on Netlify’s Image CDN advanced | Heyyy Everyonee, |
| 2024-08-24 2024 | Top 10 XSS Payloads beginner | Those are the most useful payloads to prove the vast majority of Cross Site Scripting (XSS) vulnerabilities out there. |
| 2024-08-22 2024 | BChecks/vulnerability-classes/injection at main · PortSwigger/BChecks · GitHub intermediate Burp RCE SQLi | BChecks collection for Burp Suite Professional and Burp Suite Enterprise Edition - PortSwigger/BChecks |
| 2024-07-30 2024 | OAuth+XSS Attack Threatens Millions of Web Users With Account Takeover news API Sec AuthN | An attack flow that combines API flaws within "log in with" implementations and Web injection bugs could affect millions of websites. → darkreading.com |
| 2024-07-22 2024 | DOM-based Cross-Site Scripting Attack in Depth - GeeksforGeeks beginner | Guide to DOM-based Cross-Site Scripting detailing how attackers manipulate the Document Object Model on the client-side, bypassing server-side protections. It explains how payloads are executed by legitimate JavaScript after the victim clicks a crafted URL, leading to session hijacking, cookie theft, and sensitive data compromise. The guide recommends using tools like Burp Suite for detection and emphasizes sanitizing JavaScript input, using secure frameworks like AngularJS and React, and avoiding vulnerable source attributes like `location.href`. → geeksforgeeks.org |
| 2024-07-22 2024 | Understanding DOM-Based XSS: Sources and Sinks intermediate | This post assumes the reader has some knowledge on HTML, JavaScript (JS), and Cross-site scripting (XSS). I still try to explain some of… |
| 2024-07-22 2024 | Best Approach to DOM XSS intermediate | First of all we need to understand the nature of this vulnerability and how it occurs, then we proceed to look forward to how to detect and… |
| 2024-07-22 2024 | DOM XSS: What Is DOM-based Cross-Site Scripting And How can you Prevent it? beginner | Library detailing DOM-based Cross-Site Scripting (DOM XSS) vulnerabilities, which affect up to 50% of websites, impacting companies like Google, Yahoo, and Amazon. It explains how this client-side vulnerability occurs when malicious JavaScript alters the Document Object Model, enabling attackers to exploit sources like `document.URL` and sinks such as `document.write` or `innerHTML` to execute arbitrary code and steal sensitive data. The resource differentiates DOM XSS from reflected and stored XSS, highlighting its client-side root cause and the necessity for client-side code sanitization and careful handling of client data. |
| 2024-07-22 2024 | DOM Based XSS | Tutorial & Examples | Snyk Learn | Snyk Learn beginner | Tutorial on DOM XSS vulnerabilities, explaining how attackers manipulate the Document Object Model with client-side code injected via user-controllable sources like `eval()`, `document.write()`, or `innerHTML` sinks. It demonstrates exploiting a personalized profile color feature by escaping URL query parameters and recommends mitigating this by directly assigning color values to `document.body.style.color`, sanitizing input with libraries like `node-esapi`, or employing Content Security Policy (CSP) with nonces. |
| 2024-07-22 2024 | DOM-Based Cross-Site Scripting (DOM XSS) Explained beginner | 👍👍👍 and subscribe for more DOM XSS tutorials: https://www.youtube.com/channel/UC2vVVgKKzN-Gb_xeaUY0o-Q?sub_confirmation=1 Check out my best selling AppSec ... |
| 2024-07-22 2024 | What is DOM-based XSS (cross-site scripting)? Tutorial & Examples \| Web Security Academy beginner | Tutorial on DOM-based XSS vulnerabilities, detailing how JavaScript sources like `window.location` can pass attacker-controllable data to sinks such as `eval()` or `innerHTML`, enabling malicious JavaScript execution. It covers manual testing techniques using browser developer tools to inspect HTML and JavaScript execution sinks, and introduces Burp Suite's DOM Invader extension for automated detection. The tutorial also explores exploiting DOM XSS through various sinks like `document.write()` and `innerHTML`, including examples with third-party dependencies like jQuery's `attr()` and `$()` functions. → portswigger.net |
| 2024-07-22 2024 | DOM Based XSS \| OWASP Foundation beginner Bug Bounty | Reference detailing DOM-based XSS (Type-0 XSS), a vulnerability where client-side scripts execute unexpectedly due to malicious modifications of the DOM environment, not the HTTP response itself. It provides examples, including a `decodeURIComponent` vulnerability and the fragment-based technique to bypass server-side detection, and mentions attacks against Adobe PDF plugins. The entry also references testing tools like DOM Snitch and the DOM XSS Wiki. → owasp.org |
| 2023-12-20 2023 | XSSRF: The Matrimony of XSS and SSRF. advanced SSRF | The content discusses XSSRF, the combination of Cross-Site Scripting (XSS) and Server-Side Request Forgery (SSRF), in which an XSS vulnerability is used to make the server issue attacker-controlled requests. The term "matrimony" is used metaphorically for the dangerous union of these two attack vectors; the link likely leads to further detail on the topic. |
| 2023-12-05 2023 | A Bunch of Web and XSS Challenges intermediate | Writeups detail several web application security challenges, including exploiting AngularJS in editable divs via copy-paste XSS and connection pools, bypassing Content-Type restrictions with UTF-16 and `multipart/mixed`, and achieving XSS through path manipulation and bypassing DOMPurify with crafted HTML. Techniques such as DOM clobbering and leveraging Chrome DevTools Protocol for headless mode downloads are also discussed, offering insights into overcoming common sanitization and browser security mechanisms. |
| 2023-12-01 2023 | Cookie Bugs - Smuggling & Injection intermediate | Writeup on browser cookie encoding and web framework parsing, detailing browser behaviors like subdomain and superdomain cookie inheritance, __Host- and __Secure- prefixes, cookie ordering, and empty cookie names. It covers browser-specific issues like Chrome's `document.cookie` corruption and vulnerabilities like cookie smuggling and injection found in Java web servers (Jetty, Tomcat, Undertow) and Python frameworks (Zope, CherryPy, aiohttp, Bottle, Webob), including CVE-2023-26049 and GHSA-p26g-97m4-6q7c. |
| 2023-12-01 2023 | Bypass CSP Using WordPress By Abusing Same Origin Method Execution intermediate | Technique bypasses Content Security Policy (CSP) by exploiting a WordPress JSONP endpoint to execute arbitrary JavaScript. This method, nominated for Top Web Hacking Techniques of 2023, leverages Same Origin Method Execution (SOME) to craft payloads that defeat CSP restrictions. It allows an attacker with HTML injection on a main domain to achieve full-blown XSS, and potentially RCE, if WordPress is hosted on a subdomain or directory, as demonstrated with Octagon.net. |
| 2023-11-02 2023 | JS-Tap: Weaponizing JavaScript for Red Teams intermediate | Tool for weaponizing JavaScript for red teams, JS-Tap provides a generic payload that does not require prior application knowledge or authenticated access. It operates in Trap Mode for XSS payloads, using an iframe trap for persistence, or Implant Mode for direct injection into application JavaScript files. JS-Tap instruments the client side to collect data such as IP address, OS, browser, typed user inputs, visited URLs, cookies, local and session storage, HTML code, screenshots, and XHR/Fetch API call details, which are then monitored via a web-based portal. |
| 2023-10-05 2023 | Writeups for Damn Vulnerable Web Application (DVWA) beginner SQLi | Writeups for Damn Vulnerable Web Application (DVWA) https://ift.tt/b6djesM |
| 2023-10-05 2023 | 2023 Microsoft Office XSS intermediate | Writeup detailing a Microsoft Office XSS vulnerability discovered in Word and Office 365. This vulnerability allows attackers to embed malicious JavaScript by crafting a video title, which is then rendered insecurely within an iframe when the video is played in a document. The exploit leverages the iframe's `onload` attribute, enabling arbitrary JavaScript execution, similar to past critical Office exploits like CVE-2021-40444 and CVE-2022-30190. |
| 2023-10-05 2023 | xss beginner | Writeup detailing Cross-Site Scripting (XSS) techniques and payloads, including examples like `onerror` attributes, iframe `srcdoc` exploitation, OAuth state parameter manipulation for XSS via `<script>`, and Base64 encoded JavaScript payloads. It showcases bypassing filters with various HTML tags and attributes, demonstrating an XSS to Local File Inclusion (LFI) payload targeting `/etc/passwd`, and references external resources for mass injection and Microsoft Office vulnerabilities. |
| 2023-10-03 2023 | XSS to Exfiltrate Data from PDFs intermediate | XSS to Exfiltrate Data from PDFs https://ift.tt/sGqiZz6 |
| 2023-10-03 2023 | Is XSS Attack via PDF Javascript Possible? intermediate | Analysis of PDF JavaScript execution in browsers, investigating its potential for XSS attacks. The entry addresses whether JavaScript embedded within PDF documents, like the example using `app.alert`, can access browser data such as cookies or perform redirects, and whether sandboxing mechanisms prevent such actions when PDFs are opened via a web browser. → stackoverflow.com |
| 2023-10-03 2023 | PDFBox - JavaScript in PDF Document beginner | Library for programmatically embedding JavaScript actions into PDF documents using the Apache PDFBox framework. This technique involves loading an existing PDF, creating a `PDActionJavaScript` object with the desired script (e.g., an `app.alert` command), and setting it as the document's open action before saving and closing. |
| 2023-09-26 2023 | How Could a Self-XSS end with $$$$ intermediate | How Could a Self-XSS end with $$$$ https://ift.tt/681snfM |
| 2023-09-16 2023 | 8 XSS Vulnerabilities in Azure HDInsight Allow Attackers to Deliver Malicious Payloads news | 8 XSS Vulnerabilities in Azure HDInsight Allow Attackers to Deliver Malicious Payloads https://ift.tt/yam8fue |
| 2023-09-07 2023 | Identify Cross Site Scripting Vulnerabilities with these XSS Scanning Tools beginner | Tools for detecting Cross-Site Scripting (XSS) vulnerabilities include Burp Suite, DalFox, Detectify, XSStrike, Wapiti, Pentest-Tools.com XSS Scanner, Intruder, Security for Everyone (S4E), ZAP, XSSer, Acunetix, and Invicti. These scanners analyze web applications by simulating attacks to find injection points for malicious scripts, helping to remediate issues like Reflected XSS, Stored XSS, and DOM-based XSS. |
| 2023-08-09 2023 | https://thexssrat.podia.com/full-house-bundle-all-of-our-current-and-future-courses-in-one?coupon=FRGDFG beginner | https://ift.tt/f9xe58a |
| 2023-08-01 2023 | XSS Payloads on Twitter beginner | https://twitter.com/xsspayloads/status/1685889094574874624?s=12&t=lhd09Kl740jrudlSO85fxA |
| 2023-06-08 2023 | XSS Unleashed: Bypassing Filters with XLink Namespace intermediate | XSS Unleashed: Bypassing Filters with XLink Namespace https://ift.tt/IuayGmr |
| 2023-04-02 2023 | Mastering XSS: A Comprehensive Guide for Bug Bounty Hunters beginner Bug Bounty | Mastering XSS: A Comprehensive Guide for Bug Bounty Hunters https://ift.tt/tFcafTi |
| 2023-04-02 2023 | How to Hack Web Browsers with BeEF Framework intermediate | How to Hack Web Browsers with BeEF Framework https://ift.tt/r8zkdW9 |
| 2023-03-17 2023 | Bypassing Character Limit - XSS Using Spanned Payload intermediate | The content discusses bypassing character limits in XSS attacks with a "spanned" payload that uses a span element, so that malicious code can be injected beyond the input-length restrictions imposed by security measures and harmful scripts can still execute on vulnerable websites. |
| 2023-03-16 2023 | XSS-Payloads beginner | List of XSS payloads collected since 2015 from various sources, designed to bypass Web Application Firewalls (WAF) and identify XSS vulnerabilities. While older versions of `payloads.txt` are outdated, the project directs users to the PortSwigger XSS cheat sheet for current payloads and other valuable XSS resources. |
| 2023-01-30 2023 | The XSS hunter's secret weapon beginner | Tool for detecting and reporting blind cross-site scripting (XSS) vulnerabilities. BXSSHUNTER generates markdown reports for platforms like HackerOne and Bugcrowd, hosts payloads remotely via *.bxss.in URLs for execution tracking, and offers instant notifications on Slack, Discord, and email. It also provides a public profile page to showcase XSS hunting skills. |
| 2023-01-30 2023 | Xss beginner | Link to a website named "XSS Report", which likely offers information, resources, or tools for identifying and mitigating cross-site scripting (XSS) vulnerabilities, a common web application flaw that lets attackers inject malicious scripts into pages viewed by other users. |
| 2022-09-14 2022 | DOM-based vulnerabilities \| Web Security Academy beginner | Reference for DOM-based vulnerabilities detailing taint flow from attacker-controllable sources like `location.search` and `document.referrer` to dangerous sinks such as `eval()` and `document.body.innerHTML`. It covers preventing these vulnerabilities through input validation, sanitization, and encoding, and mentions advanced techniques like DOM clobbering. Labs are available for practical exploitation. → portswigger.net |
| 2022-06-20 2022 | Favorite tweet by @Burp_Suite news Burp | Favorite tweet: Burp Suite 2022.6 released to the Early Adopter channel. Includes grouped tabs for Repeater, connection reuse for HTTP/1 requests, and new preset scan modes. Also introduces the abili... |
| 2022-06-20 2022 | Favorite tweet by @PortSwigger intermediate Burp | Favorite tweet: Finding Client-Side Prototype Pollution (CSPP) with DOM Invader by @garethheyes - now available on the Early Adopter channel https://t.co/ut1Buup1so — PortSwigger (@PortSwigger) Jun ... |
| 2022-05-11 2022 | Favorite tweet by @Nickieyey beginner Bug Bounty | Favorite tweet: Top XSS (Cross Site Scripting) Tools : 1) BeeF 2) BlueLotus_XSSReceiver 3) xssor2 4) Xsser-Varbaek 5) Xsser-Epsylon 6) Xenotix #pentesting #ethicalhacking #cybersecurity #CyberSec #we... |
| 2022-04-14 2022 | Favorite tweet by @e11i0t_4lders0n intermediate Bug Bounty Burp | Favorite tweet: Burp Extension for XSS Thread 🧵 #bugbounty #bugbountytip #bugbountytips — Tushar Verma 🇮🇳 (@e11i0t_4lders0n) Apr 14, 2022 |
| 2022-03-18 2022 | Favorite tweet by @NandanLohitaksh intermediate Recon | Favorite tweet: Mass Blind XSS 🔥👇 By @HackerGautam ✅ One-Liner : hakrawler -plain -usewayback -wayback -url https://t.co/UWTXcbtzMq \| grep "=" \| egrep -iv ".(jpg\|jpeg\|gif\|css\|tif\|tiff\|png\|ttf\|woff\|wo... |
| 2022-03-18 2022 | Favorite tweet by @HackerGautam intermediate Recon | Favorite tweet: Mass Blind XSS 🔥👇 ✅ One-Liner : hakrawler -plain -usewayback -wayback -url https://t.co/Tmo5ijSdeM \| grep "=" \| egrep -iv ".(jpg\|jpeg\|gif\|css\|tif\|tiff\|png\|ttf\|woff\|woff2\|ico\|pdf\|svg\|t... |
| 2022-02-08 2022 | Favorite tweet by @manicode beginner | Favorite tweet: OWASP has released an update to the XSS Prevention CheatSheet. This is one of our most popular CheatSheets and we are taking community consultation that the draft is ready for public ... |
| 2022-01-18 2022 | CSP Inline Scripts intermediate | Reference detailing Content Security Policy (CSP) handling of inline scripts. It explains how browsers reject inline scripts like `<script> doSomething(); </script>` and event handlers like `onclick="doSomething();"` when CSP is active. The document outlines methods to allow these, including a single-use `nonce` value, pre-computed SHA256 `hash` values, the generally discouraged `unsafe-inline` source expression, and the CSP Level 3 `unsafe-hashes` keyword for event handlers. |
| 2021-12-27 2021 | Cross-examination: unveiling JavaScript injection fingerprint masking attempts advanced | Library for managing multiple online identities, this tool focuses on advanced browser fingerprinting and session management. It enables users to create unique browser profiles with customizable settings for timezone, geolocation, WebRTC, and hardware fingerprints like Canvas and WebGL. The library also supports proxy server configuration and session restoration, allowing for persistent logins across various websites within a single identity. |
| 2021-12-07 2021 | Hacker Tools: How to set up XSSHunter beginner | Tool for detecting blind XSS vulnerabilities, XSSHunter allows users to host specialized XSS probes that scan pages and send vulnerability details via email upon triggering. The article details how to set up a self-hosted instance of XSSHunter Express using Docker, configuring DNS, and running the application, enabling granular control over collected data and enhanced notification reliability. A practical example demonstrates exploiting a vulnerable XSS lab with a generated payload and observing successful exploitation reports. |
| 2021-12-07 2021 | XSS Hunter is Now Open Source, Here's How to Set It Up! beginner | Library for self-hosting XSS Hunter, an open-source tool designed to detect blind XSS vulnerabilities. The setup process involves configuring DNS, installing dependencies like Nginx and PostgreSQL, cloning the source code from GitHub, and running the API and GUI servers within tmux sessions. Requirements include a server, a Mailgun account, a domain name, and a wildcard SSL certificate. |
| 2021-11-26 2021 | Find reflected XSS candidates in source code intermediate | Find reflected XSS candidates in source code |
| 2021-11-19 2021 | Tackling Cross Site Scripting with Smart Contracts intermediate | Library addressing Cross-Site Scripting (XSS) attacks originating from smart contracts. It details how user-supplied strings, such as store names or product descriptions in a decentralized application (dApp), can be exploited to inject malicious HTML or JavaScript. The resource discusses both front-end UI validation and the more robust approach of implementing character validation directly within the smart contract itself to prevent DOM-based XSS and protect against direct RPC call exploits. It highlights the gas costs associated with on-chain validation using tools like `eth-gas-reporter`. |
| 2021-11-13 2021 | Web Attack Cheat Sheet beginner API Sec Bug Bounty SQLi | Cheatsheet of web attack techniques and tools, covering manual and automated methods for discovering, enumerating, scanning, monitoring, and attacking web applications. It includes techniques like SSRF, XXE, SQLi, XSS, Path Traversal, SSTI, and information disclosure, alongside tools for ASN lookups, favicon analysis, CDN IP range identification, and subdomain enumeration. Resources mentioned include Project Discovery's Chaos, ASNlookup, CloudPeler, CloudFlair, cdncheck, CloudBunny, CF-Hero, ksubdomain, OWASP Amass, subfinder, and pius. |
| 2021-11-03 2021 | Finding and Fixing DOM-based XSS with Static Analysis Attack & Defense intermediate | Library for detecting and preventing DOM-based XSS vulnerabilities in client-side JavaScript code. This static analysis tool, built as an eslint plugin called `eslint-plugin-no-unsanitized`, parses Abstract Syntax Trees (ASTs) to identify risky assignments to `innerHTML`, `outerHTML`, and calls to `insertAdjacentHTML()`, `document.write()`, and `document.writeln()`. It distinguishes between hardcoded safe strings and potentially attacker-controlled variables, and supports integration with sanitizers like DOMPurify to reduce false positives and improve security posture for Single Page Applications and Electron applications. |
| 2021-11-02 2021 | https://blog.isiraadithya.com/intigriti-1021-xss-challenge-solution-writeup/ intermediate | Writeup of Intigriti XSS Challenge 1021, detailing a mutation XSS exploit. The challenge involved an iframe containing a PHP page that reflected user input from the `html` parameter. By carefully crafting HTML to manipulate the DOM structure and leverage how browsers auto-correct malformed HTML, the author bypassed the Content Security Policy (CSP) to inject JavaScript. The solution focused on injecting specific tags, including `<test id="intigriti">` and `<xss><te>`, to control the last four characters of the injected JavaScript's context, ultimately leading to an XSS vulnerability. |
| 2021-10-26 2021 | Content Security Policy (CSP) explained including common bypasses beginner | Library for understanding Content Security Policy (CSP) headers, detailing their function in preventing XSS vulnerabilities by restricting resource sources. It explains key attributes like `self`, `unsafe-inline`, and `unsafe-eval`, and covers common bypass techniques such as callback manipulation, CDN file uploads, abusing existing libraries, and injection into the policy itself, referencing techniques found on Portswigger. |
| 2021-10-21 2021 | Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist. intermediate | Library for filtering untrusted HTML input to prevent XSS attacks. It controls tag and attribute usage based on a configurable whitelist, offering flexibility through extendable APIs. Installable via npm, it effectively sanitizes user-provided HTML in contexts like forums, blogs, and e-shops. |
| 2021-10-07 2021 | Is there a way to execute XSS in an HTML img tag with SVG? intermediate | Technique for XSS execution within an HTML `<img>` tag via SVG. SVG can embed CSS, which in turn can contain JavaScript. Methods include `expression(...)`, `url('javascript:...')`, and browser-specific features like Firefox's `-moz-binding`. This allows script execution in the host page's domain when user-controlled SVGs are rendered. Mitigation strategies involve Content-Security-Policy and serving SVGs in sandboxed, cross-domain iframes. |
| 2021-10-07 2021 | What content-types execute JavaScript in the browser? beginner | Reference discussing JavaScript execution based on `Content-Type` headers in browsers. It highlights that while `text/html` is the standard, some browsers (specifically IE) may execute JavaScript in other types like `application/form-data` or `text/xhtml+xml`. The entry also notes that browser behavior can be influenced by file extensions (`.htm`, `.html`), overriding MIME type expectations, particularly to handle malformed server configurations. → stackoverflow.com |
| 2021-10-04 2021 | 10 Types of Web Vulnerabilities that are Often Missed beginner Bug Bounty IDOR SQLi SSRF | Library detailing HTTP/2 Smuggling via custom tools like `http2smugl`, XXE within Office Open XML parsers using crafted `.docx` or `.xlsx` files, and SSRF via XSS in PDF generators, often found in applications utilizing `wkhtmltopdf` or headless browsers for PDF creation. The library also covers XSS vulnerabilities within SVG file uploads, highlighting common but frequently missed attack vectors beyond the standard OWASP Top 10. → labs.detectify.com |
| 2021-08-30 2021 | Cross-Site WebSocket Hijacking (CSWSH) intermediate API Sec | Cross-Site WebSocket Hijacking (CSWSH) |
| 2021-08-21 2021 | Why u should use burp to test Path Traversal Vulnerability and also get RXSS intermediate Burp | Why u should use burp to test Path Traversal Vulnerability and also get RXSS |
| 2021-08-17 2021 | kleiton0x00/XSScope beginner | Framework for advanced XSS and HTML Injection client-side attacks, XSScope enables XSS botnet operations, HTTP flood DDoS attacks, and automatic payload generation for bug hunting. It can hijack cameras, steal credentials, gather victim information, implement keyloggers, take screenshots, and track location. XSScope also facilitates phishing website generation for platforms like Amazon and Steam, website defacement, and DOM manipulation, including link and image changes, clickjacking, and JavaScript execution. |
| 2021-06-30 2021 | Introducing DOM Invader: DOM XSS just got a whole lot easier to find beginner Burp | Tool for finding DOM-based XSS vulnerabilities, DOM Invader integrates with Burp Suite Professional and Community Edition. It features an "Augmented DOM" to visualize sources and sinks, simplifying the discovery of XSS flaws as if they were reflected. DOM Invader also aids in testing web-message vulnerabilities by intercepting and allowing manipulation of postMessage data, even spoofing origins and generating proof-of-concept code. → portswigger.net |
| 2021-06-11 2021 | An HTML Injection Worth 600$ Dollars beginner | A security researcher discovered an HTML injection vulnerability, earning a $600 bounty. This vulnerability allowed for the injection of HTML code into a web application, potentially leading to various malicious activities such as cross-site scripting (XSS) attacks or defacement. The discovery and subsequent reporting of this flaw highlight the importance of robust input validation and sanitization to prevent such security risks. |
| 2021-05-31 2021 | All about File upload XSS beginner | File upload XSS vulnerabilities allow attackers to inject malicious JavaScript code into files that are uploaded to a web application. This can lead to various security risks, including session hijacking, data theft, and website defacement. Attackers exploit this by uploading crafted files that, when processed or displayed by the application, execute the embedded script in the user's browser. Proper sanitization and validation of uploaded files are crucial to prevent these attacks. |
| 2021-05-06 2021 | XSS Through Parameter Pollution intermediate API Sec | This content details a cross-site scripting (XSS) vulnerability exploit achieved through parameter pollution. Attackers can leverage the manipulation of parameters within web requests to inject malicious scripts. This technique allows them to bypass certain security filters and execute XSS attacks, potentially leading to data theft or unauthorized actions within the victim's browser session. |
| 2021-05-05 2021 | the XSS Rat intermediate | The "XSS Rat" is a proof-of-concept exploit developed by security researcher "secur3b0t" that demonstrates a cross-site scripting (XSS) vulnerability. This type of vulnerability allows attackers to inject malicious scripts into websites, which can then be executed in the browsers of unsuspecting users. The exploit highlights how sensitive data could potentially be compromised. No bug bounty payout amount is mentioned in the provided content. |
| 2021-04-11 2021 | Digging Deep Into Dom XSS intermediate | Only the introduction of "Digging Deep Into Dom XSS" is provided. It likely sets the stage for a discussion of DOM-based Cross-Site Scripting (XSS), a vulnerability that occurs when client-side scripts manipulate the Document Object Model (DOM) insecurely, allowing attackers to inject malicious scripts, and the importance of understanding and mitigating it. |
| 2021-04-07 2021 | The Ultimate Guide to Finding and Escalating XSS Bugs \| @Bugcrowd beginner | The content discusses Cross-Site Scripting (XSS), a prevalent vulnerability in web applications where attackers execute JavaScript in users' browsers. XSS severity varies from informative to critical. It is a dynamic bug class with significant implications. → bugcrowd.com |
| 2021-03-07 2021 | GitHub - theinfosecguy/QuickXSS: Automating XSS using Bash intermediate Bug Bounty | Tool for automating XSS discovery, QuickXSS chains `waybackurls`, `gau`, `gf`, and `dalfox`. Installation is available via `pip` or `pipx`, with an optional `quickxss setup --install` command to auto-install dependencies. Users can initiate scans using `quickxss scan -d <domain>`, with options for blind XSS callbacks (`-b`) and custom output filenames (`-o`). The tool also supports Docker builds and integration tests via `pytest`. |
| 2021-02-16 2021 | RenwaX23/XSSTRON: Electron JS Browser To Find XSS Vulnerabilities Automatic intermediate | Tool for automatically finding XSS vulnerabilities while browsing. This powerful Chromium browser detects numerous XSS scenarios, including those involving POST requests. Instructions for installation involve cloning the repository, running `npm install`, and then `npm start`. Workarounds are provided for potential issues on Debian/Ubuntu, such as manual Electron installation and sandbox disabling. |
| 2021-02-14 2021 | Stored XSS in icloud.com — $5000 news | The content does not provide any information related to a stored XSS vulnerability on icloud.com or the associated reward of $5000. It simply contains a casual greeting wishing well-being during difficult times. |
| 2021-01-24 2021 | How JavaScript works: 5 types of XSS attacks + tips on preventing them beginner | The content discusses five types of XSS (Cross-Site Scripting) attacks in JavaScript and provides tips on preventing them. It is part of a series exploring JavaScript and its components. The focus is on understanding the vulnerabilities that can be exploited through XSS attacks and offering preventive measures to enhance security. |
| 2020-06-15 2020 | $20000 Facebook DOM XSS : Vinoth Kumar intermediate | The content discusses a Facebook vulnerability related to DOM XSS, discovered by Vinoth Kumar, which could potentially lead to a $20,000 reward. It highlights the safe usage of the window.postMessage() method for cross-origin communication between Window objects. The post encourages further reading on postMessage and cross-domain communication through provided articles. |
| 2020-06-06 2020 | Top 500 Most Important XSS Cheat Sheet for Web Application Pentesting beginner | The content discusses the significance of Cross-Site Scripting (XSS) vulnerabilities in web applications and introduces the Top 500 Most Important XSS Cheat Sheet for Web Application Pentesting. XSS is a prevalent vulnerability that can be exploited widely. The cheat sheet likely contains essential information and techniques for identifying and mitigating XSS vulnerabilities during penetration testing. → gbhackers.com |
| 2020-04-06 2020 | Uber Bug Bounty: Turning Self-XSS into Good-XSS – Jack Whitton intermediate | Writeup detailing a chained exploit on Uber's Partner portal, transforming a self-XSS vulnerability into a "good-XSS" by combining it with CSRF issues in the OAuth login and logout flows. This technique leverages Content Security Policy (CSP) to control redirects, enabling an attacker to log a victim out of their session, into the attacker's account where the XSS payload executes, and then back into their own account, ultimately granting access to the victim's data. |
| 2020-04-04 2020 | s0md3v/XSStrike: Most advanced XSS scanner. intermediate | Library for advanced Cross Site Scripting (XSS) detection. XSStrike features custom parsers, an intelligent payload generator, a powerful fuzzing engine, and a fast crawler. It analyzes responses with multiple parsers to craft guaranteed-to-work payloads by context analysis integrated with its fuzzing engine, and also scans for DOM XSS vulnerabilities. It supports WAF detection and evasion, and leverages Photon, Zetanize, and Arjun. |
| 2020-02-14 2020 | Samesite by Default and What It Means for Bug Bounty Hunters intermediate Bug Bounty CSRF | Library of techniques and vulnerabilities impacted by the `SameSite=Lax` default, under which browsers omit cookies from most cross-site requests. This change affects Clickjacking, Cross-Site Script Inclusion (XSSI), JSONP Leaks, Data Exfiltration, XSLeaks, CORS Misconfigurations, Cross-Site WebSocket Hijacking, and XSS when exploiting cross-origin responses. While intended to mitigate CSRF, the `SameSite` default introduces significant challenges for these bug classes. |
| 2020-01-31 2020 | Cross-Site Script Inclusion - A Fameless but Widespread Web Vulnerability C beginner | Writeup detailing Cross-Site Script Inclusion (XSSI), a widespread vulnerability often overlooked by standard security checklists. It explains how XSSI exploits the same-origin policy by allowing attackers to include resources cross-domain via script tags, thereby leaking sensitive data like cookies, session IDs, or personal information. The writeup covers identification techniques, exploitation methods for various scenarios including dynamic JavaScript and JSONP, and defensive strategies. It also introduces DetectDynamicJS, a Burp Suite plugin designed to assist testers in discovering these vulnerabilities by comparing script files with and without authentication cookies. |
| 2020-01-30 2020 | https://sametsahin.net/posts/steal-csrf-tokens-with-simple-xss/ intermediate | Writeup details how a Cross-Site Scripting (XSS) vulnerability can be exploited to steal CSRF tokens, bypassing protections like HTTPOnly cookies. The technique involves crafting a malicious script that targets specific JavaScript variables holding sensitive session information, effectively demonstrating a common web application attack vector. |
| 2019-10-07 2019 | What is cross-site scripting (XSS) and how to prevent it? beginner | Guide to cross-site scripting (XSS) vulnerabilities, detailing how attackers can compromise user interactions by injecting malicious JavaScript. It explains the mechanisms and impact of Reflected XSS, Stored XSS, and DOM-based XSS, and outlines methods for detection and prevention, including the use of Burp Suite and specific proof-of-concept payloads like `alert()` and `print()`. → portswigger.net |
| 2019-09-15 2019 | Cross-site scripting - Wikipedia beginner | Library detailing Cross-site scripting (XSS) vulnerabilities, a common web application flaw where attackers inject client-side scripts into web pages. This allows bypassing security measures like the same-origin policy and can lead to session cookie theft and sensitive data access. The library covers non-persistent (reflected) and persistent (stored) XSS types, including examples like search engine injection and dating profile exploits, and touches upon DOM-based XSS. |
| 2019-09-11 2019 | XSS Hunter beginner | The content provided is simply the title "XSS Hunter." It appears to be a reference to a tool or concept related to Cross-Site Scripting (XSS) security testing. XSS Hunter is likely a tool used for detecting and testing XSS vulnerabilities in web applications. The tool may help security professionals identify and mitigate potential security risks related to XSS attacks. |
| 2019-09-11 2019 | The misunderstood X-XSS-Protection intermediate | Article on the X-XSS-Protection header, a browser-side defense intended to block reflected cross-site scripting, arguing that the feature is widely misunderstood or underutilized and that web developers need to configure it correctly for it to protect users rather than introduce new weaknesses. |
| 2019-08-28 2019 | GitHub - hakluke/weaponised-XSS-payloads: XSS payloads designed to turn alert(1) into P1 intermediate | Library of weaponized XSS payloads designed to elevate basic XSS vulnerabilities to critical impact, such as account takeover. These JavaScript files, loadable via script tags, perform sensitive functions within victim browsers on popular CMS platforms. The repository, inspired by techniques for upgrading XSS bugs from medium to critical, includes examples for direct inclusion or PHP hosting with the correct `Content-Type` header. |
| 2019-07-31 2019 | Cross Site Scripting (XSS) - Payload Generator | Nettitude Labs intermediate | Tool for generating Cross-Site Scripting (XSS) payloads, designed to bypass output encoding and character blacklisting filters. It supports obfuscation techniques such as `eval()`, Base64, reverse strings, `String.fromCharCode()`, and hex codes. The generator also offers various injection types, including standard element attribute breakouts and specialized payloads like 0xsobky's XSS polyglot, assisting pentesters in more complex XSS scenarios and blind XSS testing. |
| 2019-05-19 2019 | XSSed my way to 1000$ | I'm Gaurav Narwani intermediate | Writeup detailing a Synack bug bounty case study involving a reflected XSS filter bypass. The author walks through several attempts to exploit a parameter reflected within a script tag, overcoming filters for `<`, `"`, and `>` symbols. The successful payload utilized a newline character (`%0A`) and an `else` block to bypass the application's conditional logic, ultimately triggering an `alert('XSS')` and earning a $1000 bounty. |
| 2019-01-15 2019 | Excess XSS: A comprehensive tutorial on cross-site scripting beginner | Tutorial on Cross-Site Scripting (XSS) vulnerabilities, explaining how attackers exploit websites to inject malicious JavaScript into user browsers. It details three types of XSS attacks: Persistent XSS, where malicious strings are stored in the database; Reflected XSS, where strings originate from user requests; and DOM-based XSS, with vulnerabilities in client-side code. The tutorial illustrates how attackers can steal cookies using `document.cookie`, record keystrokes with `addEventListener`, or trick users with fake login forms via DOM manipulation. |
| 2018-12-31 2018 | foospidy/payloads: Git All the Payloads! A collection of web attack payload intermediate | Library for aggregating web attack payloads, including XSS vectors, SQL injection payloads, path traversal, and command injection. It consolidates resources from various sources like SecLists, fuzzdb, and specific CTF event logs, facilitating easier access to a wide array of attack techniques. The `get.sh` script can be used to download and decompress external payload files. |
| 2018-09-15 2018 | Into the Borg – SSRF inside Google production network | OpnSec intermediate SSRF | The content discusses a security researcher's findings of a Cross-Site Scripting (XSS) vulnerability in Google Caja, a tool for embedding code securely. The researcher reported the XSS in March 2018, and it was fixed by Google in May 2018. The article likely delves into the details of the vulnerability, its impact, and the process of reporting and fixing it within Google's production network. |
| 2018-08-14 2018 | Unleashing an Ultimate XSS Polyglot · 0xSobky/HackVault Wiki intermediate | A polyglot is a technique for crafting cross-site scripting (XSS) payloads that execute across various injection contexts without modification. This resource details an ultimate XSS polyglot, demonstrating its effectiveness within double-quoted, single-quoted, and unquoted tag attributes, as well as within HTML comments, common HTML tags like `<svg>` and `<iframe>`, JavaScript strings, and event handlers. The polyglot uses clever syntax, including multi-line comments and URI schemes, to bypass common filters such as `preg_replace('/\b(?:javascript:|on\w+=)/', '', PAYLOAD)`. |
| 2018-08-13 2018 | XSS Payloads beginner | The content provided is concise and simply states "XSS Payloads." This likely refers to a topic related to Cross-Site Scripting (XSS) attacks, where malicious code is injected into a website to exploit vulnerabilities. XSS payloads are the specific scripts or code used in these attacks. The summary suggests a focus on understanding and potentially mitigating XSS vulnerabilities by studying and being aware of common XSS payloads. |
| 2018-07-30 2018 | The Real Impact of Cross-Site Scripting | Dionach intermediate | Library of techniques for weaponizing Cross-Site Scripting (XSS) vulnerabilities, demonstrating practical attack vectors. This library details how XSS can lead to account hijacking via session cookie theft, credential harvesting by serving fake login pages, and sensitive data exfiltration or unauthorized operations like fund transfers. It also covers drive-by downloads using frameworks like BeEF and OWASP Xenotix, keylogger implementation, and port scanning against internal networks, all leveraging XSS flaws in applications like OWASP Broken Web Applications' Cyclone. |
| 2018-07-30 2018 | Cross site scripting XSS beginner | Cross-Site Scripting (XSS) is a security vulnerability where attackers inject malicious scripts into web pages viewed by other users. This can lead to theft of sensitive data, session hijacking, or defacement of websites. XSS attacks can be stored, reflected, or DOM-based. Prevention methods include input validation, output encoding, and implementing Content Security Policy (CSP). Regular security audits and staying updated on security best practices are crucial to protect against XSS attacks. → slideshare.net |
| 2018-07-30 2018 | Cross Site Scripting ( XSS) beginner | Talk on Cross-Site Scripting (XSS) vulnerabilities, detailing how attackers inject client-side code to steal cookies, access private information, or perform actions on behalf of users. It categorizes XSS into non-persistent, persistent, and DOM-based attacks and emphasizes server-side validation, sanitization, and output escaping as primary prevention methods. The talk also mentions web vulnerability scanners like Burp Suite for testing XSS flaws. → slideshare.net |
| 2018-07-15 2018 | [HTML] 666 lines of XSS vectors, suitable for attacking an API - Pastebin.c intermediate | Library containing 666 XSS vectors, including many variations using encoded characters and different HTML elements like `<script>`, `<img>`, `<audio>`, `<video>`, `<body>`, `<svg>`, `<iframe>`, and others with various event handlers. The vectors target common injection points and bypass techniques suitable for testing API and web application security. |
| 2018-07-03 2018 | Reflected Client XSS at Amazon.com intermediate | A bug at Amazon.com enables the theft of cookies from all Amazon domains, potentially redirecting visitors to a phishing login page. This reflected client XSS vulnerability poses a serious security risk by allowing unauthorized access to user data. |
| 2018-06-27 2018 | Reflected XSS on Stack Overflow intermediate | The content discusses a Reflected XSS vulnerability discovered on Stack Overflow by @newp_th. This type of vulnerability occurs when user input is not properly sanitized and allows malicious scripts to be executed in a victim's browser. It is important for websites to implement proper input validation and output encoding to prevent such attacks. |
| 2018-06-26 2018 | How to identify whether XSS is reflected or DOM based? intermediate | The content provided is a title mentioning how to distinguish between reflected XSS and DOM-based XSS. It appears to be a Reddit post with 5 votes and 4 comments, but the actual details or methods for identifying the two types of XSS attacks are not included in the summary. |
| 2018-06-26 2018 | DOM XSS Intro beginner | The post titled "DOM XSS Intro" on Reddit has received 7 votes and 1 comment. It likely introduces readers to the concept of DOM-based Cross-Site Scripting (XSS), a type of security vulnerability. The post may provide information or discussion on how this vulnerability can be exploited in web applications. |
| 2018-06-26 2018 | Reflected XSS via AngularJS Template Injection | Hostinger intermediate | The content is about a potential security vulnerability called Reflected XSS via AngularJS Template Injection. It seems to be a post on Reddit with 5 votes and 2 comments. The main focus is likely on discussing the risks and implications of this type of security issue within AngularJS applications. |
| 2018-06-26 2018 | How I Found Stored XSS in Yahoo! intermediate | The content titled "How I Found Stored XSS in Yahoo!" has garnered 17 votes and 4 comments on Reddit. |
| 2018-06-26 2018 | What is XSS? Cross-site Scripting Explained beginner | The content is a Reddit post titled "What is XSS? Cross-site Scripting Explained" with 5 votes and 0 comments. It likely discusses the concept of Cross-site Scripting (XSS), a type of security vulnerability where attackers inject malicious scripts into web pages viewed by other users. The post may explain how XSS works, its impact on web security, and ways to prevent it. |
| 2018-06-26 2018 | Self-XSS + CSRF to Stored XSS intermediate CSRF | Renwa from Kurdistan is excited to share their first write-up on infosec and bug bounties. |
| 2018-06-26 2018 | The story behined the Strong XSS filter bypass! intermediate | The content provided is a title mentioning a strong XSS filter bypass. However, the content is incomplete as it only includes a greeting "Hi All" without any further information or details about the bypass. |
| 2018-06-26 2018 | Demonstrating Reflected versus DOM Based XSS intermediate | Tool demonstrating DOM-based XSS using OWASP Juice Shop, contrasting its exploitation with reflected XSS in Altoro Mutual. The resource provides a malicious server for proof-of-concept cookie theft and password recovery via JWT decoding and MD5 hashing. It highlights how DOM-based XSS bypasses browser and proxy protections, making it a more potent threat than reflected XSS for practical demonstrations. |
| 2018-06-15 2018 | How i converted SSRF TO XSS in jira. intermediate SSRF | The content discusses the author's interest in Bug Bounty programs, particularly focusing on finding security vulnerabilities like Server-Side Request Forgery (SSRF) and Cross-Site Scripting (XSS) in Jira. The author highlights their dedication to discovering new and intriguing vulnerabilities, continuously improving their reconnaissance skills. The main focus is on converting an SSRF vulnerability into an XSS vulnerability within the Jira platform. |
| 2018-06-14 2018 | Respect XSS beginner | Writeup detailing a cross-site scripting (XSS) vulnerability in Microsoft SharePoint, affecting both on-premises and online versions. The flaw leverages the "Follow Site" feature, where the `SiteName` GET parameter is reflected in JavaScript without proper encoding, allowing for payloads like `-confirm(document.domain)-`. This vulnerability was reported to Microsoft and resulted in a $2500 bounty. The writeup includes examples of vulnerable URLs and suggests Google dorking for identification. |
| 2018-06-13 2018 | How I found a stored XSS on thousands of webshops intermediate | The content discusses the discovery of a stored XSS vulnerability affecting thousands of webshops, which remains unresolved. |
| 2018-06-08 2018 | XSS using meta Tags intermediate | The content mentions an invitation to join a social platform that allows users to earn money by engaging with posts. |
| 2018-06-08 2018 | DEV XSS Protection bypass made my quickest bounty ever!! intermediate | Yeasir Arafat shares about a successful XSS attack that led to his quickest bounty ever. He highlights the importance of sharing knowledge and experiences in the cybersecurity community. |
| 2018-06-07 2018 | Paulos Yibelo - Blog: THE BIG BAD WOLF - XSS AND MAINTAINING ACCESS intermediate | Writeup exploring advanced XSS techniques beyond cookie theft, demonstrating how to maintain access and achieve lateral movement. It details exploiting application features like OAuth integrations and the Facebook Graph API Explorer to gain persistent, high-privilege access, even against targets with strong security mitigations like HTTPOnly cookies and CSP. The article highlights common web application misconfigurations that empower client-side attacks, including issues with password resets, session fixation, and service workers, and discusses how blind XSS can lead to RCE. |
| 2018-06-06 2018 | UltimateHackers/XSStrike: XSS Scanner equipped with powerful fuzzing engine intermediate | Library for detecting Cross Site Scripting (XSS) vulnerabilities. XSStrike features four parsers, an intelligent payload generator, a powerful fuzzing engine, and a fast crawler. It analyzes responses and crafts payloads based on context analysis and fuzzing, going beyond simple injection. Capabilities include reflected and DOM XSS scanning, WAF detection and evasion, and scanning for outdated JavaScript libraries. It integrates with tools like Photon, Zetanize, and Arjun. |
| 2018-06-05 2018 | Blind XSS for beginners beginner | The content discusses Blind XSS for beginners, addressing common questions like tool recommendations, registering in XSShunter, and techniques for exploitation. It highlights the interest in Blind XSS and the need for guidance on tools and procedures. |
| 2018-05-28 2018 | Blind XSS for beginners beginner | The content discusses Blind XSS for beginners, addressing common questions about tools, registration on XSShunter, and techniques like payload spraying. It highlights the interest and inquiries received via Twitter on these topics. |
| 2018-05-26 2018 | https://medium.com/bugbountywriteup/file-upload-xss-patched-83ea55bb9a55?source=userActivityShare-90814179aa21-1527302452 intermediate | The content discusses a bug bounty write-up detailing a file upload XSS vulnerability that was successfully patched. The author describes the discovery of the vulnerability, the impact it could have had, and the steps taken to responsibly disclose it to the affected party. The post highlights the importance of thorough security testing and responsible disclosure in the bug bounty community. |
| 2018-05-19 2018 | 900$ XSS in yahoo ( Recon Wins ) news | The content provided is too brief to summarize as it only includes a greeting without any additional information or context. |
| 2018-05-17 2018 | 7500$ worth DOM XSS in Facebook Mobile Site – Johns Simon – Medium intermediate | The content discusses a security researcher discovering a $7500 worth DOM-based Cross-Site Scripting (XSS) vulnerability in Facebook's mobile site while targeting Adobe's website for vulnerabilities. The researcher found that Adobe was using Facebook and Gmail logins for sign-ins, leading to the discovery of the XSS flaw. This vulnerability could potentially allow attackers to execute malicious scripts on the site. |
| 2018-05-07 2018 | XSS (Cross Site Scripting) Prevention Cheat Sheet - OWASP beginner | Reference for preventing XSS vulnerabilities, this cheat sheet details crucial defense techniques including output encoding and HTML sanitization. It addresses specific framework gaps in React, Angular, and others, emphasizing the importance of understanding framework behaviors and potential escape hatches like `dangerouslySetInnerHTML` and `bypassSecurityTrustAs*`. The document covers context-specific encoding for HTML, HTML attributes, JavaScript (using `\xHH` format), CSS (within property values), and URLs (using `%HH` format), recommending safe sinks like `.textContent`, `.setAttribute`, and `style.property = x` when applicable. → owasp.org |
| 2018-04-30 2018 | Steal CSRF/Auth/Unique key Header with XSS intermediate CSRF | The content is about stealing CSRF, authentication, or unique key headers using Cross-Site Scripting (XSS) attacks. It suggests a method to exploit vulnerabilities in web applications by injecting malicious scripts to intercept sensitive information. This technique allows attackers to bypass security measures and gain unauthorized access to user data or perform malicious actions. It highlights the importance of protecting against XSS attacks to safeguard sensitive information and prevent unauthorized access to web applications. |
| 2017-12-12 2017 | How to Write an XSS Cookie Stealer in JavaScript to Steal Passwords « Null intermediate | Library for creating XSS cookie stealers in JavaScript. This guide details constructing a script that injects JavaScript into a webpage to capture user cookies containing credentials. It demonstrates embedding JavaScript within HTML and using PHP on a controlled server to receive and log stolen cookie data, with a PHP test server setup for local verification. → null-byte.wonderhowto.com |
| 2017-12-02 2017 | Sniping Insecure Cookies with XSS intermediate | Writeup details how insecure cookie flags (missing `HttpOnly` and `Secure`) coupled with a Cross-Site Scripting (XSS) vulnerability on an accounting web application allowed for the theft of JWT session tokens. The analysis demonstrates that once captured via JavaScript, these tokens, sent in custom `X-AUTH-TOKEN` headers, could be used to impersonate users, including administrators, due to the JWT's structure and the lack of a server-side token invalidation mechanism. |
| 2017-12-02 2017 | bypassing htmlentities() - Paulos Yibelo - Blog intermediate | The content provided is a title mentioning bypassing htmlentities() by Paulos Yibelo on a blog. The title suggests that the blog post likely discusses a method or technique related to bypassing the htmlentities() function. It hints at a potential security or coding topic where the author may be sharing insights on how to circumvent or work around the htmlentities() function in web development or programming. |
| 2017-06-20 2017 | XSSer automated framework to detect, exploit and report XSS vulnerabilities beginner | XSSer is an automated framework designed to identify, exploit, and report XSS vulnerabilities. It includes tools like XSS Scanner and Vulnerability Scanner to detect and exploit XSS flaws. The framework also supports Hash Injection techniques. → gbhackers.com |
| 2017-04-08 2017 | XSSight - Automated XSS Scanner And Payload Injector - GBHackers On Securit beginner | XSSight is an automated tool that functions as both an XSS scanner and payload injector. It helps detect and exploit cross-site scripting vulnerabilities through payload injection. The tool is designed for vulnerability scanning and identifying XSS issues on websites. → gbhackers.com |
| 2017-03-31 2017 | HTML5 Security Cheatsheet beginner | The content provided is a title mentioning an "HTML5 Security Cheatsheet." It suggests that there may be a resource or guide available that focuses on security considerations specific to HTML5. The title implies that the cheatsheet may contain essential information, tips, or best practices related to securing HTML5 applications or websites. |
| 2017-03-07 2017 | How I Stole Plunker Session Tokens With Angular Expressions intermediate | Writeup detailing an Angular Expression Injection vulnerability in Plunker, where user input in the description field was evaluated by AngularJS. This allowed attackers to craft malicious expressions that could steal session IDs by redirecting requests to a custom endpoint containing the ID. The vulnerability was exploited by manipulating the `session.activeBuffer.content` to embed an `<img>` tag with the session ID as a URL parameter, effectively exfiltrating the token. Plunker fixed the issue by adding the `ng-non-bindable` directive to prevent expression evaluation. |
| 2017-03-07 2017 | XSS without HTML: Client-Side Template Injection with AngularJS : netsec intermediate | The Reddit post titled "XSS without HTML: Client-Side Template Injection with AngularJS" in the netsec subreddit has garnered 177 votes and 10 comments. The post likely discusses a security vulnerability related to AngularJS that allows for client-side template injection without the use of HTML, potentially leading to cross-site scripting (XSS) attacks. The content appears to be focused on raising awareness about this security issue within the AngularJS framework. |
| 2017-03-07 2017 | Angular Template Injection Payloads intermediate | Library of Angular template injection payloads, including techniques for exploiting versions 1.3.0 through 1.6.0. This resource details payloads utilizing JavaScript and SVG for code execution, such as `{{constructor.constructor('alert(1)')()}}`, `{{7*7}}`, and SVG `<animate>` tags with `javascript:alert(1)`. It also references specific Angular issues like #14939 and #11290. |
| 2017-03-07 2017 | PortSwigger Web Security Blog: Adapting AngularJS Payloads to Exploit Real intermediate | Writeup detailing techniques for adapting AngularJS template injection payloads to bypass filtering and encoding, specifically targeting Piwik and Uber. The article demonstrates exploiting Piwik's handling of referral queries and Uber's documentation site, showcasing payload adaptations using Unicode escapes, `concat` instead of `valueOf`, string manipulation via `toString` and array joins, and exploiting JavaScript sandbox limitations. It highlights successful exploitation against AngularJS versions 1.2.26 and 1.2.0, noting rapid patching by Uber. |
| 2017-03-07 2017 | PortSwigger Web Security Blog: XSS without HTML: Client-Side Template Injec intermediate | Library for detecting and exploiting Angular Template Injection vulnerabilities in AngularJS applications. It details how naive usage of the popular JavaScript framework can lead to Cross-Site Scripting (XSS) by enabling the execution of Angular expressions. The library covers the development of a sandbox escape technique, specifically for Angular versions 1.3.1+ and 1.4.0+, by backdooring the `String.fromCharCode` function using `Array.prototype.join` to inject arbitrary JavaScript, including a demonstration of bypassing the Angular sanitizer. |
| 2017-03-07 2017 | ng-owasp: OWASP Top 10 for AngularJS Applications intermediate | The content discusses the OWASP Top 10, a list of critical web application security risks, and how they apply to AngularJS applications. It explores security vulnerabilities specific to AngularJS, aiming to address and mitigate these risks. The focus is on understanding and implementing security measures to protect AngularJS applications from potential threats outlined in the OWASP Top 10 list. → slideshare.net |
| 2016-05-19 2016 | What is Cross-site Scripting and How Can You Fix it? beginner | Library summarizing Cross-Site Scripting (XSS) vulnerabilities, detailing common attack vectors like stored, reflected, and DOM-based XSS. It explains how unsanitized user input leads to JavaScript injection, enabling attackers to steal session cookies, deface websites, and perform actions like phishing and identity theft through techniques like payload injection via script tags and redirecting users to malicious URLs. → acunetix.com |
| 2016-02-10 2016 | Preventing XSS Attacks in ASP.NET MVC using ValidateInput and AllowHTML - C intermediate | The blog discusses preventing XSS (Cross-Site Scripting) attacks in ASP.NET MVC by utilizing the ValidateInput and AllowHTML features. It aims to provide insights on how to enhance security measures to mitigate XSS vulnerabilities in ASP.NET MVC applications. |
Frequently Asked Questions
- What are the three types of XSS?
- The three main types are Reflected XSS (payload delivered via a URL and immediately reflected in the response), Stored XSS (payload persisted in the application database and served to other users), and DOM-based XSS (payload executed entirely in the browser via client-side JavaScript without a server round-trip).
- How do you prevent cross-site scripting?
- Key defenses include output encoding (HTML, JavaScript, URL, and CSS contexts), Content Security Policy (CSP) headers, using frameworks that auto-escape by default (React, Angular), input validation, and the HttpOnly flag on session cookies to limit the impact of successful attacks.
- Why is XSS still so common?
- XSS persists because web applications have many injection points (URL parameters, form fields, headers, file uploads), developers must encode output correctly for every context, and modern JavaScript frameworks can be bypassed through dangerouslySetInnerHTML, template injection, or prototype pollution.