appsec.fyi

A somewhat curated list of links to various topics in application security.

Cross-Site Scripting (XSS)

$20000 Facebook DOM XSS
Top 500 Most Important XSS Script Cheat Sheet for Web Application Penetration Testing
Documenting the impossible: Unexploitable XSS labs
Uber Bug Bounty: Turning Self-XSS into Good-XSS
XSS Cheat Sheet
Open-redirect to Account Takeover.
Samesite by Default and What It Means for Bug Bounty Hunters
Get Reflected XSS within 3 minutes
Cross-Site Script Inclusion
TR | Steal CSRF Tokens with simple XSS
Testing for XSS (Like a KNOXSS)
CORS Enabled XSS
XSS in GMail’s AMP4Email via DOM Clobbering
Web Security Academy
Cross-site scripting
XSS HunterBETA
masatokinugawa/filterbypass
The misunderstood X-XSS-Protection
Winning Intigriti's XSS Challenge
File Upload XSS
hakluke/weaponised-XSS-payloads
Making XSS a bit more discoverable with KNOXSS
Show me thy XSS abilities, polyglot!
Cross Site Scripting (XSS) Payload Generator
Advanced Blind XSS Payloads
XSSed my way to 1000$
XSS in hidden input fields
Automating Discovery and Exploiting DOM (Client) XSS Vulnerabilities using Sboxr — Part 1
Automating Discovery and Exploiting DOM (Client) XSS Vulnerabilities using Sboxr — Part 3
A comprehensive tutorial on cross-site scripting
payloads
Redirecting
DOM-based XSS – The 3 Sinks
0xsobky/HackVault
swisskyrepo/PayloadsAllTheThings
XSS Payloads
The Real Impact of Cross-Site Scripting
Cross site scripting XSS
Cross Site Scripting ( XSS)
XSS Cheat Sheet
Google Assistant Bug Worth $3133.7 !
Hands On training | Google XSS Game
666 lines of XSS vectors, suitable for attacking an API
Reflected Client XSS at Amazon.com
Reflected XSS on Stack Overflow
How to identify whether XSS is reflected or DOM based?
DOM XSS Intro
Reflected XSS via AngularJS Template Injection | Hostinger
How I Found Stored XSS in Yahoo!
What is XSS? Cross-site Scripting Explained
Self-XSS + CSRF to Stored XSS
The story behined the Strong XSS filter bypass!
Demonstrating Reflected versus DOM Based XSS
How i converted SSRF TO XSS in jira.
Respect XSS
How I found a stored XSS on thousands of webshops
Compromising CMSes with XSS
XSS using meta Tags – Muhammad Ibraheem – Medium
DEV XSS Protection bypass made my quickest bounty ever!!
How I found an XSS vulnerability within the response field?
THE BIG BAD WOLF - XSS AND MAINTAINING ACCESS
XSS Challenge I
UltimateHackers/XSStrike
Calling Remote Script With Event Handlers
The 7 Main XSS Cases Everyone Should Know
Blind XSS for beginners
XSS and RCE
Blind XSS for beginners
File Upload XSS
900$ XSS in yahoo ( Recon Wins )
7500$ worth DOM XSS in Facebook Mobile Site – Johns Simon – Medium
XSS (Cross Site Scripting) Prevention Cheat Sheet
Steal CSRF/Auth/Unique key Header with XSS
Chaining Self XSS with UI Redressing is Leading to Session Hijacking (PWN users like a boss)
Stealing HttpOnly Cookie via XSS
How To: Write an XSS Cookie Stealer in JavaScript to Steal Passwords
Sniping Insecure Cookies with XSS
bypassing htmlentities()
Taking note: XSS to RCE in the Simplenote Electron client
XSStrike - Detect and exploit XSS vulnerabilites
XSS (Cross Site Scripting) Prevention Cheat Sheet
Rails Quiz: XSS Edition
XSSer – Automated Framework Tool to Detect and Exploit XSS vulnerabilities
mandatoryprogrammer/xssless
XSSight – Automated XSS Scanner And Payload Injector
HTML5 Security CheatsheetWhat your browser does when you look away...
Cross Site Scripting Payloads ≈ Packet Storm
Collection of Cross-Site Scripting (XSS) Payloads
How I Stole Plunker Session Tokens with an Angular Expression
XSS without HTML: Client-Side Template Injection with AngularJS
Angular Template Injection Payloads
Adapting AngularJS Payloads to Exploit Real World Applications
xss-polyglots
XSS without HTML: Client-Side Template Injection with AngularJS
ng-owasp: OWASP Top 10 for AngularJS Applications
Case Study of JavaScript Engine Vulnerabilities
Bypass XSS blacklist “<”, “>”, “&” input nvarchar
Accurate XSS Detection with BurpSuite and PhantomJS
Stealing passwords from McDonald's users