A somewhat curated list of links to various topics in application security.

Cross-Site Scripting (XSS)

The XSS hunter's secret weapon - Find, report and stay up to date on XSS vulnerabilities with BXSSHUNTER, a tool for professionals to discover cross-site scripting (XSS) vulnerabilities.
ssl/ezXSS - For a demo visit with password demo1234. Please note that some features might be disabled in the demo version.
Get Bounties with Blind XSS - Dirty Blind XSS framework is the most advanced framework, used by bug hunters and penetration testers to locate stored/blind XSS. It is mainly designed to find stored/blind XSS but is also very useful for finding other bugs like SSRF, blind HTML injection and blind XXE.
An unusual way to find XSS injection in one minute - Hi there! I think many developers have heard that you can't trust any user input, and that is indeed true. However, there are some places that are often overlooked, which lead to vulnerabilities. And one of those places is …… registration 🤔.
XSS Hunter Express - The fastest way to set up XSS Hunter to test and find blind cross-site scripting vulnerabilities. To set up XSS Hunter Express, modify the docker-compose.yaml file with your appropriate settings/passwords/etc.
Digging Deep Into DOM XSS - Okay, let's tackle this beast. As I am writing this, I'm trying to prepare you for what's coming, because this will not be easy at all. Burp Suite Pro makes it somewhat easier, but even then you still need to be able to interpret the scan results and exploit the vulnerability.
The Ultimate Guide to Finding and Escalating XSS Bugs - What is XSS? Cross-Site Scripting (XSS) is the most common vulnerability discovered on web applications. It occurs when an attacker is able to execute client-side JavaScript in another user's browser. XSS is a very interesting and dynamic bug class for a number of reasons.
QuickXSS - Bash script to automate XSS using Waybackurls, GF, GF Patterns and Dalfox. Install Go on your machine and then install the required tools.
Electron JS Browser To Find XSS Vulnerabilities Automatically - Install Node.js and npm (sudo apt install npm), then download this repo's files or git clone https://github.
Stored XSS in icloud.com - Hello guys, hope you are all doing well, fine and healthy during this hard time. I am Vishal Bharad, from India, working as a penetration tester. Today I am going to share how I found Stored Cross-Site Scripting (XSS) in
How JavaScript works: 5 types of XSS attacks + tips on preventing them - This is post #21 of the series, dedicated to exploring JavaScript and its building components.
Stealing User Information Via XSS Via Parameter Pollution - So, I was wandering and suddenly this tweet popped up in my news feed. Then I decided to give myself a new start as it's 2021 🎉. I logged in to my Bugcrowd account and picked a suitable target (on which I've found bugs in the past) according to my skills.
$20000 Facebook DOM XSS - "The window.postMessage() method safely enables cross-origin communication between Window objects; e.g., between a page and a pop-up that it spawned, or between a page and an iframe embedded within it." (Mozilla postMessage documentation)
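The postMessage bug class behind write-ups like the one above almost always comes down to a listener that never checks event.origin and then hands the message to an HTML sink. The following is an added example, not code from the Facebook write-up or from Mozilla: a vulnerable handler next to a hardened one, with a plain object standing in for a DOM element so it runs under Node. The trusted origin, the message schema (type/html/text) and both sample events are assumptions made for the example.

```javascript
// Added example (not from the linked write-up). Assumption: only this origin
// may drive the UI; an exact string compare is used, never a substring test.
const TRUSTED_ORIGIN = "https://app.example.com";

// Stand-in for a DOM element so the example runs without a browser.
function makeSink() {
  return { innerHTML: "", textContent: "" };
}

function parseMessage(data) {
  return typeof data === "string" ? JSON.parse(data) : data;
}

// Vulnerable pattern: no origin check, message content flows into innerHTML.
function vulnerableHandler(event, sink) {
  const msg = parseMessage(event.data);
  if (msg && msg.type === "render") {
    sink.innerHTML = msg.html; // DOM XSS sink: attacker markup gets parsed
    return "rendered";
  }
  return "ignored";
}

// Hardened pattern: origin allow-list, malformed/shape checks, text sink.
function hardenedHandler(event, sink) {
  if (event.origin !== TRUSTED_ORIGIN) return "rejected-origin";
  let msg;
  try {
    msg = parseMessage(event.data);
  } catch {
    return "rejected-malformed";
  }
  if (!msg || msg.type !== "render" || typeof msg.text !== "string") {
    return "rejected-schema";
  }
  sink.textContent = msg.text; // text sink: markup is displayed, never parsed
  return "rendered";
}

// Constructed events: one from an attacker's window, one from the trusted app.
const attackerEvent = {
  origin: "https://attacker.example",
  data: { type: "render", html: "<img src=x onerror=alert(document.domain)>" },
};
const trustedEvent = {
  origin: TRUSTED_ORIGIN,
  data: JSON.stringify({ type: "render", text: "<b>hello</b>" }),
};

function demo() {
  const a = makeSink(), b = makeSink(), c = makeSink();
  return {
    vulnerable: vulnerableHandler(attackerEvent, a),     // "rendered"
    hardenedAttacker: hardenedHandler(attackerEvent, b), // "rejected-origin"
    hardenedTrusted: hardenedHandler(trustedEvent, c),   // "rendered"
    leaked: a.innerHTML,                                  // payload landed in the sink
    shown: c.textContent,                                 // literal text only
  };
}
```

When hunting, the two things to grep for in a listener are the absence of an event.origin comparison and any sink (innerHTML, document.write, eval, location assignment) fed from event.data. On the sending side, a postMessage(data, "*") target origin is the mirror-image bug: the data goes to whatever window is there.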
Top 500 Most Important XSS Script Cheat Sheet for Web Application Penetration Testing - XSS is a very commonly exploited vulnerability type which is very widely spread and easily detectable. Here we are going to see the most important XSS cheat sheet. What is XSS (Cross Site Scripting)? An attacker can inject untrusted snippets of JavaScript into your application without validation.
Documenting the impossible: Unexploitable XSS labs (Gareth Heyes, @garethheyes) - Have you ever found some risky behavior but couldn't quite prove it was exploitable? Our XSS cheat sheet contains virtually every exploit technique we know of, but what should you do if you can't find a technique for your scenario? Did we just forget to mention
Uber Bug Bounty: Turning Self-XSS into Good-XSS - Now that the Uber bug bounty programme has launched publicly, I can publish some of my favourite submissions, which I've been itching to do over the past year. This is part one of maybe two or three posts.
XSS Cheat Sheet - This 32-page booklet includes 100+ cross-site scripting payloads and techniques with clear directions for several possible scenarios to help you with modern XSS. Sample here. Chapters: 1. Basics, 2. Advanced, 3. Bypass, 4. Exploiting, 5. Extra, 6. Brutal.
Open-redirect to Account Takeover - Hi everyone, this is my first write-up, about my first bug, and I want to share how I escalated an open redirect to account takeover. Let's go. This was the URL which redirects to the given page after login, but the issue was that if I pass to the next parameter it will redirect to google.
SameSite by Default and What It Means for Bug Bounty Hunters - You have probably heard of the SameSite attribute addition to HTTP cookies since Chrome 51 (and a specification thereafter). It was advertised as a CSRF killer. This attribute is going to be set by default for all cookies in Chrome 80 (February 4, 2020).
Get Reflected XSS within 3 minutes - Hi guys. I found XSS on 8x8 within 3 minutes and I want to share it step by step. I am writing these write-ups for beginners like me. I think I will learn more as I write and I love it. Descend as deep as you can.
Cross-Site Script Inclusion - Two key components account for finding vulnerabilities of a certain class: awareness of the vulnerability and ease of finding the vulnerability. Cross-Site Script Inclusion (XSSI) vulnerabilities are not mentioned in the de facto standard for public attention, the OWASP Top 10.
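XSSI is easy to miss because the leaky endpoint looks fine in the browser: the problem is only that an attacker's page can include it with a cross-site script tag and read what it defines. The block below is an added example, not from the linked XSSI article: constructed user data served in two leaky shapes (JSONP with a guessable callback, and a script that assigns a global) next to the same data behind a non-executable prefix, with Function() used as a stand-in for the browser executing the response as script. The user record, the callback name and the endpoint shapes are assumptions for the example; the ")]}'," prefix is the one several Google APIs use, but any prefix that makes the body a syntax error works.

```javascript
// Added example, not from the linked article. Constructed data for an
// authenticated "who am I" endpoint.
const user = { id: 42, email: "alice@example.com", csrfToken: "tok-abc123" };

// Leaky shape 1: JSONP with a fixed callback name the attacker can predict.
function jsonpResponse(obj, callbackName) {
  return `${callbackName}(${JSON.stringify(obj)});`;
}

// Leaky shape 2: a script resource that assigns the data to a global.
function globalAssignmentResponse(obj) {
  return `var currentUser = ${JSON.stringify(obj)};`;
}

// Defended shape: plain JSON behind a prefix that is a JavaScript syntax error,
// so a cross-site <script src=...> aborts before anything is defined.
const ANTI_XSSI_PREFIX = ")]}',\n";
function protectedResponse(obj) {
  return ANTI_XSSI_PREFIX + JSON.stringify(obj);
}

// Legitimate same-site client (fetch/XHR, not a script tag): strip and parse.
function parseProtected(body) {
  if (!body.startsWith(ANTI_XSSI_PREFIX)) throw new Error("missing anti-XSSI prefix");
  return JSON.parse(body.slice(ANTI_XSSI_PREFIX.length));
}

// Attacker's page: evaluate the response as script with the expected callback
// in scope, then read back any global it defined. Returns what leaked, or null.
function attackerLoad(body, callbackName = "callback") {
  let captured = null;
  const probe = body +
    "\n;return typeof currentUser !== 'undefined' ? currentUser : undefined;";
  try {
    const leakedGlobal = new Function(callbackName, probe)((data) => { captured = data; });
    if (leakedGlobal !== undefined) captured = leakedGlobal;
  } catch {
    // SyntaxError: the body is not executable as script, nothing leaks
  }
  return captured;
}
```

The prefix only closes the script-inclusion path; the endpoint should still refuse to serve the data without a non-simple request signal (a custom header, or a SameSite cookie), because a response the attacker can fetch with credentials is still a target for other confused-deputy tricks.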
Testing for XSS (Like a KNOXSS) - Testing for Cross-Site Scripting (XSS) might seem easy at first sight, with several hacking tools automating this process. But regardless of how tests to find an XSS are performed, automated or manual, here we will see a step-by-step procedure to try to find most of the XSS cases out there.
CORS Enabled XSS - Misconfigured CORS (Cross-Origin Resource Sharing) headers can't be abused to trigger JavaScript in a target website. But there's an interesting and useful way to use them in an existing XSS scenario. One-page websites, by their very nature, make heavy use of JavaScript.
XSS in GMail's AMP4Email via DOM Clobbering - This post is a write-up of an already-fixed XSS in AMP4Email I reported via the Google Vulnerability Reward Program in August 2019. The XSS is an example of real-world exploitation of a well-known browser issue called DOM Clobbering.
Cross-site scripting - Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users.
XSS Hunter - If this is how you hunt for Cross-Site Scripting (XSS)...
Browser's XSS Filter Bypass Cheat Sheet - Contents: XSS Auditor; the IE/Edge XSS filter. XSS Auditor: there is an XSS that lets you write arbitrary tags, https://bugs.
The misunderstood X-XSS-Protection - A few days ago, I made a poll on Twitter to see what people think is the worst setting for the XSS filter/auditor.
File Upload XSS - A file upload is a great opportunity to XSS an application. User-restricted areas with an uploaded profile picture are everywhere, providing more chances to find a developer's mistake. If it happens to be a self-XSS, just take a look at the previous post.
Weaponised XSS Payloads - XSS payloads designed to turn alert(1) into P1. In this repository you will find a bunch of JavaScript files which can be loaded into an XSS payload in order to perform sensitive functions on popular CMS platforms in the context of the victim's browser.
Show me thy XSS abilities, polyglot! - So it's 0045 EAT and I'm up reading the OWASP Testing Guide v4. I have always used OWASP as my appsec bible, but I have never gone through this whole book. And boy, how much wonder it packs. Anyway, looking back, I discovered a duplicate vulnerability on an XYZ platform (on HackerOne).
Cross Site Scripting (XSS) Payload Generator - This post will help you evade some of those tricky cross-site scripting restrictions with the help of a new tool I've pushed to our XSS Payloads repository.
Advanced Blind XSS Payloads - When auditing applications, sometimes context is lost and issues are missed. The same is true when looking for blind cross-site scripting (bXSS). Last year I blogged about AngularJS bXSS and how you can leverage AngularJS to execute JavaScript for you in a bXSS context.
XSSed my way to 1000$ - Hello guys, I recently encountered an amazing bypass on an endpoint of a program on Synack. Although the bug wasn't that hard to find, minimal programming knowledge helped me get over 1000$ on this program.
XSS in hidden input fields - At PortSwigger, we regularly run pre-release builds of Burp Suite against an internal testbed of popular web applications to make sure it's behaving properly. Whilst doing this recently, Liam found a Cross-Site Scripting (XSS) vulnerability in [REDACTED], inside a hidden input element:
Automating Discovery and Exploiting DOM (Client) XSS Vulnerabilities using Sboxr — Part 1 - This series of blog posts shows how you can identify DOM XSS issues using Sboxr on single-page or JavaScript-rich applications. As examples, we solved the 10 exercises at the DOM XSS playground at and created simple proof-of-concept exploits for the detected issues.
Automating Discovery and Exploiting DOM (Client) XSS Vulnerabilities using Sboxr — Part 3 - This is Part 3 of a series of blog posts showing how you can identify DOM XSS issues using Sboxr on single-page or JavaScript-rich applications. As examples, we solved the 10 exercises at the DOM XSS playground at and created simple proof-of-concept exploits for the detected issues.
Excess XSS: A comprehensive tutorial on cross-site scripting (Jakob Kallin and Irene Lobo Valbuena) - Part One: Overview. What is XSS? Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser.
payloads - Git All the Payloads! A collection of web attack payloads. Pull requests are welcome! Requests extracted from either packet captures or log files of capture the flag (CTF) events. Mostly raw data, so not all requests are actual payloads; however, requests should be deduplicated.
Into the Borg – SSRF inside Google production network - In March 2018, I reported an XSS in Google Caja, a tool to securely embed arbitrary HTML/JavaScript in a web page. In May 2018, after the XSS was fixed, I realised that Google Sites was using an unpatched version of Google Caja, so I looked at whether it was vulnerable to the XSS.
DOM-based XSS – The 3 Sinks - The most common type of XSS (Cross-Site Scripting) is source-based. It means that the injected JavaScript code comes from the server side to execute on the client side.
0xsobky/HackVault - When it comes to testing for cross-site scripting vulnerabilities (a.k.a. XSS), you're generally faced with a variety of injection contexts, each of which requires you to alter your injection payload so it suits the specific context at hand.
swisskyrepo/PayloadsAllTheThings
The Real Impact of Cross-Site Scripting - Cross-site scripting (XSS) is probably the most prevalent high-risk web application vulnerability nowadays, and yet it is still one of the most overlooked by developers and defenders alike.
Cross site scripting XSS (slides) - Overview: one of the most common application-layer web attacks. Commonly targets scripts embedded in a page which are executed on the client side rather than on the server side.
Cross Site Scripting (XSS) (slides) - XSS is a vulnerability which, when present in websites or web applications, allows malicious users (hackers) to insert their client-side code (normally JavaScript) into those web pages.
XSS Cheat Sheet
Google Assistant Bug Worth $3133.7! - Hi hackers! Long time no see. My college professor asked me to conduct a useful workshop for students. After a quick search, I settled on the workshop "Making apps using Google Assistant".
Hands On training | Google XSS Game - In a previous post, I talked about XSS, aka Cross Site Scripting. Hope you all have a basic knowledge now. In this post, I am giving you more information on XSS with hands-on training on the Google XSS Game. You can find a video on how to solve it at the bottom of the page.
666 lines of XSS vectors, suitable for attacking an API (Pastebin) - javascript:alert(1);javascript:alert(1);javascript:alert(1);
Reflected Client XSS at Amazon.com - Background: The last 2 months I've been trying to improve my frontend and backend skills by developing https://Scroll.
Reflected XSS on Stack Overflow - This is @newp_th. Today I want to share with you a reflected XSS which I found in Stack Overflow. While I was testing some other domain and doing spider activity in Burp Suite, I checked the Issues tab to see whether any issues had popped up.
How to identify whether XSS is reflected or DOM based? - You'd have to check the page source and see where your code is being executed. Compare the code the browser receives from the network with the code the browser displays after running scripts. Reflected XSS should be easy to find, but DOM XSS can be tricky sometimes.
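The comparison the answer above describes (wire response versus post-script DOM) can be scripted. What follows is an added example, not from the linked answer or the "3 Sinks" post: a classifier that takes the payload, the raw server body (what Burp's proxy history shows) and the rendered DOM (document.documentElement.outerHTML after scripts ran) and says whether the payload was reflected unencoded, reflected but entity-encoded, or placed only by client-side script. The four captures are constructed for the example, including the location.hash-to-innerHTML sink in the DOM case.

```javascript
// Added example (not from the linked Q&A). Minimal entity decoder; "&amp;" is
// handled last so "&amp;lt;" does not collapse to "<".
function htmlDecode(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(Number(d)))
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, "&");
}

// serverHtml: body as received on the wire. renderedHtml: DOM after scripts ran.
function classifyXss(payload, serverHtml, renderedHtml) {
  if (serverHtml.includes(payload)) return "reflected";          // server emitted it as markup
  if (htmlDecode(serverHtml).includes(payload)) return "reflected-encoded"; // server emitted it as text
  if (renderedHtml.includes(payload)) return "dom-based";        // only client script placed it
  return "not-reflected";
}

// Constructed captures for one payload.
const PAYLOAD = "<img src=x onerror=alert(1)>";
const SINK_SCRIPT =
  "<script>out.innerHTML=decodeURIComponent(location.hash.slice(1))</script>";

const serverReflected = `<html><body>Results for ${PAYLOAD}</body></html>`;
const serverEncoded =
  "<html><body>Results for &lt;img src=x onerror=alert(1)&gt;</body></html>";
const serverDomSink = `<html><body><div id=out></div>${SINK_SCRIPT}</body></html>`;
const renderedDomSink =
  `<html><body><div id="out">${PAYLOAD}</div>${SINK_SCRIPT}</body></html>`;

function demo() {
  return {
    reflected: classifyXss(PAYLOAD, serverReflected, serverReflected),
    encoded: classifyXss(PAYLOAD, serverEncoded, serverEncoded),
    dom: classifyXss(PAYLOAD, serverDomSink, renderedDomSink),
    none: classifyXss(PAYLOAD, serverDomSink, serverDomSink),
  };
}
```

The "reflected-encoded" result is the one worth a second look rather than a "not vulnerable" verdict: if page script later reads that text (textContent, a data attribute, a JSON blob) and writes it into innerHTML or similar, you have a DOM-based bug riding on a safe-looking reflection, and the source to trace is that read, not location.hash.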
DOM XSS Intro
Reflected XSS via AngularJS Template Injection | Hostinger
How I Found Stored XSS in Yahoo!
What is XSS? Cross-site Scripting Explained
Self-XSS + CSRF to Stored XSS - Hola, this is Renwa from Kurdistan. I'm glad to write my first write-up about infosec and bug bounties.
The story behind the strong XSS filter bypass! - Yeasir Arafat here again to share the latest finds. Sharing is caring!! Today's topic is bypassing XSS filters on a domain and hosting company that runs a public bug bounty program.
Demonstrating Reflected versus DOM Based XSS - Update April 2021: Some changes to the Heroku Juice Shop app have broken this demo. The script payload no longer works for Juice Shop; however, there are other XSS payloads that do work, such as payloads that use the onerror attribute of an img tag.
How I converted SSRF to XSS in Jira - Before I start: Acunetix does subdomain scans, so just set the timeout to 20 and you will get a really big list with banners and response headers (it does half of the work for you). Now, I went through lots of subdomains and was specifically looking for any Jira environment, and I found one.
Respect XSS - In a matter of a few minutes, I found 2 XSS issues in their web application and reported these (#130596 & #130733) via HackerOne. One of the XSS is still live. Open the following URL in the Firefox browser.
How I found a stored XSS on thousands of webshops - I'd like to share with you the story of how I found a common misconfiguration in IBM's WebSphere Commerce, which can lead to a very interesting stored cross-site scripting bug affecting all users of some high-traffic sites.
Compromising CMSes with XSS - CMSes (Content Management Systems) are a perfect target for XSS attacks: with their module installation features and the possibility of knowing beforehand all the requests made by a legitimate administrator of the system, it's pretty easy to mount a CSRF (Cross-Site Request Forgery) attack against him/her
XSS using meta Tags (Muhammad Ibraheem, Medium) - So I was invited by a friend to join a social website that helps people earn money by liking, sharing and updating posts. As a pentester, I thought, let's try to find some vulnerabilities. I found many vulnerabilities (mentioned at the end of the article).
DEV XSS Protection bypass made my quickest bounty ever!! - So, this time I was able to bypass the protection and also managed to get a bounty in a short time. I had got some cool swag and a little bounty from them before reporting this XSS to them :). I had found HTML injection in their public discussion. At that time I was able to inject a malicious script with HTML.
How I found an XSS vulnerability within the response field? - I have been frustrated for quite some time, not having found a new way to find vulnerabilities. I have been working on CSRF for quite some time now, but there is still a long way to go until I start finding some noteworthy bugs using that technique.
THE BIG BAD WOLF - XSS AND MAINTAINING ACCESS - And there we have it, ladies and gents: while we may not have the cookie, we can still get almost invisible access to an application, which we can query with full read/write privileges as the user.
XSS Challenge I - Some weeks ago, an XSS challenge was launched: the goal was to pop an alert(1) box in the latest Google Chrome at that time (version 53). The code was minified (collapsed into just one continuous line), which always brings interesting possibilities for handling input injections.
UltimateHackers/XSStrike - XSStrike is an advanced XSS detection suite. It has a powerful fuzzing engine and provides zero false-positive results using fuzzy matching. XSStrike is the first XSS scanner to generate its own payloads. It is intelligent enough to detect and break out of various contexts.
Calling Remote Script With Event Handlers - After a tester or attacker is able to pop an alert box, the next step is to call an external script to do whatever he/she wants with the victim. In scenarios where XSS is not possible with “ as a demonstration of such a vulnerability (PoC, proof of concept).
Blind XSS for beginners - What is Blind XSS? It is a type of stored XSS where the attacker's input is saved by the server and is reflected in a totally different application used by a system admin/team member.
XSS and RCE - RCE (Remote Code Execution) is a critical vulnerability which usually is the final goal of an attack. With code execution, it's possible to compromise servers, clients and entire networks.
File Upload XSS - The web application allows file upload, and I was able to upload a file containing HTML content. When HTML files are allowed, an XSS payload can be injected into the uploaded file, but this vulnerability will only work on Linux because Windows doesn't allow the tags in the file name.
900$ XSS in Yahoo (Recon Wins) - For those who expect a special bypass or XSS-related stuff, this is not about the XSS I found, which was an easy hit; this is about the recon I did and the help I got from KNOXSS to report this vulnerability to Yahoo.
7500$ worth DOM XSS in Facebook Mobile Site (Johns Simon, Medium) - I was recently targeting the Adobe website for any vulnerabilities. I came to know that they were using (Facebook/Gmail) login to sign in instantly. When I clicked "Sign in with Facebook", the Facebook app login page was loaded.
XSS (Cross Site Scripting) Prevention Cheat Sheet - This article provides a simple positive model for preventing XSS using output escaping/encoding properly. While there are a huge number of XSS attack vectors, following a few simple rules can completely defend against this serious attack.
Steal CSRF/Auth/Unique key Header with XSS - In fig. 1 you can see that there is a CSRF-token header present in the website. Now we are going to steal it. Below is the code which steals the token header and sends it to the attacker's server.
Chaining Self XSS with UI Redressing is Leading to Session Hijacking (PWN users like a boss) - But I had noticed that the application was not using the X-Frame-Options header, so I thought, let's check for clickjacking. And yeah! The application was vulnerable to clickjacking. Here is the clickjacking which is chained with self-XSS to grab the victim's cookies.
Stealing HttpOnly Cookie via XSS - It's very rare that I write about my findings, but I decided to share this, which may help you while writing PoCs.
How To: Write an XSS Cookie Stealer in JavaScript to Steal Passwords - JavaScript is one of the most common languages used on the web. It can automate and animate website components, manage website content, and carry out many other useful functions from within a web page.
Sniping Insecure Cookies with XSS - In this post I want to talk about the improper implementation of session tokens and how one XSS vulnerability can result in full compromise of a web application. The following analysis is based on an existing real-life web application.
bypassing htmlentities() - Well, I don't know how to break it down for you: you just can't break out of it (if the function is used properly and exactly where it should be). But most developers don't use it the right way, since it's like a norm for some developers not to use built-in functions properly.
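The prevention cheat sheet's core rule and the htmlentities() post make the same point from two sides: the encoder has to match the output context, and "used properly" means more than calling it. The block below is an added example (not from OWASP and not from the htmlentities() post) that makes the failure concrete in JavaScript. encodeCompat reproduces what htmlentities() does with ENT_COMPAT, PHP's default before 8.1: it encodes & < > and the double quote but leaves the single quote alone. Three constructed templates place the encoded value in a double-quoted, a single-quoted and an unquoted attribute, and a rough attribute parser reports whether an injected on* handler became a real attribute. The templates, payloads and parser are assumptions made for the example.

```javascript
// Added example, not from the linked pages. Mirrors htmlentities() with
// ENT_COMPAT (PHP default before 8.1): & < > " are encoded, ' is not.
function encodeCompat(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// OWASP rule for attribute values: encode everything outside [A-Za-z0-9]
// as &#xHH; so quote style (or its absence) no longer matters.
function encodeAttribute(s) {
  return s.replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16).padStart(2, "0")};`);
}

// Three ways a developer might place a value in an attribute (constructed).
const templates = {
  doubleQuoted: (v, enc) => `<input value="${enc(v)}">`,
  singleQuoted: (v, enc) => `<input value='${enc(v)}'>`,
  unquoted:     (v, enc) => `<input value=${enc(v)}>`,
};

// Rough parser: attribute names of the first tag, enough to show whether an
// injected on* handler was promoted from "value text" to "attribute".
function attributeNames(html) {
  const tag = html.match(/<\w+([^>]*)>/)[1];
  const re = /\s+([^\s=]+)(?:=(?:"[^"]*"|'[^']*'|[^\s>]*))?/g;
  const names = [];
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

function injectedHandler(html) {
  return attributeNames(html).some((n) => n.startsWith("on"));
}

// Payloads tailored to each context (constructed).
const payloads = {
  doubleQuoted: '" onfocus="alert(1)" autofocus="',
  singleQuoted: "' onfocus='alert(1)' autofocus='",
  unquoted:     "x onfocus=alert(1) autofocus",
};

// For each context: does the payload become an event handler under each encoder?
function compareEncoders() {
  const out = {};
  for (const [ctx, render] of Object.entries(templates)) {
    out[ctx] = {
      compat: injectedHandler(render(payloads[ctx], encodeCompat)),
      attribute: injectedHandler(render(payloads[ctx], encodeAttribute)),
    };
  }
  return out;
}
```

Read the result as a rule: the ENT_COMPAT encoder is only safe when the template itself double-quotes the attribute; the moment someone writes value='...' or value=..., the same "properly encoded" value breaks out. The attribute encoder survives all three, which is why the cheat sheet tells you to pick the encoder by context rather than by habit.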
Taking note: XSS to RCE in the Simplenote Electron client - Originally released in 2013, Electron is a framework for creating native desktop products with JavaScript, HTML, and CSS. Since then, companies such as Microsoft and Slack have built Electron into their development process.
XSStrike - Detect and exploit XSS vulnerabilities
Rails Quiz: XSS Edition - Cross-site scripting (XSS) is a type of computer security vulnerability that enables an attacker to inject code into a web page. When a user later visits that web page, the code is executed in that user's browser.
XSSer – Automated Web Pentesting Framework Tool to Detect and Exploit XSS vulnerabilities - XSS is a very commonly exploited vulnerability type which is very widely spread and easily detectable. An attacker can inject untrusted snippets of JavaScript into your application without validation.
mandatoryprogrammer/xssless - An automated XSS payload generator written in Python. This is an example XSS payload output (uncompressed) that parses CSRF tokens and uploads a binary, all via XSS!
XSSight – Automated XSS Scanner And Payload Injector - XSS is a very commonly exploited vulnerability type which is very widely spread and easily detectable. An attacker can inject untrusted snippets of JavaScript into your application without validation. This JavaScript is then executed by the victim who is visiting the target site.
HTML5 Security Cheatsheet - What your browser does when you look away...
Cross Site Scripting Payloads (Packet Storm)
Collection of Cross-Site Scripting (XSS) Payloads - Here is a compiled list of Cross-Site Scripting (XSS) payloads, 298 in total, from various sites. These payloads are great for fuzzing for both reflected and persistent XSS.
How I Stole Plunker Session Tokens with an Angular Expression - Recently I've been spending a lot of time looking into the vulnerabilities happening with some AngularJS implementations. The biggest problem being: mixing server-side templates with client-side templates.
XSS without HTML: Client-Side Template Injection with AngularJS (reader comment) - Great write-up, thanks. To prevent XSS, user-supplied input such as < or " must be encoded differently in your output depending on whether it's outside an HTML tag, inside a tag definition or part of an attribute value.
Angular Template Injection Payloads - 1.3.2 and below: {{7*7}} 'a'.constructor.fromCharCode=[].join; 'a'.constructor[0]='\u003ciframe onload=alert(/Backdoored/)\u003e'; {{ 'a'.constructor.prototype.charAt=[].join; $eval('x=""')+'' }} {{ 'a'.constructor.prototype.charAt=[].join; $eval('x=alert(1)')+'' }} {{constructor.
Adapting AngularJS Payloads to Exploit Real World Applications - Every experienced pentester knows there is a lot more to XSS than - filtering, encoding, browser quirks and WAFs all team up to keep things interesting. AngularJS Template Injection is no different.
xss-polyglots - A polyglot is a payload that can be used in more than one context and still be treated as valid data. To learn more about polyglots, check out this talk. The xss-polyglots package exports a function that returns an array of payloads.
XSS without HTML: Client-Side Template Injection with AngularJS - Abstract: Naive use of the extremely popular JavaScript framework AngularJS is exposing numerous websites to Angular Template Injection.
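The "mixing server-side templates with client-side templates" problem named in the Plunker post and in the PortSwigger research has a simple shape: the server HTML-encodes user input correctly, so no tag survives, but {{ and }} are not HTML-special and reach the browser intact, where AngularJS evaluates them as an expression. The following is an added example, not code from either write-up: a constructed server render that is HTML-safe yet still interpolated, the same render with the user text placed under ng-non-bindable (a real AngularJS directive that tells the compiler to skip an element), and a naive scanner that lists the interpolations Angular would still evaluate. The render functions and the scanner's handling of ng-non-bindable (no nested elements) are assumptions for the example.

```javascript
// Added example (not from the linked research). Standard HTML-context encoder.
function htmlEncode(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Constructed server render: correctly encoded for HTML, still vulnerable
// because the whole document is an AngularJS app and {{ }} survives encoding.
function renderVulnerable(query) {
  return `<html ng-app><body>You searched for ${htmlEncode(query)}</body></html>`;
}

// Mitigated: user-controlled text sits under ng-non-bindable so the Angular
// compiler never interpolates it. (Moving the ng-app root below the user
// content, or changing delimiters via $interpolateProvider, are alternatives.)
function renderMitigated(query) {
  return `<html ng-app><body>You searched for <span ng-non-bindable>${htmlEncode(query)}</span></body></html>`;
}

// Naive scanner: drop ng-non-bindable elements (same-tag, no nesting), then
// return every {{ expression }} the compiler would still evaluate. Entities in
// the expression are left as-is, which is fine for spotting a probe like 7*7.
function unboundInterpolations(html) {
  const stripped = html.replace(
    /<(\w+)[^>]*\bng-non-bindable\b[^>]*>[\s\S]*?<\/\1>/g, "");
  const found = [];
  const re = /\{\{([\s\S]*?)\}\}/g;
  let m;
  while ((m = re.exec(stripped)) !== null) found.push(m[1].trim());
  return found;
}

// The classic probe: if the page shows 49, the expression was evaluated.
function demo() {
  const probe = "{{7*7}}";
  return {
    vulnerable: unboundInterpolations(renderVulnerable(probe)),   // ["7*7"]
    mitigated: unboundInterpolations(renderMitigated(probe)),     // []
    encodedTags: renderVulnerable("<b>").includes("&lt;b&gt;"),   // true: HTML is safe
  };
}
```

The test in the field is the same probe: submit {{7*7}} where the value is reflected and look for 49 in the rendered page; which expression then escapes the sandbox depends on the AngularJS version, which is what the payload list above is indexed by.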
ng-owasp: OWASP Top 10 for AngularJS Applications
Case Study of JavaScript Engine Vulnerabilities - A table of V8 CVEs by feature, keywords and credit: CVE-2013-6632 (TypedArray; integer overflow, OOB; Pinkie Pie), CVE-2014-1705 (TypedArray; invalid array length, OOB; geohot), CVE-2014-3176 (Array.concat; side effect, OOB; lokihardt), CVE-2014-7927 (optimization, asm.
Bypass XSS blacklist "<", ">", "&" input nvarchar - I'm using some software that is blacklisting certain characters "<", ">", "&" for user-submitted values. It isn't HTML-encoding the values when displaying the submitted results (it outputs all submitted results in a table).
Accurate XSS Detection with BurpSuite and PhantomJS - Cross Site Scripting (XSS) attacks occur when output from an application is not properly encoded, allowing a malicious user to inject and execute JavaScript code within the target application.
Stealing passwords from McDonald's users - By abusing an insecure cryptographic storage vulnerability and a reflected server-side cross-site scripting vulnerability, it is possible to steal and decrypt the password of a McDonald's user.
Using Javascript in CSS - Is it possible to use JavaScript inside CSS? If it is, can you give a simple example?
Cross Site Scripting without special chars - I'm testing a web application and I found an XSS vulnerability. I can break a tag and inject some code into the application, but nothing potentially dangerous for the client.
Cross-site Scripting (XSS) - Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in the web browser of the victim by including malicious code in a legitimate web page or web application.
The XSS Sandbox
Preventing XSS Attacks in ASP.NET MVC using ValidateInput and AllowHTML - What is XSS? How can we prevent the same in MVC?