Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS occurs when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.
XSS remains one of the most prevalent web vulnerabilities, appearing in everything from search bars to user profile fields. The three main variants — Reflected, Stored, and DOM-based — each have distinct attack surfaces. Reflected XSS executes via a crafted URL, Stored XSS persists in the application's database and fires for every visitor, and DOM-based XSS exploits client-side JavaScript that unsafely handles user input without any server round-trip.
The impact of XSS extends well beyond simple alert boxes. Attackers leverage it for session hijacking, credential theft, keylogging, phishing overlays, and as a pivot point for deeper exploitation. In bug bounty programs, Stored XSS on authenticated pages consistently pays well because it can be chained into account takeover.
Modern defenses include Content Security Policy (CSP), output encoding, and frameworks that auto-escape by default — but bypasses are discovered regularly, making XSS a constantly evolving attack surface.
This page collects research, bypass techniques, payloads, and real-world writeups covering all forms of cross-site scripting.
From OWASP
| Date Added | Link | Excerpt |
|---|---|---|
| 2026-06-29 NEW 2026 | CVE-2026-13536: Reflected XSS Vulnerability in GotoHTTP Remote Access Platform (reg.12x Endpoint) Analysis and Mitigation intermediate | CVE-2026-13536: Reflected XSS Vulnerability in GotoHTTP Remote Access Platform (reg.12x Endpoint) Analysis and Mitigation https://ift.tt/NIqGlkb → rescana.com |
| 2026-06-25 NEW 2026 | CVE-2026-10086: High-Severity XSS Vulnerability in GitLab Enterprise Edition Analytics Dashboard Analysis Impact and Mitigation Steps news 3 min read | Analysis of CVE-2026-10086, a high-severity XSS vulnerability in GitLab Enterprise Edition's Analytics Dashboard, details how authenticated attackers can inject JavaScript. This vulnerability, CWE-79, allows for session hijacking and privilege escalation by executing code in user contexts. Patched versions include 19.1.1, 19.0.3, and 18.11.6. While not yet observed in the wild, prompt patching and log review are advised, with potential mitigation by restricting dashboard access. → rescana.com |
| 2026-06-24 NEW 2026 | Webmin Stored XSS Vulnerability Lets Attackers Exploit Root Users news | A stored cross-site scripting (XSS) vulnerability has been discovered in Webmin, a web-based system administration tool. This flaw allows attackers to inject malicious scripts into the application, which can then be executed by other users, including those with root privileges. Successful exploitation could lead to unauthorized actions on the server, data theft, or complete system compromise. Users are strongly advised to update their Webmin installations to patch this critical security issue. → gbhackers.com |
| 2026-06-24 NEW 2026 | Critical Webmin Stored XSS Vulnerability Lets Untrusted Users Exploit Root Accounts intermediate | Critical Webmin Stored XSS Vulnerability Lets Untrusted Users Exploit Root Accounts https://ift.tt/8gMoQkc → cyberpress.org |
| 2026-06-23 NEW 2026 | CVE-2026-25860 turn XSS to RCE intermediate RCE | CVE-2026-25860 turn XSS to RCE |
| 2026-06-23 NEW 2026 | Exploring WebExtension security vulnerabilities in React Developer Tools and Vue.js devtools intermediate 5 min read Bug Bounty | Writeup detailing WebExtension security vulnerabilities, including unverified external messages in React Developer Tools (CVE-2023-5654) allowing arbitrary URL fetching and unauthorized access to page capture APIs in Vue.js devtools (CVE-2023-5718) leading to screenshot data leakage. This research highlights risks inherent in the WebExtension architecture and its components, affecting cross-browser compatibility and user data. → snyk.io |
| 2026-06-22 NEW 2026 | Exploiting Auth0 Defaults in XSS Attacks - elttam intermediate 8 min read AuthN | Writeup detailing how XSS vulnerabilities in applications using Auth0 can be exploited. The article highlights the insecure implicit grant flow, enabled by default in Auth0, and demonstrates how it can be combined with other misconfigurations to pivot across tenant applications. Specifically, it shows how an attacker can leverage XSS to steal access tokens intended for a protected API, facilitating lateral movement within an Auth0 tenant. |
| 2026-06-21 2026 | Understanding and mitigating the Jinja2 XSS vulnerability (CVE-2024-22195) intermediate 3 min read Python | Reference detailing CVE-2024-22195, a cross-site scripting vulnerability in Jinja2 versions prior to 3.1.3. The vulnerability arises from the `xmlattr` filter when processing user input with spaces in keys, allowing attackers to inject arbitrary HTML attributes and potentially execute untrusted scripts. Mitigation involves upgrading to Jinja2 3.1.3 and utilizing tools like Snyk for continuous monitoring and detection of vulnerable dependencies in Python projects and Docker containers. → snyk.io |
| 2026-06-20 2026 | “Bug Bounty Bootcamp #48: OAuth + XSS ” intermediate AuthN Bug Bounty | This "Bug Bounty Bootcamp #48" article, titled "OAuth + XSS," explores a potent combination of vulnerabilities: OAuth and Cross-Site Scripting (XSS). The content suggests that by leveraging these two, attackers can achieve account takeovers, effectively describing it as an "ultimate account takeover one-two punch." The article is part of a series and can be found on InfoSec Write-ups. No specific bounty payout amount is mentioned. → infosecwriteups.com |
| 2026-06-19 2026 | Microsoft's Exchange Server Updates Fix OWA XSS Flaw news 2 min read | Library update for Microsoft Exchange Server addresses CVE‑2026‑42897, a cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA). This flaw allows remote attackers to execute malicious JavaScript by sending specially crafted emails. Updates are available for Exchange Server Subscription Edition, 2019, and 2016, with support requirements for older versions. Administrators should use the Exchange Health Checker script and install the latest cumulative and security updates. → petri.com |
| 2026-06-17 2026 | How to prevent log injection vulnerability in JavaScript and Node.js applications intermediate 6 min read | Library for preventing log injection vulnerabilities in JavaScript and Node.js applications, specifically detailing how attackers can manipulate input to inject malicious code into logs. It offers methods for sanitizing user inputs, using regex and libraries like validator.js, suggests careful consideration of what data to log, and recommends structured logging and specialized libraries such as pino over basic console.log. The entry also mentions the Snyk IDE extension for VS Code as a tool for detecting such vulnerabilities. → snyk.io |
| 2026-06-16 2026 | Automatically fix code vulnerabilities with AI intermediate 4 min read AI | Library for automatically fixing common security vulnerabilities, such as Cross-site Scripting (XSS) in Java applications, by leveraging a hybrid AI model. This tool, integrated into IDEs, goes beyond providing remediation advice by directly applying secure code fixes, exemplified in a Spring Boot application using the Thymeleaf template engine and the faker library. Unlike generative AI assistants that may introduce insecure code, this library uses a combination of generative AI, symbolic AI, and machine learning, trained on curated security research data, to ensure secure code generation. → snyk.io |
| 2026-06-14 2026 | MeshCentral: From XSS to RCE intermediate 8 min read RCE | Writeup detailing the exploitation of MeshCentral, moving from Cross-Site Scripting (XSS) to Remote Code Execution (RCE). The author demonstrates how an LLM, Claude Opus, was utilized to identify vulnerabilities and generate proof-of-concept exploits by analyzing the MeshCentral agent and server interactions. The process involved extracting agent credentials from local files to impersonate existing agents and ultimately achieve RCE, showcasing a practical application of AI in vulnerability research. |
| 2026-06-13 2026 | Six levels, one lesson: LLMs cannot keep a secret intermediate AI | GitHub's Secure Code Game Season 3, a six-level challenge, demonstrates that Large Language Models (LLMs) cannot keep secrets. The game involves prompt injection attacks against vulnerable AI assistants designed to hide information. Players craft attacks to extract these secrets, highlighting that system prompts are not a security measure. The content focuses on hands-on learning of AI security principles through this open-source, browser-based game. No bounty payout amounts are mentioned. → infosecwriteups.com |
| 2026-06-12 2026 | Chaining Stored XSS and CSRF in Typemill CMS: A Deep Dive into Attribute Injection intermediate CSRF | A security assessment of Typemill CMS uncovered a critical vulnerability chain combining Stored XSS and CSRF (CVE-2026–53468). An attacker can bypass frontend validation to inject malicious scripts into page metadata. This allows for the theft of admin sessions by exploiting attribute injection. This vulnerability impacts Typemill, a popular flat-file CMS built on PHP and the Slim framework, and poses a significant risk to its users. → infosecwriteups.com |
| 2026-06-10 2026 | Microsoft patches Exchange Server zero-day exploited in attacks news 2 min read | Patching advisory for CVE-2026-42897 details a critical spoofing vulnerability in Microsoft Exchange Server 2016, 2019, and SE. Exploitable remotely without privileges, it allows arbitrary JavaScript execution via specially crafted emails opened in Outlook Web Access. Microsoft urges immediate deployment of June 2026 Security Updates. CISA has added this actively exploited flaw to its known exploited vulnerabilities catalog, mandating swift patching for U.S. government agencies. → bleepingcomputer.com |
| 2026-06-08 2026 | Multiple VMware Stored XSS Flaw Enable Attackers to Inject Malicious Scripts news | VMware products are affected by multiple stored cross-site scripting (XSS) vulnerabilities. These flaws allow attackers to inject and execute malicious scripts within the affected applications. Successful exploitation could lead to various security risks, including session hijacking, data theft, and unauthorized actions on behalf of users. Users are advised to consult VMware's security advisories for specific product and version information and to apply any available patches or workarounds promptly to mitigate these risks. → gbhackers.com |
| 2026-06-08 2026 | Multiple VMware Stored XSS Vulnerabilities Allow Attackers to Inject Malicious Scripts news | VMware has addressed several stored cross-site scripting (XSS) vulnerabilities across its products. These flaws could enable attackers to inject malicious scripts into web applications, potentially leading to unauthorized access, data theft, or other harmful actions. The vulnerabilities were found in specific components of VMware's offerings, allowing for persistent script execution. Users are advised to update their VMware products to the latest versions to mitigate these security risks. The provided link offers detailed information on the affected products and the specific CVEs associated with these vulnerabilities. → cybersecuritynews.com |
| 2026-06-08 2026 | JavaScript Prototype Pollution Deep Dive : — Reconnaissance, Exploitation & Bug Bounty Guideline advanced RCE | This article provides a deep dive into JavaScript Prototype Pollution vulnerabilities, explaining the underlying prototype chain and its attack vectors. It covers reconnaissance methodologies, exploitation techniques ranging from XSS to Remote Code Execution (RCE), and real-world bug bounty case studies. The guide also delves into advanced exploit chains, tooling, automation, and defense strategies, offering a production-ready Python scanner. The content focuses on understanding and mitigating this complex JavaScript vulnerability. → infosecwriteups.com |
| 2026-06-08 2026 | From XSS to RCE (dompdf 0day) intermediate 10 min read RCE | Library for Remote Code Execution (RCE) in dompdf, a popular PHP library used for rendering PDFs from HTML. The vulnerability, identified as a 0-day by Positive Security, allows an attacker to inject CSS that tricks dompdf into caching a malicious font file with a `.php` extension. This file can then be executed remotely by accessing it from the web server. The exploit leverages the `$isRemoteEnabled` setting and the font caching mechanism within dompdf. |
| 2026-06-04 2026 | Cisco Webex Meetings Cross-Site Scripting Vulnerability (CVE-2026-20233) news | Writeup of CVE-2026-20233, a cross-site scripting (XSS) vulnerability in Cisco Webex Meetings. The flaw stemmed from insufficient user input validation, allowing an unauthenticated remote attacker to execute arbitrary script code or access sensitive browser information by tricking a user into clicking a malicious link. Cisco has resolved this issue in their cloud-based Webex Meetings service, requiring no customer action. → systemtek.co.uk |
| 2026-06-03 2026 | Zero-Click pretalx XSS Flaw Lets Hackers Hijack Conference Organizer Accounts intermediate 2 min read | Library for detecting stored XSS vulnerabilities, exemplified by CVE-2026-41241 in pretalx, which allows zero-click account hijacking. This flaw, exploitable with low privileges, bypasses Content Security Policies by leveraging chained exploits involving JavaScript payloads disguised as presentation materials and iframe `srcdoc` attributes. A secondary JavaScript-free technique demotes administrators via image tags in submission titles, triggering a superuser-demotion endpoint. Automated AI agents can weaponize this for mass exploitation across numerous conferences. → hackread.com |
| 2026-06-03 2026 | https://github.com/Armur-Ai/Pentest-Swarm-AI beginner 6 min read AI Recon | Library for advanced penetration testing utilizing a real swarm intelligence architecture. It coordinates independent agents via stigmergy and emergence, allowing them to coordinate by writing to and reading from a shared blackboard, rather than through a central planner. This approach enables emergent attack chains and dynamic agent interaction, supporting tools like nmap, sqlmap, Burp, ZAP, and Metasploit, and is compatible with LLMs such as Claude and Llama. |
| 2026-06-03 2026 | House committee chair calls on Instructure to testify in Canvas hack news 3 min read | Writeup on the Shiny Hunters attack on Instructure's Canvas platform, highlighting cross-site scripting (XSS) vulnerabilities exploited to hijack admin sessions and exfiltrate student data. The incident prompted a US House committee inquiry, emphasizing the continued relevance of foundational security flaws like input validation and output encoding in critical educational technology infrastructure, despite focus on novel AI threats. → scworld.com |
| 2026-05-28 2026 | CVE-2026-41241: Critical Stored XSS in Pretalx Conference Platform Allows Attackers 100% Talk Acceptance (Patched in 2026.1.0) news 5 min read | Writeup of CVE-2026-41241, a critical stored XSS vulnerability in Pretalx versions prior to 2026.1.0, allowing any registered user to compromise organizer accounts and force talk acceptance. Exploitation involves submitting a talk proposal with a crafted XSS payload in fields like title, speaker display name, or email, which executes when an organizer uses the backend search. The vulnerability stems from improper sanitization and unsafe `innerHTML` usage. Immediate upgrade to version 2026.1.0 is recommended. → rescana.com |
| 2026-05-20 2026 | CVE-2026-42897 Zero-Day Analysis: Microsoft Exchange Server OWA XSS Vulnerability Exploited in the Wild news 5 min read | Analysis of CVE-2026-42897 details a zero-day cross-site scripting (XSS) vulnerability affecting on-premises Microsoft Exchange Server 2016, 2019, and Subscription Edition. Actively exploited in the wild, this flaw in Outlook Web Access (OWA) allows attackers to execute arbitrary JavaScript, leading to session hijacking and credential theft. The analysis covers threat actor TTPs, exploitation evidence, and actionable mitigations like the Exchange Emergency Mitigation Service (EEMS) and the Exchange On-premises Mitigation Tool (EOMT), noting potential side effects such as the loss of OWA Print Calendar functionality. → rescana.com |
| 2026-05-19 2026 | Microsoft Exchange Zero-Day Under Attack No Patch Available news | Microsoft Exchange Zero-Day Under Attack, No Patch Available https://ift.tt/HM5e6fY → darkreading.com |
| 2026-05-18 2026 | Critical Microsoft Exchange Server Vulnerability Actively Exploited in Attacks news 2 min read | Writeup detailing CVE-2026-42897, a critical spoofing vulnerability in Microsoft Exchange Server exploited in the wild, impacting on-premises Outlook Web Access. Threat actors leverage this network-based flaw, characterized by improper input neutralization, to execute arbitrary JavaScript by sending specially crafted emails. This affects Exchange Server 2016, 2019, and Subscription Edition, enabling network-level spoofing and session hijacking. Temporary mitigations, including the Exchange Emergency Mitigation Service or manual tool execution, are advised despite minor functional side effects like calendar printing issues and inline image display problems, pending a permanent patch. → cybersecuritynews.com |
| 2026-05-17 2026 | Unpatched Microsoft Exchange Server vulnerability exploited (CVE-2026-42897) news | Microsoft Exchange Server is vulnerable to exploitation due to an unpatched security flaw, identified as CVE-2026-42897. Attackers can leverage this vulnerability, impacting systems that have not been updated. This poses a significant risk to organizations using Microsoft Exchange Server. Further details on the exploitation and its potential impact can be found via the provided link. → helpnetsecurity.com |
| 2026-05-15 2026 | Critical GitLab Vulnerabilities Enables XSS and Unauthenticated DoS Attacks news 2 min read | Library of emergency security updates for GitLab addresses multiple high-severity flaws including Cross-Site Scripting (XSS) via CVE-2026-7481 and CVE-2026-5297, and unauthenticated Denial-of-Service (DoS) via CVE-2026-1659 and CVE-2025-14870. These vulnerabilities, impacting self-hosted Community Edition and Enterprise Edition servers, allow for session hijacking, code repository manipulation, and disruption of CI/CD pipelines. Administrators must upgrade to versions 18.11.3, 18.10.6, or 18.9.7 to mitigate these risks. → cybersecuritynews.com |
| 2026-05-14 2026 | GitLab Security Flaw Allows Cross-Site Scripting and Unauthenticated DoS news 2 min read | Library update addressing 25 vulnerabilities in GitLab CE/EE, including four critical XSS flaws (CVSS 8.7) affecting Analytics, global search, and Duo Agent output, allowing authenticated attackers to hijack sessions. Three severe DoS vulnerabilities (CVSS 7.5) are also patched, enabling unauthenticated attacks via crafted requests to CI/CD, Duo Workflows, or internal APIs to crash servers. Additional fixes include CVE-2026-1322 (GraphQL authorization flaw), CSRF in JiraConnect, and bypasses for package protection rules. → gbhackers.com |
| 2026-05-12 2026 | Instructure confirms hackers used Canvas flaw to deface portals news 2 min read | Writeup on ShinyHunters exploiting cross-site scripting (XSS) vulnerabilities in Instructure's Canvas LMS. Attackers used these flaws to gain authenticated admin sessions, deface login portals with extortion messages, and exfiltrate over 3.6 terabytes of data. The attacks targeted the Free-for-Teacher environment, leading to temporary downtime and account closures. → bleepingcomputer.com |
| 2026-05-11 2026 | Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities news | Writeup on Cisco Identity Services Engine (ISE) stored cross-site scripting vulnerabilities, CVE-2025-20204 and CVE-2025-20205. These flaws stem from insufficient input validation in the web-based management interface, allowing authenticated attackers to inject malicious script code. Exploitation enables arbitrary script execution within the interface context or access to sensitive browser data, requiring administrative credentials. Cisco has released updates to address these issues. → systemtek.co.uk |
| 2026-05-09 2026 | Every Old Vulnerability Is Now an AI Vulnerability beginner | This article argues that as Artificial Intelligence (AI) systems become more integrated, traditional cybersecurity vulnerabilities are now also AI vulnerabilities. Existing exploits and weaknesses in software, hardware, and network infrastructure can be leveraged to target or compromise AI models. This means that the vast landscape of known security flaws presents a significant risk to AI systems, requiring a re-evaluation of security strategies to account for this expanded threat surface. → darkreading.com |
| 2026-05-03 2026 | Jenkins Patches High-Severity Plugin Flaws Including Path Traversal and Stored XSS news 2 min read | Library updates address seven Jenkins plugin vulnerabilities, including critical path traversal (CVE-2026-42520 in Credentials Binding Plugin) enabling arbitrary file writes and remote code execution, and two stored XSS flaws (CVE-2026-42523 in GitHub Plugin, CVE-2026-42524 in HTML Publisher Plugin) allowing JavaScript injection. Medium-severity issues in Script Security, Matrix Authorization Strategy, GitHub Branch Source, and Microsoft Entra ID plugins are also patched. → cybersecuritynews.com |
| 2026-05-03 2026 | 'Chaining vulnerabilities is the hallmark of a sophisticated attack': 750000 websites must be patched as Microsoft's popular open source Dotnetnuke CMS hit by an XSS flaw that allows attackers to hijack admin sessions and take over entire web servers news 2 min read | Library for securing DotNetNuke CMS, addressing CVE-2026-40321, a cross-site scripting (XSS) flaw. This vulnerability allows attackers to upload malicious SVG files, which, when clicked by an authenticated administrator, execute JavaScript, hijack sessions, and enable arbitrary file writes to the server via the `/API/personaBar/ConfigConsole/UpdateConfigFile` endpoint. This enables the creation of ASPX web shells for full server compromise, impacting over 750,000 websites built on the Microsoft-backed platform. |
| 2026-05-01 2026 | Jenkins Plugin Updates Fix Path Traversal and Stored XSS Bugs news 2 min read | Library updates for Jenkins address seven vulnerabilities, including critical path traversal (CVE-2026-42520) in the Credentials Binding Plugin, enabling arbitrary file writes and potential RCE. Stored XSS flaws are patched in the GitHub Plugin (CVE-2026-42523) and HTML Publisher Plugin (CVE-2026-42524), allowing script injection. Medium-severity issues like information disclosure via Script Security Plugin (CVE-2026-42519) and unsafe deserialization in Matrix Authorization Strategy Plugin (CVE-2026-42521) are also resolved, alongside unauthorized connection tests in GitHub Branch Source Plugin (CVE-2026-42522) and open redirects in Microsoft Entra ID Plugin (CVE-2026-42525). → gbhackers.com |
| 2026-04-30 2026 | Jenkins Patches High-Severity Plugin Vulnerability Including Path Traversal and Stored XSS news 2 min read | Library update patches Jenkins plugins for critical vulnerabilities including CVE-2026-42520 (path traversal leading to RCE in Credentials Binding Plugin), CVE-2026-42523 (stored XSS in GitHub Plugin), and CVE-2026-42524 (stored XSS in HTML Publisher Plugin). Patched versions and mitigation strategies are detailed for these high-severity flaws. → cyberpress.org |
| 2026-04-30 2026 | dr34mhacks/XSSNow: Find XSS payloads that actually work by filtering them based on real-world constraints instead of blind payload spraying. intermediate 2 min read | Library of curated XSS payloads, XSSNow aids researchers and bug bounty hunters by providing context-aware, defense-focused, and real-world tested payloads. It categorizes vulnerabilities by injection context, offers specific collections for WAF bypasses and encoding evasions, and suggests payloads optimized for character limitations and filters. The platform also details CSP bypass techniques and browser quirks, encouraging community contributions to its knowledge base of HTML injection, attribute breaking, JavaScript context, CSS injection, and URL parameter attacks. |
| 2026-04-24 2026 | Over 10000 Zimbra Servers Vulnerable to XSS Attacks news | Over 10,000 Zimbra Servers Vulnerable to XSS Attacks https://ift.tt/UNZfrVk → secnews.gr |
| 2026-04-24 2026 | Over 10000 Zimbra servers vulnerable to ongoing XSS attacks news 2 min read | Writeup of CVE-2025-48700, an ongoing XSS vulnerability impacting over 10,000 Zimbra Collaboration Suite instances. Exploitable by unauthenticated attackers, this flaw allows arbitrary JavaScript execution, enabling sensitive information access. Patched in June 2025, it has been actively abused in the wild, leading to CISA's inclusion in its Known Exploited Vulnerabilities Catalog and an order for Federal Civilian Executive Branch agencies to secure affected servers. Previous Zimbra vulnerabilities have also been exploited by APT28 and Russian Winter Vivern. → bleepingcomputer.com |
| 2026-04-22 2026 | Mass-Assignment to Stored XSS and CSP Bypass in a Chatbot Platform advanced | Mass-Assignment to Stored XSS and CSP Bypass in a Chatbot Platform |
| 2026-04-22 2026 | Full Disclosure: DOM-Based XSS And Failures In Bug Bounty Hunting beginner 8 min read | Writeup detailing a DOM-based XSS vulnerability discovered in a bug bounty hunt, where an insecure `eUrl` parameter on a login page allowed for dynamic resource loading from an attacker-controlled server. This flaw, combined with the absence of the HTTPOnly flag on the `ASPSESSIONID` cookie, enabled a one-click account takeover. The writeup emphasizes the importance of input validation, sanitization, allow-listing, CSP, and proper cookie flag implementation to mitigate such risks. |
| 2026-04-22 2026 | Cross-Site Scripting (XSS) Is Surging: 4 New CVEs This Week news 1 min read | Writeup of surging Cross-Site Scripting (XSS) vulnerabilities, detailing four new CVEs including CVE-2026-27243 with a CVSS score of 9.3. It highlights the increasing prevalence of XSS in SaaS environments, the limitations of automated scanners, and the need for regular testing of controls like WAFs and EDRs against current attack patterns, referencing n8n webhooks abused for malware delivery. |
| 2026-04-22 2026 | CVE-2025-26244: Stored XSS in DeimosC2 Leading to Privilege Escalation news 7 min read | Writeup detailing CVE-2025-26244, a stored cross-site scripting vulnerability in CyberOneSecurity's DeimosC2 v1.1.0-Beta. The writeup demonstrates how an attacker can register a malicious agent by reverse-engineering an agent binary to obtain listener details. This allows injection of an XSS payload into the 'graph' endpoint, which executes when a user views the graph. The stolen cookie then enables privilege escalation and unauthorized access to the C2 framework. |
| 2026-04-22 2026 | CVE-2025-25461: SeedDMS Stored XSS news | Writeup of CVE-2025-25461, a Stored XSS vulnerability in SeedDMS 6.0.29. Exploitable by users with "Add Category" permissions, an attacker can inject XSS payloads into category names, leading to execution when documents associated with that category are viewed. Potential impacts include session hijacking, data exfiltration, phishing, and remote code execution. Mitigation involves sanitizing user input, employing CSP, and proper output encoding. |
| 2026-04-22 2026 | Finding DOM Polyglot XSS in PayPal the Easy Way intermediate 6 min read | Library for discovering DOM-based polyglot XSS vulnerabilities. It details a process utilizing Burp Suite's embedded browser and DOM Invader to identify insecure sinks, specifically on PayPal. The library also demonstrates how to bypass Content Security Policy (CSP) by exploiting unintended script gadgets within the PayPal application, including leveraging older versions of Bootstrap and a custom `youtube.js` gadget to execute JavaScript. → portswigger.net |
| 2026-04-22 2026 | Cisco IOS XE Web Authentication Reflected XSS Advisory news | Cisco IOS XE Web Authentication Reflected XSS Advisory |
| 2026-04-22 2026 | CVE-2025-66412: Angular Stored XSS via SVG Animation and MathML Attributes news 2 min read | Writeup of CVE-2025-66412, an Angular Stored XSS vulnerability. The Angular Template Compiler's incomplete security schema allows bypassing sanitization for URL-holding attributes and SVG animation elements. Attackers can inject `javascript:` URLs into attributes like `xlink:href` or by manipulating the `attributeName` in SVG animations, leading to arbitrary code execution, session hijacking, and data exfiltration. Patches are available in Angular versions 19.2.17, 20.3.15, and 21.0.2. |
| 2026-04-22 2026 | CVE-2025-0133: PAN-OS Reflected XSS in GlobalProtect Gateway news 2 min read | Writeup detailing CVE-2025-0133, a reflected XSS vulnerability in Palo Alto Networks PAN-OS GlobalProtect gateway and portal. This flaw allows attackers to execute malicious JavaScript in a user's browser via crafted links, primarily posing a risk of phishing and credential theft, especially when Clientless VPN is enabled. Mitigation involves enabling Threat IDs 510003 and 510004 via Threat Prevention content version 8995, applying Vulnerability Protection profiles to security rules, or disabling Clientless VPN. |
| 2026-04-22 2026 | Synthesizing XSS Polyglots with Monte Carlo Tree Search (arXiv 2025) advanced | Synthesizing XSS Polyglots with Monte Carlo Tree Search (arXiv 2025) → arxiv.org |
| 2026-04-19 2026 | Bypassing Signature-Based XSS Filters: Modifying HTML intermediate 2 min read | Technique for bypassing signature-based XSS filters by modifying HTML syntax, demonstrating methods to obfuscate payloads. It explores variations in tag casing, insertion of NULL bytes and superfluous characters, use of alternative attribute delimiters like backticks, and HTML encoding within attribute values to evade detection. Examples are provided using DVWA and OWASP's Broken Web Application Project. → portswigger.net |
| 2026-04-19 2026 | Advanced XSS Filter Bypass Methods Using Payload Splitting advanced | Advanced XSS Filter Bypass Methods Using Payload Splitting |
| 2026-04-19 2026 | XSS Payload Bypass Technique: A Practical Guide intermediate 1 min read | Technique for bypassing XSS filters demonstrates obfuscation using mixed-case and redundant slashes to trigger `onfocus` events. Mitigation strategies include input sanitization with DOMPurify and implementing Content Security Policy (CSP). The article also provides Linux and Windows commands for auditing logs and scanning directories for vulnerable scripts, along with advanced payload encoding via `burp-decoder` or base64. → undercodetesting.com |
| 2026-04-19 2026 | Intigriti July 2025 XSS Challenge — Jorian Woltjer beginner 12 min read | Library for bypassing XSS filters, leveraging DOM clobbering and Mutation XSS techniques. It demonstrates how to exploit HTML parsing quirks, specifically "foster parenting" within table elements and "node flattening," to manipulate the DOM and override critical elements like `chat-messages`. The library also showcases a method to bypass Content Security Policy (CSP) by exploiting a Socket.IO polling endpoint, reflecting input in a way that allows JavaScript execution. |
| 2026-04-17 2026 | Multiple Cross-Site Scripting (XSS) Vulnerabilities in Mailcow news 7 min read | Library detailing three XSS vulnerabilities found in Mailcow, including a critical unauthenticated flaw affecting administrator accounts via Autodiscover logs (GHSA-f9xf-vc72-rcgm). Another XSS targets administrators through attachment filenames in the Quarantine feature (GHSA-2xjc-rg88-jvpp), and a Self-XSS in Login History is escalated via Login CSRF (GHSA-jprq-w83q-q62h). All issues have been fixed since version 2026-03b. → aikido.dev |
| 2026-04-16 2026 | Bypassing DOMPurify with Good Old XML advanced 5 min read | Writeup detailing DOMPurify bypasses found by exploiting parsing inconsistencies between XML and HTML for Processing Instructions (`<?...?>`) and CDATA sections (`<![CDATA[...]]>`). The first bypass leveraged the differing interpretation of Processing Instructions, allowing arbitrary `nodeName` injection. A subsequent bypass exploited how HTML parsers handle CDATA sections outside SVG/MathML, treating them as bogus comments ending with `>` instead of `]]>`. These vulnerabilities were addressed by updates to DOMPurify's node filtering. |
| 2026-04-16 2026 | Exploring the DOMPurify Library: Bypasses and Fixes intermediate 17 min read | Article detailing bypasses and fixes for the DOMPurify library, exploring how client-side HTML sanitizers work. It highlights vulnerabilities arising from inconsistent HTML parsing, namespace manipulations (e.g., SVG and MathML interactions), and deviations in handling nested element limits. Specific techniques like double parsing, the use of `<form>` element restrictions, and mutations exploiting HTML insertion modes and the stack of open elements are discussed, referencing bypasses like the one found in DOMPurify versions <= 3.1.0 by @IcesFont. |
| 2026-04-16 2026 | Content Security Policy Bypass Techniques Collection intermediate 8 min read | Collection of Content Security Policy (CSP) bypass techniques detailing directives like `script-src`, `default-src`, and `frame-ancestors`, and sources such as `'self'`, `'unsafe-inline'`, and `'unsafe-eval'`. This resource analyzes how CSP mitigates content injection like XSS, yet remains vulnerable to bypasses when misconfigured, highlighting the importance of thorough policy evaluation using tools like CSP Evaluator and CSP Validator. It provides practical examples of exploitable CSP configurations leading to script execution. |
| 2026-04-16 2026 | CSPBypass: Tool to Bypass Content Security Policies intermediate 2 min read | Tool for bypassing Content Security Policies (CSP) to exploit XSS vulnerabilities, CSPBypass helps ethical hackers find existing bypass gadgets or contribute new ones. It identifies CSP loopholes, often leveraging JSONP endpoints or JavaScript libraries on whitelisted domains, to execute JavaScript despite restrictive policies. The project encourages community contributions of new bypass techniques, with a dataset curated from Common Crawl for identifying commonly whitelisted domains. |
| 2026-04-16 2026 | PayloadsAllTheThings: XSS Injection Cheat Sheet beginner 11 min read | Cheatsheet of XSS injection techniques and payloads, covering methodology, proof of concept examples, and common injection vectors like HTML wrappers, PostMessage, blind XSS, and mutated XSS. It details payload strategies for capturing sensitive data such as cookies and access tokens, crafting fake login forms, keylogging, and exploiting DOM-based vulnerabilities. The resource also highlights effective payloads for modern applications, including sandbox domain contexts, and lists tools like XSSStrike, xsser, Dalfox, and XSpear for blind XSS detection. |
| 2026-04-16 2026 | Advanced XSS Exploitation: Bypassing CSP and DOM Sanitization advanced | Advanced XSS Exploitation: Bypassing CSP and DOM Sanitization |
| 2026-04-16 2026 | CVE-2025-63418: Weaponizing the Browser Console - DOM-based XSS Deep Dive advanced | CVE-2025-63418: Weaponizing the Browser Console - DOM-based XSS Deep Dive |
| 2026-04-16 2026 | bypassXSS: A Curated Collection of Advanced XSS Bypass Techniques advanced 1 min read | Collection of advanced XSS bypass techniques detailing filter types, encoding methods, DOM manipulation, HTML5 abuse, JavaScript context escapes, WAF strategies against Cloudflare and Akamai, framework-specific payloads for AngularJS and React, and CSP misconfigurations. It includes real-world bug bounty case studies and a payload repository for testing tools like DOMPurify and various WAFs. |
| 2026-04-16 2026 | Cross-Site Scripting (XSS) Practical CTF Guide intermediate | Cross-Site Scripting (XSS) Practical CTF Guide |
| 2026-04-10 2026 | Beyond XSS: Mutation XSS Explained beginner 7 min read | Writeup detailing mutation XSS (mXSS) techniques that exploit browser HTML parsing inconsistencies to bypass sanitizers like DOMPurify. It explains how malformed HTML within SVG and style tags can be mutated by browsers, leading to unexpected DOM structures that allow arbitrary code execution through attributes. The article references a specific DOMPurify vulnerability fixed in version 2.0.1. |
| 2026-04-10 2026 | CVE-2025-26791: DOMPurify Regular Expression Bug for mXSS news 3 min read | Writeup of CVE-2025-26791 detailing a mutation XSS (mXSS) vulnerability in DOMPurify (versions prior to 3.2.4). The flaw stems from an inadequate regular expression used to sanitize template literals within SVG elements, allowing attackers to craft payloads that bypass initial sanitization. Browsers can then mutate this input during rendering, executing malicious JavaScript, particularly affecting SVG desc and title tags. The vulnerability is exploitable in environments that use DOMPurify for user-supplied HTML and rely on its sanitization before rendering. |
| 2026-04-10 2026 | Bypassing DOMPurify Again with Mutation XSS intermediate 2 min read | Writeup detailing a bypass of DOMPurify using Mutation XSS (mXSS). The technique leverages HTML comments and specially crafted tags within a `<math>` element to achieve cross-site scripting. The bypass was initially found to work in Chrome by exploiting how DOMPurify handled mutations within text nodes, specifically by placing malicious code within an image's title attribute after an encoded comment. A subsequent bypass was discovered for Firefox, utilizing CDATA tags instead of HTML comments. The vectors are demonstrated using a custom mXSS tool and are relevant for bypassing HTML filters, with the Chrome vector patched in DOMPurify version 2.1. → portswigger.net |
| 2026-04-10 2026 | Penetration Testing of Electron-based Applications beginner 14 min read | Library for security testing and hardening Electron-based desktop applications, detailing real-world attack vectors and analysis techniques. It covers discovering bundled endpoints, extracting ASAR files, analyzing IPC channels, testing preload bridges, and validating update mechanisms. Techniques include checking dependency vulnerabilities with `npm audit`, inspecting `package.json` for entry points, and analyzing `webPreferences` like `nodeIntegration` and `contextIsolation` for potential XSS and RCE vulnerabilities. |
| 2026-04-10 2026 | DbGate Stored XSS to RCE in Electron (CVE-2026-34725) intermediate | DbGate Stored XSS to RCE in Electron (CVE-2026-34725) → advisories.gitlab.com |
| 2026-04-10 2026 | Intigriti Challenge 0226: Stored XSS & CSP Bypass intermediate | Intigriti Challenge 0226: Stored XSS & CSP Bypass |
| 2026-04-10 2026 | Content Security Policy Bypass Techniques and Security Tips intermediate 7 min read | Survey of Content Security Policy (CSP) bypass techniques, detailing common misconfigurations and exploitation scenarios. It explains CSP directives like `script-src`, `object-src`, `img-src`, and fetch values such as `'self'`, `'unsafe-inline'`, and `'unsafe-eval'`. The survey covers vulnerabilities arising from improper use of wildcards, missing directives, and the exploitation of JSONP endpoints, offering practical advice for strengthening CSP implementation against attacks like XSS. → vaadata.com |
| 2026-04-10 2026 | Advanced XSS: Bypassing Filters, CSP, and DOM-based XSS intermediate 24 min read | Library detailing advanced Cross-Site Scripting (XSS) techniques. It covers bypassing filters, Content Security Policy (CSP), and DOM-based XSS, including 2025 attack vectors, AI agent weaponization, polymorphic payloads, sanitizer bypasses, and advanced CSP evasion via CSS and cache. Specific techniques discussed include mutation XSS (mXSS), WebAssembly, Trusted Types, prompt-to-XSS, DOMPurify mutation XSS bypasses (CVE-2025-26791), nonce leakage, postMessage exploitation, Cross-Site WebSocket Hijacking (CSWSH), GraphQL injection to XSS, payload fragmentation, evolved DOM clobbering (CVE-2025-1647), Server-Sent Events (SSE) injection, and Console/DevTools XSS. |
| 2026-04-10 2026 | CSP Bypasses: Advanced Exploitation Guide advanced 9 min read | Guide detailing Content Security Policy (CSP) bypass techniques, focusing on how misconfigurations allow for XSS exploitation. It covers scenarios like missing CSP declarations, reporting-only modes, non-restrictive directives such as wildcards (`*`) and `unsafe-inline` in `script-src`, and leveraging third-party hosts. The guide references tools like Google CSP Evaluator and common CSP directives, emphasizing that CSP bypasses are typically report-worthy when chained with an actual vulnerability. → intigriti.com |
| 2026-04-10 2026 | Arista Firewall XSS to RCE Chain intermediate 5 min read | Writeup detailing the exploitation chain of CVE-2025-6980, CVE-2025-6979 (an XSS vulnerability), and CVE-2025-6978 against Arista Next Generation Firewalls. This chain allows for remote code execution by combining an XSS vulnerability that steals administrator credentials with a command injection flaw that grants root privileges, a vulnerability the vendor's patch did not fully remediate. Disabling the captive portal is suggested as a mitigation alongside upgrading to the patched software version. → bishopfox.com |
| 2026-04-10 2026 | From Stored XSS to Account Takeover intermediate | From Stored XSS to Account Takeover |
| 2026-04-10 2026 | Magento 2.3.1: Unauthenticated Stored XSS to RCE intermediate 6 min read | Library detailing an unauthenticated stored XSS vulnerability in Magento 2.3.1 that can be chained with authenticated PHAR deserialization for remote code execution. The exploit targets order cancellation notes and leverages an issue in the `escapeHtmlWithLinks()` sanitization method to inject malicious JavaScript. This payload, when triggered by an administrator, allows for session hijacking and subsequent exploitation of a PHAR deserialization flaw within the WYSIWYG editor's image rendering controller, enabling arbitrary code execution. |
| 2026-04-10 2026 | CVE-2025-52367: Stored XSS to RCE in PivotX CMS news | CVE-2025-52367: Stored XSS to RCE in PivotX CMS |
| 2026-04-10 2026 | BXSS Hunter: Blind XSS Scanner Tool intermediate | Tool for detecting blind Cross-Site Scripting (XSS) vulnerabilities by injecting custom payloads into headers and parameters. BxssHunter supports various HTTP methods (PUT, POST, GET, OPTIONS) and allows for payload injection into parameters or custom headers like X-Forwarded-For. It aids in finding vulnerabilities that execute asynchronously, often missed by standard scanners. |
| 2026-04-10 2026 | How to Find XSS Vulnerabilities: Practical Security Guide beginner 9 min read | Library detailing Cross-Site Scripting (XSS) vulnerabilities, covering reflected, stored, and DOM-based types. It provides practical techniques for manual and automated discovery, recommending tools like Dalfox, XSStrike, and xsshunter, alongside payload resources such as PayloadsAllTheThings and HackTricks. Specific examples include blind XSS in admin dashboards and stored XSS in GitLab wikis, emphasizing the use of polyglots and callback platforms for effective exploitation. → hackerone.com |
| 2026-04-10 2026 | Mastering Blind XSS: Real-World Techniques for High Bounties intermediate | Mastering Blind XSS: Real-World Techniques for High Bounties → infosecwriteups.com |
| 2026-04-10 2026 | Hunting for Blind XSS Vulnerabilities: A Complete Guide beginner 7 min read | Guide on hunting blind XSS vulnerabilities, this resource details techniques for identifying and exploiting these elusive injection flaws. It covers setting up necessary tooling, including XSSHunter, and provides a range of advanced payloads for injecting external scripts via SVG, image tags, input tags with autofocus, and JavaScript protocols, as well as bypassing Content Security Policy with base tags and exploiting AngularJS. The guide also highlights key areas to test, such as feedback forms and analytics engines. → intigriti.com |
| 2026-04-10 2026 | The Guide to Blind XSS: Advanced Techniques for Bug Bounty Hunters advanced | The Guide to Blind XSS: Advanced Techniques for Bug Bounty Hunters → bugcrowd.com |
| 2026-04-10 2026 | Frontend Security in 2025: Protecting Client-Side Code in React, Vue & More beginner 3 min read | Library of frontend security practices for 2025, addressing critical risks in React, Vue, and other stacks. It details common vulnerabilities like XSS, session leaks, and insecure token storage (localStorage, accessible cookies), advocating for HttpOnly, Secure, SameSite=Strict cookies. The library also covers rendering vulnerabilities, the importance of Content Security Policy (CSP) configurations, and other web security headers like X-Content-Type-Options and X-Frame-Options. It integrates security checks into CI/CD, suggests sanitization libraries like DOMPurify, and promotes secure architectural decisions. |
| 2026-04-10 2026 | Modern Frontend Security: Beyond XSS and CSRF in 2025 beginner | Modern Frontend Security: Beyond XSS and CSRF in 2025 |
| 2026-04-10 2026 | Cross-site Scripting (XSS) in vue-i18n (CVE-2025-53892) news 2 min read | Writeup on CVE-2025-53892, detailing a Cross-site Scripting (XSS) vulnerability in vue-i18n. This flaw allows attackers to execute arbitrary JavaScript by injecting malicious payloads into translation strings when `escapeParameterHtml` is set to `true`. Affected versions can be upgraded to 9.14.5, 10.0.8, 11.1.10, or higher to mitigate the risk. → security.snyk.io |
| 2026-04-10 2026 | XSS in 2025: Why It Still Matters and How to Defend Against It beginner | XSS in 2025: Why It Still Matters and How to Defend Against It |
| 2026-04-10 2026 | Why React Didn't Kill XSS: The New JavaScript Injection Playbook intermediate 4 min read | Guide detailing modern JavaScript injection techniques, including prototype pollution, supply chain compromises via packages like Polyfill.io, and AI prompt injection. It highlights how frameworks like React don't fully prevent XSS, demonstrating vulnerabilities with `dangerouslySetInnerHTML` and recommending context-aware encoding and tools like DOMPurify. The guide also touches on WebAssembly security considerations and emerging AI threats, offering a defense-in-depth approach for developers building secure applications. → thehackernews.com |
| 2026-04-10 2026 | Security Issues in Popular Full-Stack Frameworks beginner 2 min read | Survey of security issues found in full-stack JavaScript frameworks, including DOM clobbering in React and Vue, cross-site scripting in Next.js, Angular template injection, dependency abuse in UI components, and build-time exploits in Angular and Next.js. These vulnerabilities have been exploited in production and require application-level defenses such as sanitizing attributes, escaping server-rendered data, replacing abandoned third-party components, and monitoring build pipelines. |
| 2026-04-10 2026 | Beyond alert(1): Real XSS Dangers in React & Vue SPAs intermediate 9 min read | Library detailing real-world Cross-Site Scripting (XSS) dangers in React and Vue Single Page Applications (SPAs). It explains how these frameworks, despite default protections, introduce new attack vectors, particularly DOM-based XSS. The library highlights the risks of `dangerouslySetInnerHTML` in React, `v-html` in Vue, and the vulnerability of `localStorage` for storing authentication tokens like JWTs, leading to session hijacking and silent manipulation of displayed data through API exploitation. |
| 2026-04-10 2026 | XSS Payload Crafting and WAF Bypass: A Beginner-Friendly Guide beginner | XSS Payload Crafting and WAF Bypass: A Beginner-Friendly Guide |
| 2026-04-10 2026 | Bypassing WAFs for Fun and JS Injection with Parameter Pollution intermediate 10 min read | Tool for bypassing WAFs using ASP.NET's HTTP parameter pollution for JavaScript injection. This technique abuses how ASP.NET concatenates duplicate parameters with commas to construct valid JavaScript payloads that evade signature-based and machine learning WAFs by splitting malicious code across multiple parameters, exploiting inconsistencies in how WAFs parse parameters versus how the ASP.NET framework and JavaScript interpreter process them. |
| 2026-04-10 2026 | XSS Payload WAF Bypass: Advanced Techniques to Evade Microsoft's 2025 Security advanced | Technique for bypassing Microsoft's 2025 WAF using advanced XSS payloads. It details how double-encoded HTML entities like `&%2362;` evade single-layer WAF decoding, and explores using array dereferencing and indirect property access to bypass signature-based detection. The technique also leverages DOM-based triggers, such as `onchange`, as alternatives to commonly monitored events like `onclick`, for more stealthy execution. → undercodetesting.com |
| 2026-04-10 2026 | XSS Filter Evasion: How Attackers Bypass XSS Filters intermediate 15 min read | Technique for bypassing cross-site scripting (XSS) filters by exploiting browser parsing quirks and encoding methods. Attackers leverage HTML event handlers, JavaScript syntax variations, and malformed HTML to execute malicious scripts, as simple pattern matching and blacklisting prove insufficient. Techniques like URL encoding and HTML entity encoding are used to disguise payloads, making them undetectable by basic filters, and highlighting the necessity of layered security beyond just filtering. → acunetix.com |
| 2026-04-10 2026 | WAF XSS Bypass: Obfuscation and Encoding Techniques intermediate | Library of techniques for bypassing Web Application Firewalls (WAF) and obfuscating Cross-Site Scripting (XSS) payloads. It includes guides on common encoding and obfuscation methods to mask malicious content and lists various WAF bypass strategies with examples, detailing how attackers defeat WAF defenses. |
| 2026-04-10 2026 | WAF Bypass XSS Payloads Collection intermediate | WAF Bypass XSS Payloads Collection |
| 2026-04-10 2026 | CVE-2026-0594: Reflected XSS in WordPress news 9 min read | CVE-2026-0594 is a reflected XSS vulnerability in the WordPress "List Site Contributors" plugin. Attackers can inject malicious JavaScript through shortcode parameters or AJAX requests, leading to session hijacking, privilege escalation, or site defacement. This vulnerability affects plugin versions 1.0 through 1.2.3, is unauthenticated, and can be exploited via the network. |
| 2026-04-10 2026 | TrustyMon: Practical Detection of DOM-based XSS Using Trusted Types advanced | TrustyMon: Practical Detection of DOM-based XSS Using Trusted Types → dl.acm.org |
| 2026-04-10 2026 | CI4MS Stored DOM XSS via Menu Management (CVE-2026-34565) news 2 min read | Writeup detailing CVE-2026-34565, a critical stored DOM-based XSS in CI4MS versions prior to 0.31.0.0. Exploitation requires authenticated access to inject malicious scripts into navigation menus via the Menu Management functionality, which are then executed when rendered in administrative dashboards or public-facing menus. This vulnerability, with a CVSS score of 9.1, impacts the CI4MS CMS skeleton built on CodeIgniter 4. → thehackerwire.com |
| 2026-04-10 2026 | Homarr DOM-based XSS (CVE-2026-33510) news 2 min read | Writeup on CVE-2026-33510, a high-severity DOM-based XSS in Homarr (versions prior to 1.57.0). Exploitation involves crafting a malicious link that manipulates the `callbackUrl` parameter on the `/auth/login` page. This parameter is directly passed to client-side navigation functions like `redirect` and `router.push`, allowing attackers to execute arbitrary JavaScript within a victim's browser session. This can lead to credential theft, internal network pivoting, and unauthorized actions. → thehackerwire.com |
| 2026-04-10 2026 | CVE-2025-67906: MISP Stored XSS via Workflow Engine news 8 min read | Writeup of CVE-2025-67906 details a Stored Cross-Site Scripting (XSS) vulnerability in MISP versions up to 2.5.27, stemming from unsanitized workflow trigger names rendered via the doT.js template engine. An authenticated attacker can inject HTML/JavaScript into the `name` field of workflow triggers, which is then executed in the browser of any user viewing that workflow. This allows for session hijacking, data exfiltration, and credential harvesting, with payloads bypassing Content Security Policy by using `window.location` for data exfiltration. |
| 2026-04-10 2026 | How I Hacked a Web App Using Stored XSS to Steal Sessions intermediate 3 min read | Writeup detailing a stored XSS exploit against a web application, leading to admin session theft and account takeover. The exploit leveraged an unescaped bio field to inject JavaScript, targeting an admin who routinely reviewed user profiles. Crucially, the application lacked Content Security Policy, had non-HttpOnly cookies, and failed to properly encode user-generated content in support ticket comments and profile bios, allowing for critical vulnerabilities like performing admin actions and creating new admin accounts via alternative payloads. |
| 2026-04-10 2026 | 10 Practical Scenarios for XSS Attacks beginner 17 min read | Scenarios illustrate practical XSS attacks, detailing reflected, persistent, and DOM-based vulnerabilities. The content focuses on exploiting web applications, including techniques for session hijacking by stealing cookies via JavaScript payloads, and shows how to craft malicious payloads using examples like injecting `<script>alert(document.cookie)</script>` into vulnerable parameters within DVWA. |
| 2026-04-10 2026 | Reflected XSS: Advanced Exploitation Guide advanced 10 min read | Guide to hunting and exploiting reflected XSS vulnerabilities. This guide details a three-step methodology for identifying reflection points, testing for injection possibilities by breaking out of HTML or JavaScript contexts, and crafting proof-of-concept payloads. It covers generic HTML, HTML attribute, and JavaScript contexts, offering examples such as `<script>alert(1)</script>` and `<img src=x onerror=alert(1)>`, and explains how to handle filtered inputs. The resource also distinguishes reflected XSS from stored XSS and DOM-based XSS. → intigriti.com |
| 2026-04-10 2026 | Weaponizing Cross Site Scripting: When One Bug Isn't Enough advanced 4 min read | Technique guide detailing how Cross-Site Scripting (XSS) can be weaponized by chaining it with vulnerabilities like open redirects, CSRF, weak CSP, insecure JSON logging leading to account takeover, file upload flaws for RCE, abusing administrative functions, and improper `postMessage` usage causing token leakage. It emphasizes that XSS rarely exists in isolation and attackers combine multiple weaknesses to escalate impact, making layered defenses crucial. → microsoft.com |
| 2026-04-10 2026 | XSS Exploitation in 2025: Advanced Techniques, AI Integration, and Evasion Strategies advanced | XSS Exploitation in 2025: Advanced Techniques, AI Integration, and Evasion Strategies |
| 2026-04-10 2026 | XSS Attacks: From Basics to Advanced Post-Exploitation (2025 Edition) intermediate 22 min read | Library for mastering Cross-Site Scripting (XSS) attacks, covering fundamental concepts to advanced post-exploitation techniques. It details Stored XSS, Reflected XSS, and DOM-Based XSS, alongside manual and automated testing methods using tools like XSStrike, Dalfox, and KXSS. The guide explores filter bypasses, crafting advanced payloads, and exploitation scenarios including cookie stealing and session hijacking. It also addresses XSS prevention for developers, CSP bypasses, and integrating XSS with tools like BeEF for chained attacks. |
| 2026-04-10 2026 | Discovering and Exploiting XSS Vulnerabilities — My First Bug Hunting Reward beginner | Discovering and Exploiting XSS Vulnerabilities — My First Bug Hunting Reward |
| 2026-04-10 2026 | How I Found a Critical XSS On a Public Bug Bounty Program intermediate | How I Found a Critical XSS On a Public Bug Bounty Program |
| 2026-04-10 2026 | BugBounty Hunting for XSS in 2025 beginner | BugBounty Hunting for XSS in 2025 |
| 2026-04-10 2026 | Apple Developer Stored XSS — $5,000 Bounty Writeup intermediate | Apple Developer Stored XSS — $5,000 Bounty Writeup |
| 2026-04-06 2026 | Browser-Based Attacks in 2026: What Every Startup Needs to Know beginner 11 min read | Guide to 2026 browser-based attacks, detailing threats like ClickFix, AITM phishing (Tycoon 2FA), and malicious OAuth apps (ConsentFix). It highlights how these attacks bypass traditional security, exploiting user trust and evolving tactics to steal credentials and session tokens through methods like infostealer malware (LummaStealer) and compromised browser extensions. The guide also covers session hijacking, malicious file delivery, and the critical vulnerability of SaaS applications and internal tools to such exploits. |
| 2026-04-06 2026 | CVE-2025-1647: Bootstrap 3 XSS Vulnerability via DOM Clobbering news 6 min read | Writeup on CVE-2025-1647, a medium-severity XSS vulnerability in Bootstrap 3's Tooltip and Popover components. The flaw leverages DOM clobbering to bypass HTML sanitization, enabling script execution. Versions 3.4.1 through 3.x are affected, and due to Bootstrap 3 being end-of-life, HeroDevs offers NES for Bootstrap v3.4.7 as a remediated drop-in replacement, resolving this and other known Bootstrap 3 CVEs. |
| 2026-04-06 2026 | CVE-2026-32629: phpMyFAQ XSS Vulnerability news 4 min read | Writeup of CVE-2026-32629 in phpMyFAQ details a stored Cross-Site Scripting (XSS) vulnerability exploitable by unauthenticated attackers. Malicious HTML and JavaScript can be injected via crafted email addresses within RFC 5321 quoted local parts. This bypasses PHP validation and sanitization, leading to persistent XSS execution in admin sessions due to the unsafe use of Twig's `|raw` filter when rendering email addresses. Versions prior to 4.1.1 are affected. → sentinelone.com |
| 2026-04-06 2026 | Cross-site leaks (XS-Leaks) - Security - MDN Web Docs intermediate 10 min read | Guide to Cross-site Leaks (XS-Leaks), a class of attacks where an attacker's site derives information about a target site or user by leveraging web platform APIs. This guide details techniques such as leaking page existence via error events, frame counting using window references, and detecting redirects with Content Security Policy (CSP), illustrating how these attacks can reveal user login status or sensitive information. It explains the common underlying weaknesses that enable these exploits and offers general defenses against them. |
| 2026-04-06 2026 | Site-DOM-XSS using Cookie Injection: The AI Hackers are Coming intermediate | Site-DOM-XSS using Cookie Injection: The AI Hackers are Coming |
| 2026-04-03 2026 | Awesome Bug Bounty Writeups - Curated List by Bug Type beginner 19 min read Bug Bounty | Library of curated bug bounty writeups detailing successful exploitation of vulnerabilities including Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL injection, and Server-Side Request Forgery (SSRF). Entries cover specific bypass techniques for WAFs, filter evasion methods, and numerous real-world examples from major vendors like Google, Microsoft, Facebook, and Amazon, often detailing the path to account takeover or remote code execution. |
| 2026-04-03 2026 | XSS Exploit Payloads - DOM, Reflected, Stored, and WAF Bypass intermediate 33 min read | Library of curated, battle-tested Cross-Site Scripting (XSS) exploit payloads. This repository offers a collection of effective techniques for exploiting DOM-based, reflected, and stored XSS vulnerabilities, including various methods for bypassing Web Application Firewalls (WAFs). The payloads cover a range of attack vectors, such as JavaScript `prompt()`, `eval()`, and event handler exploitation within HTML elements like `<img>`, `<svg>`, and `<iframe>`. |
| 2026-04-03 2026 | Stored XSS Vulnerability WAF Bypass Writeup intermediate | Stored XSS Vulnerability WAF Bypass Writeup |
| 2026-04-03 2026 | Reflected XSS with WAF Bypass — A Creative Payload That Worked intermediate | Reflected XSS with WAF Bypass — A Creative Payload That Worked |
| 2026-04-03 2026 | DOM-Based XSS in Single Page Applications (SPAs): A Complete Guide intermediate | DOM-Based XSS in Single Page Applications (SPAs): A Complete Guide |
| 2026-04-03 2026 | The Ultimate Guide to Finding and Escalating XSS Bugs | Bugcrowd intermediate | The Ultimate Guide to Finding and Escalating XSS Bugs | Bugcrowd → bugcrowd.com |
| 2026-04-03 2026 | How a Cross-Site Scripting Vulnerability Led to Account Takeover | HackerOne intermediate 4 min read | Writeup detailing how a reflected XSS vulnerability on yelp.com, stemming from unescaped cookie values and a cookie parsing issue, enabled account takeovers. The vulnerability allowed for persistent XSS payloads, simulated credential theft via a keylogger, and facilitated linking external accounts. Remediation involved validating and sanitizing user input, and removing the ability to set cookies via query parameters. → hackerone.com |
| 2026-04-03 2026 | XSS Attacks & Exploitation: The Ultimate Guide | YesWeHack intermediate 12 min read | Guide to XSS attacks and exploitation, covering reflected, stored, and DOM variants. It details detection methods, exploitation techniques, and real-world scenarios, emphasizing why mastering XSS, CWE-79, is crucial for bug bounty hunters and ethical hackers. The guide explains how to leverage user input to inject malicious JavaScript, leading to session hijacking, account takeovers, and data exfiltration. It also explores chaining vulnerabilities like CSRF with authenticated reflected XSS for greater impact, and discusses payload obfuscation for stored XSS. → yeswehack.com |
| 2026-04-03 2026 | Cross-Site Scripting (XSS) Cheat Sheet - 2026 Edition | PortSwigger intermediate 16 min read | Cheatsheet detailing Cross-Site Scripting (XSS) vectors, regularly updated and featuring bypass techniques for WAFs and filters. It categorizes vectors by event handlers, tags, and browser compatibility, including proof-of-concept code for numerous scenarios such as JavaScript hoisting, file upload restrictions, and bypassing specific browser limitations with techniques like exception handling and template strings. → portswigger.net |
| 2026-03-30 2026 | Stored XSS Bug in Jira Work Management Could Lead to Full Organization Takeover news 2 min read | Writeup of a Stored XSS vulnerability in Jira Work Management, CVE-2024-XXXX, uncovered by Snapsec. A low-privileged Product Admin can exploit the "icon URL" property of custom issue priorities, which lacks input validation and output encoding, to inject a malicious script. This payload executes when a Super Admin views the priorities page, leading to an automated invitation of an attacker-controlled account with full organizational access, enabling complete takeover of Atlassian products. → cybersecuritynews.com |
| 2026-03-30 2026 | Stored XSS Flaw in Jira Work Management Could Enable Full Org Compromise news 3 min read | Writeup detailing a Stored XSS vulnerability in Atlassian Jira Work Management. Researchers discovered that a Product Admin can inject JavaScript into the custom issue priority's Icon URL field, as no backend validation or sanitization is performed. This allows attackers to persistently store malicious code that executes when administrators view the Issues settings page, potentially enabling full organization takeover by silently inviting attacker-controlled users. The writeup highlights the dangers of Stored XSS when combined with administrative workflows and the importance of robust backend validation and access control scrutiny. → cyberpress.org |
| 2026-03-30 2026 | Stored XSS Vulnerability in Jira Work Management Could Enable Full Organization Takeover news 2 min read | Writeup detailing a stored XSS vulnerability in Jira Work Management, allowing an attacker with Product Admin privileges to execute a full organization takeover. The flaw lies in the failure to validate inputs within the custom "Icon URL" property of issue priorities, enabling malicious JavaScript to be saved and executed when a Super Admin views the priorities configuration page. This leads to an automated system invitation for an attacker-controlled user with full Atlassian product access. → gbhackers.com |
| 2026-03-26 2026 | Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website news 2 min read | Library for securing AI browser extensions, this analysis details the ShadowPrompt vulnerability (CVE-2025-XXXX) in Anthropic's Claude Chrome Extension. The flaw exploited an overly permissive origin allowlist combined with a DOM-based XSS vulnerability in an Arkose Labs CAPTCHA component, enabling zero-click prompt injection and potential data theft. A patch has since been deployed. → thehackernews.com |
| 2026-03-26 2026 | CISA and FBI release secure-by-design guidelines on cross-site scripting beginner 3 min read | Alert from CISA and FBI providing secure-by-design guidelines to eliminate cross-site scripting (XSS) vulnerabilities. The alert details how XSS exploits user trust, enabling session hijacking, data theft, and malware installation, referencing past attacks like the ResumeLooters breach and the Fortnite incident. It advocates for proactive measures including input validation, output encoding, and Content Security Policies (CSP), aligning with broader secure-by-design principles for developers to build security into applications from inception. |
| 2026-03-21 2026 | PolyShell flaw exposes Magento and Adobe Commerce to file upload attacks news 2 min read | Library for identifying and mitigating the PolyShell vulnerability in Magento and Adobe Commerce REST APIs. This critical flaw allows unauthenticated attackers to upload executable files, potentially leading to RCE or account takeover. The vulnerability has existed since Magento 2's initial release and impacts versions up to 2.4.9-alpha2, with affected releases prior to 2.3.5 also susceptible to XSS. While a fix exists in the 2.4.9 pre-release, no standalone patch is available for production versions, necessitating real-time WAF blocking and strict server configurations to protect upload directories. → securityaffairs.com |
| 2026-03-20 2026 | Russian APT Exploits Zimbra XSS In GhostMail Attacks On Ukrainian Government news 2 min read | Writeup of Operation GhostMail, a campaign targeting the Ukrainian State Hydrology Agency by exploiting CVE-2025-66376, a stored XSS vulnerability in Zimbra Collaboration Suite. The attack, attributed to APT28, leverages specially crafted HTML tags to bypass Zimbra's AntiSamy filter and execute a JavaScript payload within the victim's browser, leading to data exfiltration via Zimbra's SOAP API and DNS queries. → cyberpress.org |
| 2026-03-20 2026 | Magento PolyShell Flaw Enables Unauthenticated Uploads RCE and Account Takeover intermediate 3 min read | Library for securing Magento, addressing the PolyShell vulnerability (CVE-2026-XXXX) that allows unauthenticated arbitrary file uploads to achieve RCE or account takeover. This critical flaw, affecting Magento Open Source and Adobe Commerce up to 2.4.9-alpha2, exploits the REST API's handling of custom options with file types by writing uploaded data to `pub/media/custom_options/quote/`. Exploitation involves disguised polyglot files that embed executable PHP code within image formats, leading to web shells and password-protected RCE shells. Mitigation strategies include restricting access to the upload directory and implementing web server rules to block access. → thehackernews.com |
| 2026-03-20 2026 | Russian APT Exploits Zimbra XSS to Target Ukrainian Government in Operation GhostMail news 3 min read | Writeup detailing Operation GhostMail, a Russian APT campaign targeting a Ukrainian government agency through a Zimbra XSS vulnerability (CVE-2025-66376). This attack, attributed to APT28, bypassed traditional indicators by embedding a base64-encoded JavaScript payload within an HTML email body, silently exfiltrating credentials, email archives, and enabling persistent access via app-specific passwords. The campaign exploited insufficient HTML sanitization in Zimbra Collaboration Suite versions prior to 10.0.18 and 10.1.13, using both HTTPS and DNS exfiltration channels. → cybersecuritynews.com |
| 2026-03-19 2026 | Russian APT targets Ukraine via Zimbra XSS flaw CVE-2025-66376 news 2 min read | Writeup of CVE-2025-66376, a stored XSS vulnerability in Zimbra Collaboration exploited by Russian APT groups targeting Ukraine. The flaw, with a CVSS score of 7.2, allowed attackers to execute scripts via specially crafted HTML emails, enabling credential theft, session token compromise, and mailbox data exfiltration. Nation-state actors, potentially APT28, leveraged this vulnerability, dubbed Operation GhostMail, to target entities including Ukraine's State Hydrology Agency. Synacor has since released patches, and CISA has added CVE-2025-66376 to its Known Exploited Vulnerabilities catalog. → securityaffairs.com |
| 2026-03-19 2026 | Russian APT Exploits Zimbra Vulnerability Against Ukraine news 2 min read | Writeup detailing CVE-2025-66376, a stored XSS vulnerability in Zimbra Collaboration's Classic UI, exploited by Russian APT28 (Forest Blizzard) in attacks against Ukraine. This flaw, addressable via CSS @import directives in email HTML, allows for credential theft, session token exfiltration, and mailbox data extraction. CISA has added this vulnerability to its KEV catalog, mandating patches for federal agencies. → securityweek.com |
| 2026-03-18 2026 | When HttpOnly Isnt Enough: Chaining XSS and GhostScript for Full RCE Compromise advanced 7 min read | Library for analyzing vulnerabilities in document processing applications, specifically detailing a chained attack that bypasses HttpOnly cookie protections via an unauthenticated XSS vulnerability. This XSS allows an attacker to steal an administrator's session cookie by exploiting a GWT RPC endpoint that reflects sensitive information. Further, the library demonstrates how to achieve Remote Code Execution by injecting commands into GhostScript rendering options, disabling its SAFER mode to execute arbitrary operating system commands. → securityboulevard.com |
| 2026-03-18 2026 | CISA orders feds to patch Zimbra XSS flaw exploited in attacks news 2 min read | Writeup of CVE-2025-66376, a stored cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite's Classic UI. Exploitable via malicious HTML emails, this flaw allows remote unauthenticated attackers to execute arbitrary JavaScript, potentially hijacking sessions and stealing data. CISA mandated federal agencies patch this actively exploited flaw, which has seen prior exploitation of Zimbra vulnerabilities by groups like Winter Vivern. → bleepingcomputer.com |
| 2026-03-17 2026 | Angular XSS Vulnerability Exposes Thousands of web Applications to XSS Attacks news 2 min read | Library concerning CVE-2026-32635, a critical XSS vulnerability in Angular's i18n handling within `@angular/compiler` and `@angular/core` packages. This flaw allows attackers to inject malicious scripts by binding unsanitized user input to localized sensitive attributes like `href`, `src`, and `data`, potentially leading to session hijacking and data exfiltration. Patches are available for specific versions, with updates recommended or manual sanitization using `DomSanitizer` for unpatched releases. → cybersecuritynews.com |
| 2026-03-17 2026 | Angular XSS Vulnerability Puts Thousands of Web Apps at Risk news 2 min read | Writeup on CVE-2026-32635, a high-severity cross-site scripting vulnerability in Angular's core framework and compiler components. The flaw, also identified as GHSA-g93w-mfhg-p222, arises from a bypass of Angular's sanitization mechanisms when internationalization attributes are used with security-sensitive HTML bindings like href, src, and formaction. This allows attackers to inject arbitrary JavaScript, leading to session hijacking, data exfiltration, and unauthorized actions. Affected Angular versions include 17 through 22 pre-release builds, with patches available for some but not older LTS branches. Developers should upgrade, avoid binding untrusted input to sensitive attributes with i18n attributes, or use DomSanitizer. → cyberpress.org |
| 2026-03-17 2026 | Angular XSS Vulnerability Threatens Thousands of Web Applications news 2 min read | Writeup of CVE-2026-32635, an XSS vulnerability in Angular affecting i18n attribute bindings, enabling script injection by bypassing sanitization when untrusted input is combined with i18n tags on sensitive attributes like `href` and `src`. Exploitation can lead to session hijacking and data exfiltration. Versions 17.0.0 through 22.0.0-next.2 are impacted; developers should update to patched versions or implement workarounds like blocking untrusted input and using `DomSanitizer`. → gbhackers.com |
| 2026-03-14 2026 | Persistent XSS/RCE using WebSockets in Storybooks dev server news 6 min read | Library of JavaScript code and examples addressing CVE-2026-27148, a high-severity WebSocket hijacking vulnerability in Storybook's dev server. This vulnerability can lead to persistent Cross-Site Scripting (XSS) and Remote Code Execution (RCE) by allowing attackers to inject malicious code into story files. Exploitation can occur via publicly exposed dev servers or through a malicious webpage visited by a developer running a local instance, potentially compromising credentials, system access, and network resources, and even propagating through version control and CI/CD pipelines. → aikido.dev |
| 2026-03-12 2026 | GitLab Security Update - Patch for XSS and API DoS Vulnerabilities news 2 min read | Library patch notes detail urgent updates for GitLab CE/EE addressing critical Cross-Site Scripting (XSS) and Denial-of-Service (DoS) vulnerabilities. The update, covering versions 18.9.2, 18.8.6, and 18.7.6, resolves issues including CVE-2026-1090 (XSS in Markdown), CVE-2026-1069 (DoS in GraphQL API), CVE-2025-13929 (DoS in repository archives), and CVE-2025-14513 (DoS in protected branches API). Administrators of self-managed instances should apply these patches immediately to mitigate risks. → cybersecuritynews.com |
| 2026-03-04 2026 | Critical XSS Vulnerability in Angular i18n Enables Malicious Code Execution news 1 min read | Writeup of CVE-2026-27970, a critical XSS vulnerability in Angular's i18n pipeline, enabling malicious JavaScript execution. Attackers can exploit this by compromising an application's translation files, particularly when embedded HTML within ICU messages isn't properly sanitized. Exploitation requires access to translation files and a lack of strong defenses like CSP or Trusted Types. Developers are urged to update to patched @angular/core versions to mitigate risks. → cybersecuritynews.com |
| 2026-03-03 2026 | Severe XSS Vulnerability in Angular i18n Enables Malicious Script Injection news 1 min read | Writeup of CVE-2026-27970, a severe XSS vulnerability in Angular's i18n system, allowing attackers to inject malicious JavaScript via tampered translation files (.xliff, .xtb). This flaw bypasses Angular's sanitization, enabling upstream supply-chain attacks that can lead to data theft or app sabotage. Recommendations include immediate patching to Angular versions 19.2.19 or later, manual vetting of translations, and implementing defenses like CSP headers, Trusted Types, and Angular's DomSanitizer. → cyberpress.org |
| 2026-03-03 2026 | Angular i18n Flaw Lets Hackers Execute Malicious Code via Critical XSS Vulnerability news 2 min read | Library advisory for CVE-2026-27970, a critical XSS vulnerability in Angular's i18n pipeline. Attackers can inject malicious JavaScript into compromised translation files (.xliff, .xtb), leading to credential exfiltration or page vandalism when rendered. Mitigation strategies include updating Angular, verifying translation content, implementing strict Content-Security Policy (CSP), and enabling Trusted Types. → gbhackers.com |
| 2026-02-28 2026 | Stored XSS Flaw in RustFS Console Leaks Admin S3 Credentials news 1 min read | Writeup on GHSA-v9fg-3cr2-277j, a stored XSS vulnerability in RustFS Console affecting versions before 1.0.0-alpha.82. Attackers can upload crafted HTML files disguised as PDFs to steal admin S3 credentials stored in localStorage via the preview modal, leading to full account takeover. The vulnerability exploits the lack of origin isolation and content-type validation. Mitigation involves upgrading RustFS, separating S3 and console origins, implementing Content-Security-Policy and X-Content-Type-Options headers, and server-side validation. → cyberpress.org |
| 2026-02-27 2026 | Stored XSS Vulnerability in RustFS Console Puts S3 Admin Credentials at Risk news 2 min read | Writeup of CVE-2026-27822, a critical Stored XSS vulnerability in RustFS Console, allowing attackers to steal S3 admin credentials from browser localStorage. Exploitation involves uploading a malicious HTML file disguised as a PDF, which executes JavaScript when previewed by an administrator. The flaw arises from improper response content type validation and the lack of origin separation between the console and S3 object delivery. Mitigation requires updating to version 1.0.0-alpha.83 or implementing origin separation and security headers like CSP and X-Content-Type-Options: nosniff. → gbhackers.com |
| 2026-02-26 2026 | Mozilla Releases Firefox 148 With New Sanitizer API to Block XSS Attacks news 2 min read | Library of standardized Sanitizer API introduced in Firefox 148, offering developers a built-in tool to combat Cross-Site Scripting (XSS) vulnerabilities. This API replaces the vulnerable `innerHTML` with a `setHTML()` method, parsing untrusted content and stripping dangerous elements like `<script>` and event attributes. Developers can define custom allowlists with `SanitizerOptions` and integrate it with Trusted Types for layered defense, providing immediate XSS protection with minimal code changes and negligible performance overhead. → cyberpress.org |
| 2026-02-26 2026 | Firefox 148 Released With Sanitizer API to Disable XSS Attack news 2 min read | Library introducing the Sanitizer API for Firefox 148, offering a standardized, effective method to prevent Cross-Site Scripting (XSS) attacks by converting potentially harmful HTML into safe alternatives. This API, implemented via the `setHTML()` method, provides an easier alternative to complex Content-Security-Policy (CSP) configurations and works synergistically with Trusted Types for enhanced protection against common web vulnerabilities. → cybersecuritynews.com |
| 2026-02-26 2026 | Firefox 148 Unveils New Sanitizer API to Mitigate XSS Attacks in Web Applications news 2 min read | Library introducing Firefox's new Sanitizer API, a built-in tool for mitigating XSS attacks by cleaning untrusted code before it enters web pages. This standardized API simplifies the process for developers by replacing the risky `innerHTML` method with `setHTML()`, offering configurable protection against malicious HTML injection, and can be combined with Trusted Types for enhanced security. → gbhackers.com |
| 2026-02-25 2026 | XSS Bug in VS Code Extension Exposed Local Files news 3 min read | Writeup on a cross-site scripting (XSS) vulnerability in the official Live Preview VS Code extension, impacting versions up to 0.4.16. This flaw allowed malicious websites to enumerate local files and exfiltrate sensitive data, including API keys and source code, by exploiting improper input sanitization in the extension's embedded HTTP server. Mitigation strategies include updating the extension, disabling non-essential plugins, implementing host firewalls, and utilizing secure secret management. → esecurityplanet.com |
| 2026-02-23 2026 | Multiple Zero-Day Flaws in PDF Platforms Enable XSS and One-Click Attacks news 2 min read | Research report on zero-day vulnerabilities in PDF platforms, specifically Foxit and Apryse, detailing 13 categories and 16 flaws discovered. The findings include critical XSS and OS command injection vulnerabilities, such as CVE-2025-70402 and CVE-2025-70400 in Apryse WebViewer, CVE-2025-70401 allowing script execution via PDF comments, and CVE-2025-66500 in Foxit web plugins. These flaws enable one-click attacks and command execution, highlighting trust boundary failures in modern PDF applications. → hackread.com |
| 2026-02-22 2026 | Jenkins Vulnerability Exposes Build Environments to XSS Attacks news | The content discusses a vulnerability in Jenkins that exposes build environments to cross-site scripting (XSS) attacks. This vulnerability can potentially allow attackers to inject malicious scripts into the Jenkins environment, compromising the security of the build process. It highlights the importance of addressing this vulnerability promptly to prevent exploitation and protect sensitive data. → secnews.gr |
| 2026-02-20 2026 | Critical Jenkins Flaw Exposes Build Environments to XSS Attacks news 1 min read | Library entry detailing CVEs in the Jenkins automation server, including a stored XSS vulnerability exploiting improperly escaped HTML descriptions for node offline causes. Attackers with low-level permissions can inject malicious scripts to steal data or hijack sessions. A secondary flaw allows build information leaks through Run Parameters. Updates to Jenkins 2.539+ and the application of Content Security Policy (CSP) mitigate the XSS, with immediate patching recommended. → gbhackers.com |
| 2026-02-20 2026 | Critical Jenkins Vulnerability Exposes Build Environments to XSS Attacks news 1 min read | Advisory detailing CVE-2026-27099, a high-severity stored XSS vulnerability in Jenkins Core affecting versions 2.550 and earlier, where unescaped HTML in offline cause descriptions allows malicious JavaScript injection. This critical flaw can compromise user sessions and build environments. A second medium-severity vulnerability, CVE-2026-27100, is also discussed, which allowed unauthorized access to build and job information via Run Parameter values. Updates to Jenkins 2.551 and LTS 2.541.2 are recommended to address these risks. → cybersecuritynews.com |
| 2026-02-18 2026 | Microsoft VS Code Extension with 11M Downloads Expose Developers to One-Click XSS Attacks news 2 min read | Writeup of a critical vulnerability in the VS Code Live Preview extension (versions < 0.4.16) that allows one-click XSS and local file exfiltration. Discovered by OX Security, the flaw enables malicious websites to enumerate local files and extract sensitive data like API keys by exploiting improper input handling in the extension's local development server. Microsoft patched the vulnerability, now addressed by an `escapeHTML` function in version 0.4.16. → cybersecuritynews.com |
| 2026-02-13 2026 | Zimbra Security Update - Patch for XSS XXE & LDAP Injection Vulnerabilities news 1 min read | Library update patches Zimbra Collaboration 10.1.16 for critical XSS, XXE, and LDAP injection vulnerabilities. The fixes include enhanced input validation for XSS, tightened XML parsing for XXE in EWS, and robust sanitization against LDAP injection. Additionally, this release restores PDF previews in Classic UI and strengthens CSRF protection, while also improving backup performance and adding new web application features. → cybersecuritynews.com |
| 2026-02-13 2026 | Critical Zimbra Vulnerabilities Fixed: XSS XXE and LDAP Injection Risks Mitigated news 1 min read | Writeup detailing critical vulnerabilities fixed in Zimbra 10.1.16, including Cross-Site Scripting (XSS) in Webmail and Briefcase, an authenticated LDAP injection flaw, and an XML External Entity (XXE) issue in the EWS SOAP endpoint. These high-severity flaws, similar to those found in VMware NSX and WordPress plugins, could lead to session hijacking, credential theft, data exfiltration, unauthorized directory access, and server-side request forgery. The update also addresses a medium-severity CSRF bypass. → cyberpress.org |
| 2026-02-13 2026 | Zimbra Issues Security Update to Address XSS XXE and LDAP Injection Flaws news 2 min read | Library update addressing XSS, XXE, and LDAP injection in Zimbra collaboration suite. Version 10.1.16 resolves Cross-Site Scripting in Webmail and Briefcase, authenticated LDAP injection by improving input sanitization, and XML External Entity flaws in the EWS SOAP endpoint. It also enforces proper token validation for CSRF protection. → gbhackers.com |
| 2026-02-11 2026 | FortiSandbox XSS Vulnerability Allows Remote Command Execution news 2 min read | Writeup detailing CVE-2025-52436, a reflected XSS vulnerability in FortiSandbox's web interface that allows unauthenticated remote command execution. Insufficient input sanitization enables attackers to inject malicious JavaScript, which, when rendered by a privileged user, can grant command-line access to the underlying system. Affected versions require prompt patching or migration, and mitigation strategies include access restrictions, WAF deployment, log monitoring, and incident response planning. → esecurityplanet.com |
| 2026-02-11 2026 | GitLab Patches Multiple Vulnerabilities That Enables DoS and Cross-site Scripting Attacks news 1 min read | Library patches address multiple GitLab vulnerabilities, including CVE-2025-7659 (CVSS 8.0) in the Web IDE allowing unauthenticated token theft and private repository access, DoS flaws CVE-2025-8099 and CVE-2026-0958 targeting GraphQL and JSON middleware respectively, and CVE-2025-14560 (CVSS 7.3) a Cross-Site Scripting vulnerability in the "Code Flow" feature. Updates for Community and Enterprise Editions are available in versions 18.8.4, 18.7.4, and 18.6.6. → cybersecuritynews.com |
| 2026-02-11 2026 | GitLab Patches Multiple Vulnerabilities Enabling DoS and Cross-Site Scripting Attacks news 1 min read | Patches address critical vulnerabilities in GitLab CE and EE versions 18.8.4, 18.7.4, and 18.6.6, including CVE-2025-7659 for unauthenticated token theft via the Web IDE, CVE-2025-8099 and CVE-2026-0958 for denial-of-service attacks via GraphQL introspection and middleware flaws, CVE-2025-14560 for cross-site scripting in Code Flow, and CVE-2026-0595 for HTML injection in test case titles. Additional DoS and SSRF vulnerabilities were also resolved. → cyberpress.org |
| 2026-02-11 2026 | GitLab Patches Multiple Vulnerabilities Enabling DoS and Cross-Site Scripting Attacks news 1 min read | Patches address critical GitLab vulnerabilities including CVE-2025-7659, an "Incomplete Validation" issue in Web IDE allowing unauthenticated token theft and repository access. Two Denial of Service flaws, CVE-2025-8099 impacting GraphQL introspection and CVE-2026-0958 related to middleware bypassing JSON validation, also receive fixes. Further patches resolve Cross-Site Scripting in Code Flow (CVE-2025-14560) and HTML Injection in test case titles (CVE-2026-0595), necessitating immediate upgrades for self-managed installations. → gbhackers.com |
| 2026-02-10 2026 | FortiSandbox XSS Vulnerability Let Attackers Run Arbitrary Commands news 1 min read | Analysis of CVE-2025-52436, a critical XSS vulnerability in FortiSandbox's GUI, allows unauthenticated attackers to achieve arbitrary command execution via crafted web requests. This improper neutralization of input during web page generation (CWE-79) escalates to RCE when a victim interacts with malicious content, enabling data exfiltration and lateral movement. Patches are available in FortiSandbox PaaS versions 4.4.8 and 5.0.5. → cybersecuritynews.com |
| 2026-02-06 2026 | DOM Invader beginner 1 min read | Tool for testing DOM XSS vulnerabilities, DOM Invader is an extension preinstalled in Burp's browser. It aids in identifying controllable sinks, logging and modifying `postMessage` calls for web message DOM XSS, and automatically detecting prototype pollution and DOM clobbering vulnerabilities. Its configurable nature allows for fine-tuning to suit various websites and use cases. → portswigger.net |
| 2026-02-06 2026 | bjrjk/js-vuln-studies: A collection of in-depth studies authored by me on JavaScript engine vulnerabilities. advanced | A collection of in-depth studies authored by me on JavaScript engine vulnerabilities. - bjrjk/js-vuln-studies |
| 2026-02-04 2026 | Foxit PDF Editor XSS Flaws Patched In February 2026 news 3 min read | Writeup of Foxit PDF Editor XSS vulnerabilities CVE-2026-1591 and CVE-2026-1592, which allow arbitrary JavaScript execution in user browsers by injecting payloads into file names or layer names. A related flaw, CVE-2025-65523 in Foxit eSign, also permits XSS via manipulated URL parameters. All issues are patched with improved input validation and output encoding. → thecyberexpress.com |
| 2026-02-03 2026 | Foxit PDF Editor Vulnerabilities Let Attackers Execute Arbitrary JavaScript news 2 min read | Writeup detailing CVE-2026-1591 and CVE-2026-1592, cross-site scripting vulnerabilities in Foxit PDF Editor Cloud's File Attachments list and Layers panel. These CWE-79 flaws, with a CVSS 3.0 score of 6.3, allow arbitrary JavaScript execution due to inadequate input sanitization and output encoding. Exploitation could lead to high confidentiality risks by accessing sensitive document and session data. Foxit has released patches, automatically deployed for Cloud users. → cybersecuritynews.com |
| 2026-02-03 2026 | Foxit PDF Editor Vulnerability Allows Attackers to Execute Arbitrary JavaScript news 2 min read | Writeup of CVE-2026-1591 and CVE-2026-1592 in Foxit PDF Editor Cloud, and CVE-2025-66523 in Foxit eSign, detailing cross-site scripting vulnerabilities that allow arbitrary JavaScript execution. These flaws arise from insufficient input validation and improper output encoding in file attachment and layer name fields, enabling attackers to steal session tokens, harvest sensitive data, or redirect users. Patches were released by Foxit Software in early 2026. → cyberpress.org |
| 2026-02-01 2026 | TrinetLayer advanced | A battle-tested TrinetLayer for vulnerability research, real-world exploit payloads, and modern attack techniques — crafted by hackers, trusted by hackers. |
| 2026-01-27 2026 | XSS in Live Preview Microsoft VS Code Extension with 11M Downloads news 4 min read | Writeup of an XSS vulnerability in the Microsoft VS Code Live Preview extension, affecting over 11 million users. The vulnerability allowed remote attackers to exfiltrate local files, including sensitive credentials and API keys, by exploiting the extension's embedded HTTP server. The issue, which enabled data exfiltration, was responsibly disclosed to Microsoft and patched in version 0.4.16. → ox.security |
| 2026-01-22 2026 | Testing for reflected XSS manually with Burp Suite intermediate 1 min read | Library for testing reflected XSS with Burp Suite's Repeater. This method involves identifying HTTP requests that reflect user input and then manipulating those requests to inject proof-of-concept XSS payloads. The technique focuses on input validation and server-side sanitization, utilizing Burp Repeater to directly modify requests and observe the immediate response for successful payload execution within HTML contexts, such as the example `alert()` function. → portswigger.net |
| 2026-01-21 2026 | Testing for stored XSS with Burp Suite intermediate 2 min read | Library for manually testing stored XSS vulnerabilities using Burp Suite. It details identifying input and output points by submitting unique values and filtering HTTP history, then using Repeater to send proof-of-concept payloads like `<script>alert(1)</script>` to test for execution. → portswigger.net |
| 2026-01-19 2026 | Bypassing XSS filters by enumerating permitted tags and attributes intermediate 2 min read | Tool for bypassing XSS filters by enumerating permitted HTML tags and attributes. Utilizing Burp Intruder, this method systematically tests potential tags and attributes that an application might allow, revealing which elements are not filtered. This technique is particularly useful when standard proof-of-concept XSS payloads fail, enabling the construction of effective XSS attacks against applications with input validation mechanisms. → portswigger.net |
| 2026-01-19 2026 | Critical XSS Vulnerability in StealC Malware Admin Panel Allows Researchers to Infiltrate and Monitor Threat Actor Operations news 5 min read | Writeup of a persistent XSS vulnerability in the StealC malware admin panel, version 2.0, which allowed researchers to infiltrate and monitor threat actor operations. Exploitation led to the exfiltration of session cookies and system fingerprints from operators like YouTubeTA, revealing their location and hardware. The flaw enabled the observation of live sessions, stolen data, and malware management, demonstrating that even criminal infrastructure is susceptible to common web application vulnerabilities. → rescana.com |
| 2026-01-19 2026 | TrinetLayer intermediate Bug Bounty | TrinetLayer is a proven tool used for vulnerability research, real-world exploit payloads, and modern attack techniques. It is created by hackers and is widely trusted within the hacker community for its effectiveness. |
| 2026-01-18 2026 | Account Takeover in Facebook mobile app due to usage of cryptographically unsecure random number generator and XSS in Facebook JS SDK intermediate 11 min read Mobile | Library for analyzing the Facebook JavaScript SDK, detailing how a DOM-based XSS vulnerability in the Customer Chat plugin, stemming from unescaped `iconSVG` injection, can be exploited. The exploit is made possible by an account takeover scenario facilitated by a weak cryptographic primitive: `Math.random()` used for generating callback identifiers, which are then exposed via `window.name` of plugin iframes and can be predicted after forcing reinitialization of the SDK. |
| 2026-01-17 2026 | Testing for DOM XSS with DOM Invader intermediate 1 min read | Tool for testing DOM-based XSS vulnerabilities, DOM Invader injects unique strings into untrusted data sources and identifies controllable sinks where data is written unsafely to the DOM. It simplifies manual JavaScript analysis by visualizing data flow, enabling testers to efficiently locate and exploit DOM XSS flaws within applications, particularly by analyzing `document.write` sinks and `location.search` sources. → portswigger.net |
| 2026-01-17 2026 | Critical XSS Vulnerabilities in Meta Conversion API Enable Zero-Click Account Takeover news 3 min read | Writeup detailing critical XSS vulnerabilities in Meta's Conversions API Gateway that enable zero-click account takeovers. Researchers discovered flaws in the client-side `capig-events.js` script, exploiting improper origin validation and CSP bypass techniques on Meta domains like facebook.com and meta.com. A second, more severe vulnerability in the backend code allows attackers to inject arbitrary JavaScript into the served `capig-events.js` file through unsafe string concatenation, affecting millions of third-party deployments of the open-source gateway and enabling widespread, silent compromise. → gbhackers.com |
| 2026-01-17 2026 | Exploiting XSS in Meta Conversion API for Zero-Click Account Takeover intermediate 3 min read | Writeup detailing zero-click account takeover via XSS in Meta's Conversion API Gateway. The flaws in the `capig-events.js` script allow attackers to exploit unvalidated `postMessage` origins and backend JavaScript string concatenation. Bypass techniques for CSP and COOP are discussed, alongside an Android WebView exploitation method leveraging `window.name` reuse. This vulnerability, present in potentially millions of third-party deployments, could allow attackers to inject arbitrary JavaScript by manipulating user-configurable parameters. → cyberpress.org |
| 2026-01-16 2026 | Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability (CVE-2026-20076) news 1 min read | Writeup of CVE-2026-20076, a stored cross-site scripting vulnerability in Cisco Identity Services Engine's web-based management interface. Exploitation requires administrative credentials and involves injecting malicious code into specific pages, allowing script execution or access to sensitive browser-based information. Cisco has released software updates to address this issue. → systemtek.co.uk |
| 2026-01-15 2026 | CISAs secure-software buying tool had a simple XSS vulnerability of its own news 2 min read | Writeup of a cross-site scripting (XSS) vulnerability in CISA's "Software Acquisition Guide: Supplier Response Web Tool." The flaw, discovered by OWASP former leader Jeff Williams, allowed for JavaScript injection and potential website defacement. While CISA addressed and patched the vulnerability, its discovery highlighted potential gaps in basic security testing for tools intended to promote secure software development. → cyberscoop.com |
| 2026-01-13 2026 | Lack of isolation in agentic browsers resurfaces old vulnerabilities intermediate 13 min read | Library for analyzing agentic browser security, detailing a threat model with four trust zones and four violation classes: INJECTION, CTX_IN, REV_CTX_IN, and CTX_OUT. It outlines real-world exploits like false information dissemination and session confusion, enabled by inadequate isolation and prompt injection vulnerabilities, resurfacing older web attack patterns such as XSS and CSRF. Recommendations focus on extending the Same-Origin Policy to AI agents. → securityboulevard.com |
| 2026-01-13 2026 | New Angular Vulnerability Enables an Attacker to Execute Malicious Payload news 1 min read | Library for Angular development, addressing CVE-2026-22610, a critical XSS vulnerability in the Template Compiler. This flaw allows attackers to execute arbitrary JavaScript by exploiting the sanitization schema's failure to properly validate `href` and `xlink:href` attributes in SVG `<script>` elements when used with dynamic property bindings. Exploitation can lead to session hijacking, data exfiltration, and unauthorized actions. Developers should update to patched Angular versions or, as a mitigation, avoid dynamic bindings with SVG script elements and implement strict server-side input validation. → cybersecuritynews.com |
| 2026-01-13 2026 | New Angular Vulnerability Enables Attackers to Execute Malicious Payloads news 1 min read | Writeup of CVE-2026-22610, a High severity XSS vulnerability in Angular’s Template Compiler allowing malicious JavaScript execution. The flaw stems from improper sanitization of href and xlink:href attributes within SVG script elements, enabling attackers to inject data URIs or external script URLs via template bindings. Exploitation requires specific preconditions, including the use of SVG script elements and untrusted data sources. Angular has released patched versions (19.2.18, 20.3.16, 21.0.7, 21.1.0-rc.0) to address this critical issue. → cyberpress.org |
| 2026-01-13 2026 | New Angular Vulnerability Allows Attackers to Execute Malicious Payloads news 1 min read | Library for patching CVE-2026-22610, a high severity XSS vulnerability in Angular’s Template Compiler that allows malicious JavaScript execution via improper sanitization of href attributes in SVG script elements. The flaw affects multiple Angular versions, with exploitation requiring specific preconditions. Patches are available, and alternative mitigation includes avoiding dynamic bindings on SVG script elements and implementing server-side input validation. → gbhackers.com |
| 2026-01-09 2026 | OWASP CRS Vulnerability Enables Charset Validation Bypass news 2 min read | Library update addresses CVE-2026-21876 in OWASP CRS, a critical vulnerability allowing charset validation bypass in WAFs. The flaw, affecting CRS 3.3.x and 4.0.0-4.21.0 across ModSecurity, Coraza, and libmodsecurity, enabled XSS and other encoding-based attacks by only validating the last multipart section's charset. The fix, implemented in CRS 4.22.0 and 3.3.8, now validates every detected charset to prevent bypass. → gbhackers.com |
| 2026-01-09 2026 | OWASP CRS Vulnerability Allows Attackers to Bypass Charset Validation news 2 min read | Writeup of CVE-2026-21876 in OWASP CRS, a CRITICAL vulnerability allowing attackers to bypass charset validation by exploiting ModSecurity's chained rule processing. The flaw, present in rule 922110, enables UTF-7 encoded XSS payloads by only validating the final multipart part of a request, leaving earlier, malicious parts uninspected. Patches are available in CRS 4.22.0 and CRS 3.3.8, addressing the bypass by validating all charset parameters. → cyberpress.org |
| 2026-01-04 2026 | XSSNow - The Ultimate XSS Payload Database beginner | The content provided is a link to XSSNow, which is described as the Ultimate XSS Payload Database. The website likely contains a comprehensive collection of cross-site scripting (XSS) payloads that can be used for testing and research purposes. XSS vulnerabilities are a common security issue on websites, and having access to a database of payloads can help security professionals and developers better understand and mitigate these risks. The link provided likely leads to a resource that can assist in testing and securing web applications against XSS attacks. |
| 2026-01-01 2026 | CVE-2025-23469 Impact Exploitability and Mitigation Steps news | The content discusses the CVE-2025-23469 vulnerability, focusing on its impact, exploitability, and mitigation steps. It provides insights into the potential consequences of the vulnerability, the likelihood of it being exploited, and steps that can be taken to mitigate the risks associated with it. The link provided directs to further details on the vulnerability in the Wiz vulnerability database. → wiz.io |
| 2025-12-23 2025 | Turning List-Unsubscribe into an SSRF/XSS Gadget intermediate 6 min read SSRF | Library detailing exploitation of the `List-Unsubscribe` SMTP header. This header, intended for email list management, can be abused to trigger Cross-Site Scripting (XSS) via JavaScript URIs, as demonstrated with Horde Webmail (CVE-2025-68673). It can also facilitate Server-Side Request Forgery (SSRF) when email clients initiate unsubscription requests server-side, exemplified by Nextcloud Mail App under specific configuration. |
| 2025-12-21 2025 | Roundcube Vulnerabilities Allow Attackers to Execute Malicious Scripts news 2 min read | Library updates for Roundcube webmail address two critical vulnerabilities in versions 1.6 and 1.5 LTS. A Cross-Site Scripting (XSS) flaw, exploitable via SVG's animate tag, allows script injection. An Information Disclosure vulnerability in the HTML style sanitizer enables bypass of security controls. These issues, discovered by "somerandomdev", could lead to stolen credentials, phishing, or access to sensitive data. Users should update to secure versions 1.6.12 or 1.5.12. → cyberpress.org |
| 2025-12-19 2025 | New Kibana Vulnerabilities Allow Attackers to Embed Malicious Scripts news 1 min read | Writeup of CVE-2025-68385 in Kibana, a critical XSS vulnerability impacting numerous 7.x, 8.x, and 9.x versions. This flaw, leveraging improper input neutralization within the Vega visualization component (CWE-79), allows authenticated attackers to inject and execute malicious scripts in users' browsers, potentially compromising sensitive data. Elastic has released patched versions to address this high-severity issue. → gbhackers.com |
| 2025-12-19 2025 | Roundcube Vulnerabilities Allow Attackers to Execute Malicious Scripts news 1 min read | Library for patching Roundcube Webmail to address critical Cross-Site Scripting (XSS) vulnerabilities in SVG handling and Information Disclosure flaws in HTML sanitization. These vulnerabilities, reported by researchers from CrowdStrike and somerandomdev, allow attackers to execute arbitrary JavaScript and bypass sanitization filters to steal sensitive data and session tokens, impacting versions 1.6 and 1.5 LTS. Patched versions 1.6.12 and 1.5.12 are available on GitHub. → cybersecuritynews.com |
| 2025-12-18 2025 | DeepChat AI agent XSS-to-RCE via Mermaid and Electron IPC news 4 min read | Writeup detailing CVE-2025-67744, a critical remote code execution vulnerability in DeepChat AI agent versions prior to 0.5.3. Exploiting a combination of unsafe Mermaid diagram rendering and direct Electron IPC exposure in the renderer context, an attacker can escalate from injected JavaScript to arbitrary command execution. This vulnerability highlights emerging risks in AI-driven desktop applications that ingest and render untrusted content. → securityboulevard.com |
| 2025-12-17 2025 | JS-Tap: Weaponizing JavaScript for Red Teams🔴 advanced | https://t.co/m2sW71WuH0 |
| 2025-12-16 2025 | XSS remains as top MITRE software weakness news | Analysis of MITRE's updated Common Weakness Enumeration Top 25 reveals cross-site scripting (XSS) as the leading software weakness for the second consecutive year. SQL injection and cross-site request forgery have climbed to second and third place respectively. New additions include buffer overflows and authorization bypass via user-controlled key, while weaknesses like improper privilege management have been removed. → scworld.com |
| 2025-12-11 2025 | GitLab Patches Multiple Vulnerabilities that Allows Attackers to Trigger XSS and DoS Attack news 1 min read | Patches for GitLab address ten vulnerabilities, including four high-severity flaws like cross-site scripting (XSS) in Wiki functionality (CVSS 8.7), improper encoding in vulnerability reports (CVSS 8.7), XSS in Swagger UI (CVSS 8.0), and a GraphQL denial-of-service (DoS) issue (CVSS 7.5). Other identified risks involve authentication bypass and DoS vulnerabilities targeting ExifTool, the Commit API, and GraphQL endpoints. Affected versions range from pre-18.4.6, 18.5.x before 18.5.4, and 18.6.x before 18.6.2. → cybersecuritynews.com |
| 2025-12-11 2025 | CVE-2025-10573: Ivanti EPM Unauth Stored XSS Fixed news 2 min read | Writeup on CVE-2025-10573 details an unauthenticated stored cross-site scripting vulnerability in Ivanti Endpoint Manager (EPM). An attacker can inject malicious JavaScript via crafted POST requests to `postcgi.exe`, leading to session hijacking when displayed in the management console. The vulnerability, tracked as CVE-2025-10573 with a CVSS score of 9.6, is addressed by Ivanti EPM version 2024 SU4 SR1. The writeup includes an attack narrative and regression test script using `curl` to demonstrate the exploitation and expected SIEM alert generation. → socprime.com |
| 2025-12-10 2025 | Critical Ivanti EPM Vulnerability Allows Admin Session Hijacking via Stored XSS news 1 min read | Writeup of CVE-2025-10573, a critical stored XSS vulnerability in Ivanti Endpoint Manager allowing unauthenticated administrator session hijacking. Exploitable via the `/incomingdata/postcgi.exe` endpoint, attackers can inject JavaScript payloads into device scan fields, which are then executed when administrators view device information on dashboards like `frameset.aspx`. The vulnerability stems from insufficient input validation in the `incomingdata` web API. Ivanti has released version 2024 SU4 SR1 to patch this high-severity flaw. → cybersecuritynews.com |
| 2025-12-10 2025 | Critical Ivanti EPM Vulnerability Allows Admin Session Hijacking via Stored XSS news 1 min read | Writeup of CVE-2025-10573 details a critical stored XSS vulnerability in Ivanti Endpoint Manager (EPM) allowing unauthenticated attackers to hijack administrator sessions. Exploitation involves injecting JavaScript via the 'incomingdata' web API's processing of device scan data, leading to full administrative control. Versions prior to Ivanti EPM 2024 SU4 SR1 are affected, with a patch released December 9, 2025. This vulnerability, identified by Rapid7, requires immediate patching due to its ease of exploitation and severe impact on remote endpoint management. → cyberpress.org |
| 2025-12-03 2025 | Angular Platform Vulnerability Allows Malicious Code Execution Via Weaponized SVG Animation Files news 2 min read | Library for Angular that addresses CVE-2025-66412, a Stored XSS vulnerability in the template compiler allowing arbitrary code execution via weaponized SVG animation files. This flaw stems from the compiler’s incomplete security schema, failing to sanitize URL-holding attributes and SVG animation elements. Attackers exploit this by binding untrusted data to attributes like `xlink:href` or through dynamic manipulation of SVG animation properties, leading to potential session hijacking and data exfiltration. Upgrading to patched Angular versions or implementing strict Content Security Policy (CSP) headers are recommended mitigations. → cybersecuritynews.com |
| 2025-12-03 2025 | Angular Platform Vulnerability Allows Malicious Code Execution via Weaponized SVG Animation Files news 2 min read | Writeup detailing a stored XSS vulnerability in Angular's template compiler, allowing arbitrary code execution via weaponized SVG animation files. Attackers can bypass sanitization by injecting `javascript:` URLs into attributes like `href` and `xlink:href` within SVG and MathML elements, particularly when combined with `<animate>` tags and attribute binding. This enables session hijacking and data exfiltration. Patches are available in Angular versions 19.2.17, 20.3.15, and 21.0.2, with workarounds including avoiding untrusted data binding and implementing strict CSP headers. → cyberpress.org |
| 2025-12-02 2025 | Entra ID tightens security against XSS attacks intermediate | Library update enhancing Entra ID security against XSS attacks. Microsoft is restricting script execution during login to only those from trusted Microsoft domains, mitigating account hijacking risks via cross-site scripting. This change, implemented through Content Security Policy headers, aligns with the Secure Future Initiative and addresses a persistent threat, as evidenced by Microsoft's mitigation of nearly 1,000 XSS vulnerabilities. Organizations should test their sign-in integrations for compatibility. → scworld.com |
| 2025-11-30 2025 | CISA Adds Actively Exploited XSS Bug CVE-2021-26829 in OpenPLC ScadaBR to KEV news 3 min read | Library for securing OpenPLC ScadaBR, addressing CVE-2021-26829 (XSS) and CVE-2021-26828 (unrestricted file upload), both listed on CISA's Known Exploited Vulnerabilities (KEV) catalog due to active exploitation by groups like TwoNet. These vulnerabilities impact Windows and Linux versions, with exploitation involving defacing HMI pages, disabling logs, and uploading web shells. The article also details Out-of-Band Application Security Testing (OAST) infrastructure used to fuel regional exploit operations. → thehackernews.com |
| 2025-11-29 2025 | CISA Warns of OpenPLC ScadaBR cross-site scripting vulnerability Exploited in Attacks news 2 min read | Vulnerability writeup detailing CVE-2021-26829, a critical Cross-Site Scripting (XSS) flaw affecting OpenPLC ScadaBR. This CWE-79 vulnerability, actively exploited in the wild and added to CISA's KEV catalog, allows remote attackers to inject malicious scripts via the system settings interface, potentially hijacking sessions, stealing credentials, or altering configurations in Operational Technology (OT) networks. Mitigations include applying vendor patches, reviewing third-party usage, or discontinuing use if patches are unavailable. → cybersecuritynews.com |
| 2025-11-27 2025 | Apache SkyWalking Flaw Allows Attackers to Launch XSS Attacks news 1 min read | Writeup of CVE-2025-54057, a Stored XSS vulnerability in Apache SkyWalking versions up to 10.2.0. This flaw allows attackers to inject and store malicious scripts due to improper neutralization of script-related HTML tags, potentially leading to credential theft and unauthorized access. The Apache Software Foundation has released version 10.3.0 with a patch to mitigate this "important" severity issue. → gbhackers.com |
| 2025-11-27 2025 | Apache SkyWalking Vulnerability Lets Attackers Expose Users to XSS Attacks news 2 min read | Writeup on CVE-2025-54057, a stored XSS vulnerability in Apache SkyWalking versions up to 10.2.0. The flaw allows attackers to inject malicious scripts into the web interface, enabling the execution of unauthorized code in users' browsers. Exploitation can lead to the theft of sensitive information, impersonation of users, and compromise of application data. Apache released version 10.3.0 as a patch, making immediate upgrade the sole mitigation strategy. → cyberpress.org |
| 2025-11-26 2025 | Paris The Thinker and why your WAF should block XSS by default beginner 5 min read | Library that advocates for blocking Cross-Site Scripting (XSS) by default in Web Application Firewalls (WAFs), aligning with the OWASP Top 10's emphasis on injection risks. It highlights the ineffectiveness of alert-only modes and the severe consequences of missed XSS vulnerabilities, including account takeover and application compromise. The library promotes Imperva's WAF, which offers out-of-the-box XSS blocking through a combination of signature and behavior-based detections, reducing dwell time for opportunistic attacks and accelerating mean time to protection. → securityboulevard.com |
| 2025-11-18 2025 | NDSS 2025 - EvoCrawl: Exploring Web Application Code And State Using Evolutionary Search advanced 1 min read | Paper on EvoCrawl, a web crawler utilizing evolutionary search to explore web application code and state, outperforming state-of-the-art scanners with a 59% increase in code coverage and 5x more successful form submissions. EvoCrawl's ability to reach specific application states enabled the discovery of eight zero-day IDOR and XSS vulnerabilities in WordPress, HotCRP, Kanboard, ImpressCMS, and GitLab. → securityboulevard.com |
| 2025-11-16 2025 | Cross-Site Scripting Vulnerability Discovered in Citrix NetScaler ADC and Gateway news 2 min read | Writeup of CVE-2025-12101, a cross-site scripting vulnerability impacting Citrix NetScaler ADC and Gateway, which is actively being weaponized. This flaw enables attackers to inject malicious scripts, leading to session hijacking, credential theft, and malware deployment. Organizations running vulnerable versions, including FIPS and end-of-life deployments, face significant risk, particularly with specific virtual server configurations. Immediate patching to version 14.1-56.73 or 13.1-60.32 is critical. → cyberpress.org |
| 2025-11-13 2025 | Multiple GitLab Vulnerabilities Let Attackers Inject Malicious Prompts to Steal Sensitive Data news 2 min read | Library updates address prompt injection in GitLab Duo's review feature, allowing attackers to steal sensitive data by injecting hidden prompts into merge request comments. Nine other vulnerabilities were patched, including XSS in the Kubernetes proxy, authorization bypass in workflows, information disclosure via GraphQL subscriptions, branch names, and the packages API, as well as path traversal, improper access control in GitLab Pages, and denial-of-service via Markdown. → cybersecuritynews.com |
| 2025-11-13 2025 | Multiple GitLab Vulnerabilities Allow Malicious Prompt Injection and Data Theft news 1 min read | Writeup detailing multiple GitLab vulnerabilities, including CVE-2025-6945 (prompt injection in Duo allowing confidential issue data theft), CVE-2025-11224 (XSS in Kubernetes proxy), and CVE-2025-2615/CVE-2025-7000 (information disclosure via GraphQL and branch names). The report emphasizes the risk of AI features and access control gaps, urging immediate upgrades to patched versions. → cyberpress.org |
| 2025-11-13 2025 | Kibana Vulnerabilities Expose Systems to SSRF and XSS Attacks news 2 min read | Library update addressing Kibana's CVE-2025-37734, an origin validation error within the Observability AI Assistant. This flaw enables Server-Side Request Forgery (SSRF) by allowing attackers to craft forged Origin HTTP headers, potentially leading to unauthorized access to internal systems. Affected Kibana versions include 8.12.0 through 8.19.6, 9.1.0 through 9.1.6, and 9.2.0. Elastic recommends upgrading to versions 8.19.7, 9.1.7, or 9.2.1, or disabling the feature as a temporary mitigation. → gbhackers.com |
| 2025-11-13 2025 | Citrix NetScaler ADC and Gateway Flaw Allows Cross-Site Scripting (XSS) Attacks news 2 min read | Writeup of CVE-2025-12101, a cross-site scripting (XSS) vulnerability affecting NetScaler ADC and Gateway platforms. This medium-severity flaw, CWE-79, allows attackers to inject malicious scripts, potentially leading to session hijacking or credential theft. It impacts various NetScaler versions, including FIPS and end-of-life releases, when configured as a Gateway with specific virtual server types. Cloud Software Group recommends immediate patching to mitigate the risk. → gbhackers.com |
| 2025-11-12 2025 | Citrix NetScaler ADC and Gateway Vulnerability Enables Cross-Site Scripting Attacks news 2 min read | Analysis of CVE-2025-12101, a cross-site scripting (XSS) vulnerability affecting NetScaler ADC and Gateway products. This flaw, categorized under CWE-79, allows attackers to inject malicious scripts, potentially leading to session hijacking. Exploitation requires specific configurations, such as operating as a Gateway or AAA virtual server. Affected versions include various releases of 14.1, 13.1, and 12.1, with end-of-life versions being permanently vulnerable. Immediate upgrades to patched releases or migration from EOL versions are recommended. → cybersecuritynews.com |
| 2025-11-12 2025 | Is It CitrixBleed4? Well No. Is It Good? Also No. (Citrix NetScaler Memory Leak & RXSS CVE-2025-12101) news 5 min read | Writeup detailing CVE-2025-12101, a reflected XSS vulnerability found in Citrix NetScaler's SAML RelayState parameter. The analysis also covers an undocumented memory leak (WT-2025-0089) triggered by a specific AAA virtual server misconfiguration, noting the ongoing fragility of memory management in these appliances. → labs.watchtowr.com |
| 2025-11-12 2025 | Nagios XSS Flaw Allows Remote Execution of Arbitrary JavaScript news 2 min read | Writeup of Nagios XI 2024R2.1 detailing the closure of a cross-site scripting (XSS) vulnerability in the Graph Explorer feature, which allowed for remote JavaScript execution. The update also enhances SNMP management capabilities, introduces new license levels for granular control, and removes support for Ubuntu 20.04. Nagios Core is updated to 4.5.9, with improvements for large-scale network monitoring and distributed checks. → cyberpress.org |
| 2025-11-10 2025 | CVE-2025-31029 Impact Exploitability and Mitigation Steps news | Writeup detailing CVE-2025-31029, an impact exploitability and mitigation analysis. This community-led vulnerability database entry provides insights into a critical cloud security issue, enabling users to evaluate their practices across nine security domains and identify defensive gaps. → wiz.io |
| 2025-11-10 2025 | CVE-2024-13992 Impact Exploitability and Mitigation Steps news | Writeup of CVE-2024-13992, detailing its impact, exploitability, and mitigation steps. This analysis focuses on a cloud vulnerability, offering insights relevant to assessing and strengthening cloud security practices. → wiz.io |
| 2025-11-10 2025 | CVE-2013-10074 Impact Exploitability and Mitigation Steps news | Reference for CVE-2013-10074, detailing its impact, exploitability, and mitigation steps. This vulnerability, documented within the Wiz Cloud Vulnerability Database, highlights potential gaps in cloud security practices. The database aims to provide a community-led resource for understanding and addressing cloud-based threats, offering insights beyond basic security domain assessments. → wiz.io |
| 2025-11-10 2025 | CVE-2024-13993 Impact Exploitability and Mitigation Steps news | Library for identifying and mitigating CVE-2024-13993, a cloud vulnerability. This resource offers detailed analysis, exploitability insights, and practical mitigation steps to safeguard cloud environments against this specific threat. It enables users to assess their security practices and identify defensive gaps. → wiz.io |
| 2025-11-10 2025 | CVE-2018-25119 Impact Exploitability and Mitigation Steps news | Analysis of CVE-2018-25119 details its impact, exploitability, and mitigation steps for cloud security. The Wiz vulnerability database offers free assessments to evaluate cloud security practices across nine domains, identifying defense gaps and benchmarking risk levels, aiming to provide full visibility into cloud workloads. → wiz.io |
| 2025-11-10 2025 | CVE-2021-47689 Impact Exploitability and Mitigation Steps news | Library for understanding CVE-2021-47689, detailing its impact, exploitability, and mitigation steps. This resource focuses on this specific cloud vulnerability, offering insights into how it can be leveraged and how to defend against it. It aims to empower users with the knowledge to assess and address security gaps within their cloud environments. → wiz.io |
| 2025-11-10 2025 | CVE-2025-62076 Impact Exploitability and Mitigation Steps news | Library for researching CVE-2025-62076, detailing its impact, exploitability, and mitigation steps. The entry offers a free vulnerability assessment across nine security domains to benchmark cloud security practices and identify defense gaps. Wiz.io provides this community-led database entry, highlighting its utility for understanding and addressing cloud security vulnerabilities. → wiz.io |
| 2025-11-10 2025 | CVE-2025-62030 Impact Exploitability and Mitigation Steps news | Reference detailing CVE-2025-62030, outlining its impact and exploitability. This entry provides mitigation steps and is part of a community-led vulnerabilities database, offering free assessment across nine security domains to benchmark risk and identify defense gaps. → wiz.io |
| 2025-11-10 2025 | CVE-2025-59556 Impact Exploitability and Mitigation Steps news | Analysis of CVE-2025-59556 details its impact and exploitability within cloud environments. This entry also provides actionable mitigation steps to secure against this specific vulnerability, allowing organizations to assess and improve their cloud security practices across multiple domains and identify potential defense gaps. → wiz.io |
| 2025-11-10 2025 | CVE-2025-62036 Impact Exploitability and Mitigation Steps news | Library for discovering and mitigating CVE-2025-62036 in cloud environments. This resource details the impact and exploitability of the vulnerability, offering practical mitigation steps to secure cloud workloads. It emphasizes achieving full visibility and identifying critical security gaps within cloud infrastructure. → wiz.io |
| 2025-11-07 2025 | NDSS 2025 - YuraScanner: Leveraging LLMs For Task-driven Web App Scanning4 advanced 1 min read | Tool for task-driven web application scanning, YuraScanner, leverages LLMs to autonomously execute tasks and discover deeper application states. It bridges the semantic gap through goal-based agents and extracts semantic information from webpages, making it web application-agnostic. YuraScanner utilizes the XSS engine of Black Widow to test input points, outperforming traditional scanners by identifying new attack surfaces and significantly improving vulnerability detection, as evidenced by the discovery of 12 zero-day XSS vulnerabilities compared to Black Widow's three. → securityboulevard.com |
| 2025-11-06 2025 | CVE-2025-31366 Impact Exploitability and Mitigation Steps news | Library for evaluating cloud security practices, this resource details CVE-2025-31366. It assesses risk levels across nine security domains, identifies defense gaps, and offers a free vulnerability assessment. The database aims to provide full visibility to cloud workloads and validate critical findings. → wiz.io |
| 2025-10-30 2025 | Reflected XSS Flaw Enables Attackers to Evade Amazon CloudFront Protection Using Safari intermediate 2 min read | Writeup detailing a reflected Cross-Site Scripting (XSS) vulnerability on help-ads.target.com that bypasses Amazon CloudFront’s Web Application Firewall (WAF) when exploited using the Safari browser. The flaw leverages Safari's specific handling of URL parsing and reflected script blocks, allowing attackers to execute JavaScript and potentially steal sensitive information like cookies. This underscores the critical need for security testing across diverse browsers and robust output encoding, rather than solely relying on WAF protections. → gbhackers.com |
| 2025-10-29 2025 | Wordpress Plugin Vulnerability Exposes 7 Million Sites to XSS Attack news 2 min read | Library: LiteSpeed Cache Plugin, version 7.5.0.1 and earlier, suffers from CVE-2025-12450, a reflected cross-site scripting (XSS) vulnerability due to insufficient input sanitization and output escaping in URL handling. Exploitable via crafted links requiring user interaction, this flaw allows attackers to execute arbitrary JavaScript, potentially leading to session cookie theft or unauthorized actions. Nicholas Giemsa discovered the vulnerability, and version 7.6 of the plugin has been released with a patch. Administrators should update immediately and consider Web Application Firewalls for additional protection. → cybersecuritynews.com |
| 2025-10-27 2025 | Zimbra ZCS Flaw CVE-2025-27915 Actively Exploited news 2 min read | Writeup of CVE-2025-27915, an actively exploited cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite's Classic Web Client. The flaw arises from insufficient HTML sanitization of iCalendar files, allowing embedded JavaScript in the `ontoggle` attribute to execute within a user's session when a crafted invite is opened. This grants attackers account access for activities like email redirection and data exfiltration. CISA has added it to its Known Exploited Vulnerabilities catalog and urges immediate patching or, if unavailable, disabling the Classic Web Client. The vulnerability is categorized under CWE-79. → thecyberexpress.com |
| 2025-10-27 2025 | Understanding the Threat of XSS (Cross-Site Scripting) beginner 6 min read | Survey of XSS (Cross-Site Scripting) vulnerabilities, detailing how malicious client-side scripts are injected into web pages. It covers Reflected, Stored, and DOM-Based XSS types, their impact including data theft and account compromise, and mitigation strategies like input validation, output encoding, and regular security audits. Notable attacks like those against British Airways and T-Mobile are mentioned as examples of their significant consequences. |
| 2025-10-26 2025 | Multiple GitLab Flaws Could Allow Account Takeover and Stored XSS Attacks news 2 min read | Patches address 15 SAP vulnerabilities, including three critical code injection flaws enabling arbitrary code execution and sensitive data access. These injection vulnerabilities, potentially leading to SQL injection, LDAP injection, or command injection, pose a severe risk to organizational infrastructure. Additional flaws include cross-site scripting (XSS), privilege escalation, authentication bypass, and information disclosure. Organizations should prioritize applying these updates via SAP's standard mechanisms. → cyberpress.org |
| 2025-10-25 2025 | CISA Warns of Zimbra Collaboration Suite (ZCS) XSS Zero-Day Vulnerability Actively Exploited in Attacks news 2 min read | Writeup of CVE-2025-27915, a critical zero-day XSS vulnerability in Synacor's Zimbra Collaboration Suite (ZCS) Classic Web Client. Exploiting improper HTML sanitization in ICS files, attackers can execute arbitrary JavaScript via an ontoggle event handler within a <details> tag, leading to compromised user sessions and malicious email filter creation for data exfiltration. CISA mandates remediation by October 28, 2025, for federal agencies, urging immediate application of vendor mitigations and enhanced email security controls. → cybersecuritynews.com |
| 2025-10-24 2025 | The XSS Threat Isnt Going Away beginner | The article discusses the persistent threat of Cross-Site Scripting (XSS) attacks in the digital landscape. Despite advancements in security measures, XSS vulnerabilities remain prevalent and pose a significant risk to web applications. The article emphasizes the importance of continued vigilance and proactive measures to mitigate XSS threats effectively. → hackernoon.com |
| 2025-10-24 2025 | Law Enforcement Cracks Down on XSS but Will It Last? news | Law enforcement is increasing efforts to combat Cross-Site Scripting (XSS) attacks. The effectiveness and longevity of these crackdowns are questioned. → darkreading.com |
| 2025-10-08 2025 | The Brute Art of Bypass - Unfiltered Edition: Master XSS Filter Evasion intermediate 2 min read | Library for bypassing XSS filters and WAFs, detailing systematic probing, backwards and onwards mapping, exploiting post-filter modifications, encoding variations, and keyword fragmentation. Techniques include mixing JavaScript encodings with HTML entities, moving payloads into DOM text, breaking filter context with comment-newline combos, and exploiting regex flaws. It covers methods like character mutation, HTTP Parameter Pollution, tag blending, and HTML vector bypasses, providing explanations for why each technique works against vendors like CloudFlare, Akamai, Imperva, and Fortinet. |
| 2025-08-14 2025 | Cross Site Scripting (XSS) | OWASP Foundation beginner 11 min read | Reference on Cross-Site Scripting (XSS) attacks, detailing how malicious scripts are injected into trusted websites through unvalidated user input. It categorizes attacks into Reflected, Stored, and DOM-Based XSS, outlines consequences like session hijacking and content manipulation, and points to OWASP resources like the XSS Prevention Cheat Sheet and the OWASP ESAPI project for mitigation techniques. The reference also mentions tools such as Nessus and Nikto for vulnerability scanning. → owasp.org |
| 2025-08-14 2025 | Find SSRF , LFI , XSS using httpx , waybackurls , gf , gau , qsreplace intermediate SSRF | The content discusses utilizing tools like httpx, waybackurls, gf, gau, and qsreplace to identify vulnerabilities such as Server-Side Request Forgery (SSRF), Local File Inclusion (LFI), and Cross-Site Scripting (XSS) in web applications. These tools can help security professionals identify and address these common security issues by scanning for them in web applications. |
| 2025-08-14 2025 | How I Found Multiple XSS Vulnerabilities Using Unknown Techniques advanced | The content discusses the discovery of multiple XSS vulnerabilities through the use of undisclosed techniques. It implies that the author has found a method to identify and exploit these vulnerabilities, potentially showcasing a unique approach to uncovering security flaws. The focus is on the process of discovering XSS vulnerabilities rather than detailing specific techniques or findings. → infosecwriteups.com |
| 2025-08-14 2025 | Hunting Blind XSS on the Large Scale — Practical Techniques intermediate 10 min read | Technique for large-scale Blind XSS detection, focusing on identifying vulnerable endpoints through tools like `waymore` and Google Dorking. The methodology involves gathering potential URLs from sources such as the Wayback Machine, filtering them for keywords like "feedback" or "support," and then fuzzing these endpoints with specific payloads designed to bypass WAFs. This approach aids in systematically hunting for Blind XSS vulnerabilities across numerous targets. |
| 2025-08-14 2025 | Mass Hunting Blind XSS Using XSSHunter Express Part 1 intermediate 5 min read | Tool for mass hunting Blind XSS vulnerabilities using XSSHunter Express. This guide details setting up a custom Blind XSS framework with a purchased domain and VPS, covering domain selection, VPS preparation on DigitalOcean, and XSSHunter Express installation via Docker. It also explains how to add custom JavaScript to the server to expedite vulnerability triage, mentioning the use of short domain names and compact payloads as key strategies for effective hunting. |
| 2025-08-14 2025 | A Bunch of Web and XSS Challenges beginner 9 min read | Reference detailing web and XSS challenges, including techniques like copy-paste XSS with AngularJS and connection pooling to delay script loading. It explores exploiting uncommon Content-Type headers such as `text/x,image/gif` and `multipart/mixed` for XSS, and bypassing DOMPurify via `<title>` tag injection and DOM clobbering. The entry also covers leveraging Chrome DevTools Protocol (CDP) and headless mode downloads to achieve XSS and read local files. |
| 2025-08-14 2025 | JS-Tap: Weaponizing JavaScript for Red Teams intermediate 12 min read | Library for red teamers weaponizing JavaScript to attack applications with unknown functionality. JS-Tap provides a generic, unauthenticated payload that instruments the client side, collecting data like IP addresses, OS, browser, typed inputs, URLs visited, cookies, local/session storage, HTML, screenshots, and XHR/Fetch API calls. It operates in "Trap Mode" using an iframe to maintain persistence, or "Implant Mode" by injecting into application JavaScript files. Collected data is accessible via a web-based portal for monitoring and analysis. |
| 2025-08-14 2025 | devanshbatham/Vulnerabilities-Unmasked beginner 14 min read CSRF IDOR | Library of analogies simplifying complex security vulnerabilities including Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection, ClickJacking, Subdomain Takeover, Privilege Escalation, Role-Based Access Control (RBAC) vulnerabilities, Server-Side Request Forgery (SSRF), Vulnerable and Outdated Components, Local File Inclusion (LFI), Denial of Service (DOS), Authentication Bypass, Insecure Direct Object Reference (IDOR), 2FA Bypass, and Race Condition Vulnerability. |
| 2025-08-14 2025 | Mastering XSS: A Comprehensive Guide for Bug Bounty Hunters | by Security L intermediate | The content titled "Mastering XSS: A Comprehensive Guide for Bug Bounty Hunters" by Security L provides detailed information and guidance on mastering Cross-Site Scripting (XSS) for individuals participating in bug bounty programs. It aims to help bug bounty hunters understand and effectively exploit XSS vulnerabilities to enhance their skills in identifying and reporting security issues. The guide likely covers various aspects of XSS attacks, techniques, prevention methods, and practical examples to equip readers with the knowledge needed to excel in finding and addressing XSS vulnerabilities in web applications. → infosecwriteups.com |
| 2025-08-14 2025 | https://infosecwriteups.com/bypassing-character-limit-xss-using-spanned-payload-7301ffac226e intermediate | The content discusses a technique to bypass character limits in Cross-Site Scripting (XSS) attacks using a spanned payload. By breaking the payload into smaller parts and using HTML span tags, attackers can evade character restrictions imposed by input fields, allowing them to execute malicious scripts on vulnerable websites. This method enables the injection of longer payloads while avoiding detection, making it a valuable tool for attackers seeking to exploit XSS vulnerabilities. → infosecwriteups.com |
| 2025-08-14 2025 | https://thegrayarea.tech/xss-bypass-for-rich-text-editors-bf5592e555d6 intermediate | The content discusses a method to bypass cross-site scripting (XSS) protections in rich text editors. It explains how attackers can exploit vulnerabilities in these editors to execute malicious scripts. By manipulating the editor's features, attackers can inject harmful code and potentially compromise user data. The article highlights the importance of understanding and mitigating XSS vulnerabilities in web applications, especially those using rich text editors. It serves as a warning to developers to implement proper security measures to prevent such attacks and protect user information. |
| 2025-08-14 2025 | https://heli9.com/reflected-xss/ beginner | The content provided is a link to a webpage discussing Reflected Cross-Site Scripting (XSS) attacks. Reflected XSS occurs when malicious code is injected into a website and then reflected back to the user. This type of attack can be used to steal sensitive information or perform unauthorized actions on behalf of the user. The webpage likely covers how to prevent and mitigate Reflected XSS attacks to protect websites and users from potential security risks. For more detailed information, it is recommended to visit the provided link. |
| 2025-08-14 2025 | https://weekly.infosecwriteups.com/iw-weekly-39-10-000-bounty-zero-click-account-takeover-stored-xss-open-redirection-vulnerability-sql-injection-rce-reconnaissance-techniques-and-much-more/ intermediate 3 min read RCE SQLi | Survey of application security articles, threads, videos, and tools, highlighting Facebook Reels crop feature bounty, Zoom stored XSS, Facebook zero-click account takeover, io_uring UAF vulnerability (CVE-2022-2602), Apple open redirection, GraphQL pentesting, social engineering guides, insecure CORS, bug bounty automation, smart contract vulnerabilities, mental health for hackers, HTTP Basic Auth, SQL Injection RCE (CVE-2022-44015), RFC analysis, MMORPG CTF challenge, CodeQL for GraphQL, reconnaissance techniques, SSRF deep dives, and EVM chain vulnerability testing with Foundry. |
| 2025-08-14 2025 | XSS.Report beginner | The content provided is simply the title "XSS.Report." It appears to be a reference to cross-site scripting (XSS) vulnerabilities and reporting related to them. The content is concise and does not provide any additional information or context beyond the title itself. |
| 2025-08-14 2025 | https://github.com/yeswehack/vulnerable-code-snippets beginner 2 min read SQLi SSRF | Library of vulnerable code snippets for practicing application security analysis, featuring common vulnerabilities such as Broken Access Control (CWE-284), SQL Injection (CWE-89), Cross-Site Scripting (CWE-79), Server-Side Template Injection (CWE-1336), and Deserialization of Untrusted Data (CWE-502). Each snippet includes a Docker setup for safe, isolated execution, with new examples posted weekly on Twitter. |
| 2025-08-14 2025 | https://portswigger.net/research/our-favourite-community-contributions-to-the-xss-cheat-sheet beginner 2 min read | Reference highlights seven community contributions to the XSS cheat sheet, including @hahwul's missing pointer events, @p4fg's Vue `v-if` vector, @NotSoSecure's AngularJS restriction bypass, @kachakil's AngularJS fix, @davwwwx's attribute injection, @laytonctf's `onbeforeinput` event, and @ladecruze's top-ranked payload using `location`, `atob`, and tagged template strings, with variants utilizing `unescape` and `String.fromCodePoint`. → portswigger.net |
| 2025-08-14 2025 | https://medium.com/bugbountywriteup/chaining-self-xss-with-ui-redressing-is-leading-to-session-hijacking-pwn-users-like-a-boss-efb46249cd14?source=userActivityShare-90814179aa21-1524844320 intermediate | The content discusses a security vulnerability involving chaining self-cross-site scripting (XSS) with UI redressing, leading to session hijacking. By exploiting this vulnerability, attackers can manipulate user interfaces to trick users into performing actions that compromise their accounts. The article details how this technique can be used to gain unauthorized access to user sessions and provides insights on how to prevent such attacks. |
| 2025-08-14 2025 | https://medium.com/@yassergersy/xss-to-session-hijack-6039e11e6a81?source=userActivityShare-90814179aa21-1523676165 intermediate | The content discusses how a Cross-Site Scripting (XSS) vulnerability can be exploited to hijack user sessions. It explains the process of injecting malicious scripts into a website to steal session cookies, allowing an attacker to impersonate the victim. The article emphasizes the importance of preventing XSS attacks through proper input validation and output encoding. It also highlights the significance of using secure coding practices to protect against session hijacking and other security threats. |
| 2025-08-14 2025 | ssl/ezXSS: ezXSS is an easy way for penetration testers and bug bounty hunt beginner 2 min read | Tool for testing (blind) Cross-Site Scripting (XSS) vulnerabilities. ezXSS helps penetration testers and bug bounty hunters find and exploit XSS, including persistent sessions with reverse proxy capabilities. It features an easy-to-use dashboard, instant alerts via multiple channels, and collects extensive data from vulnerable pages, supporting all major browsers. |
| 2025-08-14 2025 | Top 500 Most Important XSS Cheat Sheet for Web Application Pentesting beginner 7 min read | Cheatsheet enumerating 500+ XSS payloads for web application pentesting. It categorizes vulnerabilities into Reflected, Stored, and DOM-Based XSS, providing concrete examples of payloads leveraging various HTML tags, attributes, and encoding techniques, including SVG, CSS expressions, and modified UTF-7 encoding. → gbhackers.com |
| 2025-08-14 2025 | How to Write an XSS Cookie Stealer in JavaScript to Steal Passwords « Null intermediate 8 min read | Library for crafting XSS cookie stealers in JavaScript, this resource details how to leverage JavaScript's capabilities to exfiltrate user cookies containing sensitive information like passwords. It walks through setting up a basic HTML environment, injecting malicious JavaScript to capture cookies, and utilizing a simple PHP script on a controlled server to log the stolen data. The guide highlights the technique's effectiveness when combined with code injection and explains how to redirect compromised users to avoid suspicion. → null-byte.wonderhowto.com |
| 2025-08-14 2025 | Browser's XSS Filter Bypass Cheat SheetMasatokinugawa / filterbypass wiki intermediate 4 min read | Library for bypassing browser XSS filters, covering Chrome/Safari and IE11/Edge. It details techniques for exploiting XSS Auditor and IE/Edge XSS filters, including bypassing filters by inserting strings, leveraging character encodings, and exploiting JavaScript execution within various HTML contexts. Specific bypass methods are provided for scenarios involving SVG, XML, Flash, Angular, Vue.js, and jQuery, often requiring arbitrary tag injection and specific conditions related to same-origin policies or CORS. |
| 2025-08-14 2025 | XSSer automated framework to detect, exploit and report XSS vulnerabilities intermediate 1 min read | Framework for automating detection, exploitation, and reporting of Cross-Site Scripting (XSS) vulnerabilities. XSSer supports GET and POST injection methods, includes filters and bypassing techniques, and offers both command-line and GUI interfaces. It can inject code, leverage search engine dorks, perform multiple injections with automatic payloads, and utilize TOR proxies. Key defenses against XSS include validating input, adhering to patterns, avoiding direct reflection of untrusted data, and context-aware encoding. → gbhackers.com |
| 2025-08-14 2025 | XSSight - Automated XSS Scanner And Payload Injector - GBHackers On Securit intermediate 1 min read | Library for automated XSS scanning and payload injection. XSSight, powered by Team Ultimate, identifies vulnerabilities by injecting characters like `/\”<>` and analyzing page source code. It supports injecting XSS payloads to test for conflicts and offers defense recommendations such as validating input, avoiding direct reflection of untrusted data, and using context-aware encoding. → gbhackers.com |
| 2025-08-14 2025 | https://sql--injection.blogspot.co.uk: XSS Cheat Sheet beginner 60 min read | Cheat sheet compiling numerous XSS vectors and payloads. It includes examples for triggering alerts via `onclick`, `onload`, `onerror`, and various other event handlers within HTML elements like `<svg>`, `<img>`, `<button>`, and `<input>`. The resource also demonstrates techniques using `data:` URIs, Unicode escapes, and string manipulation for obfuscation. |
| 2025-08-14 2025 | Sniping Insecure Cookies with XSS intermediate 10 min read | Analysis of an accounting web application reveals how insecure cookie handling, specifically lacking `HttpOnly` and `Secure` flags, combined with a Cross-Site Scripting (XSS) vulnerability, can lead to full account compromise. The session token, implemented as a JSON Web Token (JWT) and stored in a cookie accessible by JavaScript, was susceptible to theft. This enabled an attacker to hijack administrator sessions by capturing the token and potentially manipulating the JWT's user ID if the secret key were weak enough to brute-force. |
| 2025-08-14 2025 | xss-polyglots intermediate | The content provided is a title "xss-polyglots" without any additional information or context. It seems to refer to cross-site scripting (XSS) polyglots, which are payloads that can execute in multiple contexts or languages. The term may relate to security testing, web development, or cybersecurity. |
| 2025-08-14 2025 | qazbnm456/awesome-web-security beginner 23 min read SSRF | Library of curated web security materials and resources covering techniques for Cross-Site Scripting (XSS), Prototype Pollution, CSV Injection, SQL Injection, Command Injection, XXE, CSRF, SSRF, Web Cache Poisoning, and Open Redirects. It also includes resources on SAML, file uploads, Rails, AngularJS, ReactJS, SSL/TLS, and cloud security specific to AWS and Azure, with mentions of CVE-2019-7609. |
| 2025-08-14 2025 | asp.net - Bypass XSS blacklist "", "&" input nvarchar - Stack Overflow intermediate | Library for bypassing XSS blacklists on ASP.NET applications. This resource details a scenario where a blacklisting approach fails to prevent Cross-Site Scripting, even when character inputs like `<`, `>`, and `&` are blocked. The vulnerability arises because the application stores user input in `nvarchar` fields and later outputs it as JavaScript variables. While the JavaScript encoding escapes characters within the string variables, it does not prevent XSS when these variables are rendered into the HTML. → stackoverflow.com |
| 2025-08-14 2025 | tunz/js-vuln-db: A collection of JavaScript engine CVEs with PoCs advanced | "tunz/js-vuln-db" is a repository that contains a collection of Common Vulnerabilities and Exposures (CVEs) related to JavaScript engines, along with Proof of Concepts (PoCs). This resource is likely designed to provide a centralized location for researchers and developers to access information about vulnerabilities in JavaScript engines and explore practical demonstrations of these vulnerabilities. |
| 2025-08-14 2025 | Uber Bug Bounty: Turning Self-XSS into Good-XSS – Jack Whitton intermediate 4 min read | Writeup detailing the exploitation of a self-XSS vulnerability on Uber's Partners portal. The author demonstrates chaining this self-XSS with two CSRF vulnerabilities in Uber's OAuth login and logout flows. This chain allows an attacker to log a victim out of their Uber Partners session, log them into the attacker's account, execute malicious JavaScript in the victim's context, and then log them back into their own account, all while maintaining an active session for data exfiltration. The technique leverages Content Security Policy (CSP) to selectively block redirects and facilitate the cross-account session manipulation. |
| 2025-08-14 2025 | Cross-Site Script Inclusion - A Fameless but Widespread Web Vulnerability C intermediate 8 min read | Library for detecting and exploiting Cross-Site Script Inclusion (XSSI) vulnerabilities, which are often overlooked but can lead to sensitive data leakage, circumvention of token-based protection, and account compromise. The library aids penetration testers by identifying dynamic JavaScript and JavaScript accessible only when authenticated. It analyzes scripts, compares content before and after cookie removal, and highlights discrepancies, assisting in the discovery of vulnerabilities like those involving ambient-authority information in JSONP or sensitive data within global variables. |
| 2025-08-14 2025 | Respect XSS beginner 4 min read | Writeup detailing a cross-site scripting (XSS) vulnerability affecting both SharePoint on-premises and online versions. This vulnerability, which earned a $2500 bounty, is triggered by manipulating the `SiteName` GET parameter within the "Follow Site" feature, allowing for payloads like `-confirm(document.domain)-` to be injected. The writeup includes exploitation examples and a timeline of the vulnerability's reporting and resolution by Microsoft. |
| 2025-08-14 2025 | The misunderstood X-XSS-Protection beginner | The content seems to focus on the X-XSS-Protection header, which is a security feature designed to mitigate cross-site scripting (XSS) attacks on websites. However, the content itself is very brief and lacks specific details or explanations about the misunderstood aspects of the X-XSS-Protection header. It suggests that there may be misconceptions or confusion surrounding this security measure. |
| 2025-08-14 2025 | XSS Hunter beginner | XSS Hunter is a tool used for detecting cross-site scripting (XSS) vulnerabilities in web applications. It helps security professionals identify and remediate XSS vulnerabilities by simulating attacks and capturing exploit attempts. XSS Hunter assists in understanding how attackers can exploit XSS vulnerabilities and provides insights into potential security weaknesses in web applications. By using XSS Hunter, security teams can proactively address XSS vulnerabilities and enhance the overall security posture of their web applications. |
| 2025-08-14 2025 | XSS without HTML: Client-Side Template Injection with AngularJS : netsec advanced | The content discusses a security vulnerability known as Client-Side Template Injection with AngularJS, which can lead to cross-site scripting (XSS) attacks without the use of traditional HTML. This type of vulnerability allows attackers to inject malicious templates into AngularJS applications, potentially compromising user data and security. The article likely delves into the technical details and implications of this security issue within the context of web development and security. |
| 2025-08-14 2025 | Cross Site Scripting Payloads ≈ Packet Storm beginner 8 min read | Library of Cross-Site Scripting (XSS) payloads hosted on Packet Storm Security, offering a collection of common and less common injection strings. Users access this resource by agreeing to terms that govern intellectual property, user representations, prohibited activities, and data usage, with provisions for user-generated contributions and the site's proprietary content. |
| 2025-08-14 2025 | How I Stole Plunker Session Tokens With Angular Expressions intermediate 7 min read | Writeup detailing an Angular Expression Injection vulnerability in Plunker, allowing for Plunker session token theft. The exploit leverages user input within the Twitter title meta tag, which is then evaluated by AngularJS, to steal session IDs by embedding them in image tags that send requests to a controlled server. The vulnerability was quickly patched by adding `ng-non-bindable` to the meta tag. |
| 2025-08-14 2025 | XSS Payloads beginner | The content provided is a brief mention of "XSS Payloads." This likely refers to malicious code or scripts that are used in cross-site scripting (XSS) attacks. XSS payloads are designed to exploit vulnerabilities in web applications, allowing attackers to inject and execute their own code on a targeted website. These payloads can be used to steal sensitive information, manipulate content, or perform other malicious actions. It is important for web developers and security professionals to be aware of XSS payloads and implement measures to prevent such attacks. |
| 2025-08-14 2025 | web application - Cross Site Scripting without special chars - Information intermediate | Technique for bypassing XSS filters that disallow equals signs and parentheses involves injecting null bytes (`%00`) to break string recognition and finding single-character bypasses within a restricted character set ({ : / & @ - < > \ . , ' " }). This method aims to execute JavaScript when traditional injection vectors are blocked, especially when filters lack character conversion. |
| 2025-08-14 2025 | mandatoryprogrammer/xssless: An automated XSS payload generator written in intermediate 2 min read | Tool for automated XSS payload generation. This Python script utilizes Burp proxy exports to create asynchronous, browser-friendly payloads. It supports CSRF token extraction, multipart POST requests, file uploads, and dynamic, self-propagating payloads for creating JavaScript worms. Payloads are optimized but recommend further minimization. |
| 2025-08-14 2025 | Collection of Cross-Site Scripting (XSS) Payloads ~ SmeegeSec beginner 3 min read | Collection of 298 Cross-Site Scripting (XSS) payloads, including HTML5 specific examples, suitable for fuzzing applications for reflective and persistent vulnerabilities. This resource can be used as a reference list or integrated into tools like Burp Intruder for payload submission. Payloads cover various injection techniques, including those using `javascript:`, `<script>`, `<svg>`, `<style>`, and `expression()` properties. |
| 2025-08-14 2025 | Excess XSS: A comprehensive tutorial on cross-site scripting beginner 21 min read | Tutorial detailing Cross-Site Scripting (XSS) attacks, explaining how attackers inject malicious JavaScript into websites to compromise user browsers. It covers the three main XSS types: Persistent XSS originating from the database, Reflected XSS from user requests, and DOM-based XSS exploiting client-side code. The tutorial illustrates techniques like session cookie theft via `document.cookie`, keystroke logging with `addEventListener`, and credential harvesting through fake login forms. |
| 2025-08-14 2025 | What is Cross-site Scripting and How Can You Fix it? beginner 9 min read | Guide to Cross-Site Scripting (XSS) explaining how attackers inject malicious scripts into legitimate web pages to execute code in a victim's browser. It details risks like cookie theft, website defacement, and advanced attacks such as phishing and identity theft. The guide categorizes XSS into stored, reflected, and DOM-based types, illustrating how vulnerabilities arise from unsanitized user input and providing examples of attack vectors, including using the `<script>` tag and manipulating `XMLHttpRequest`. → acunetix.com |
| 2025-08-14 2025 | www.vulnerability-lab.com/resources/documents/531.txt beginner | The content provided is a URL link to a text document hosted on the vulnerability-lab website. The document itself is not included in the request, so the specific information it contains is unknown. It is important to exercise caution when accessing such links, as they may contain sensitive or potentially harmful information related to vulnerabilities or security issues. |
| 2025-08-14 2025 | HTML5 Security CheatsheetWhat your browser does when you look away... intermediate | The content seems to be about HTML5 security and what happens when a user is not actively looking at their browser. It likely discusses potential security risks or actions that browsers may take in the background related to HTML5 technology. |
| 2025-08-14 2025 | XSS (Cross Site Scripting) Prevention Cheat Sheet - OWASP beginner 18 min read | Reference detailing XSS prevention techniques, emphasizing the necessity of combining defensive measures. It highlights how modern frameworks like React and Angular mitigate XSS through templating and auto-escaping, yet points out potential vulnerabilities when these frameworks are used insecurely, such as with React's `dangerouslySetInnerHTML` or Angular's `bypassSecurityTrustAs*` functions. The guide stresses the importance of output encoding, including HTML entity, attribute, JavaScript, CSS, and URL encoding, with specific advice on safe sinks like `.textContent` and `.setAttribute`. → owasp.org |
| 2025-08-14 2025 | https://medium.com/m/global-identity?redirectUrl=https://infosecwriteups.com/reflected-xss-dvwa-an-exploit-with-real-world-consequences-stackzero-171cfb2d87d2?source=rss----7b722bfd1b8d---4 intermediate | The content discusses a real-world exploit involving Reflected Cross-Site Scripting (XSS) in DVWA (Damn Vulnerable Web Application) with serious consequences. It highlights the impact of XSS vulnerabilities and the importance of secure coding practices to prevent such exploits. The article likely provides insights into the exploit, its implications, and ways to mitigate XSS vulnerabilities in web applications. |
| 2025-08-14 2025 | An unusual way to find XSS injection in one minute | Medium intermediate | The content appears to be about a unique method for quickly identifying cross-site scripting (XSS) vulnerabilities in web applications. The approach likely offers a rapid and efficient way to detect XSS injections within a minute, providing valuable insights into potential security weaknesses. The article may delve into the specifics of this unconventional technique and its effectiveness in identifying and mitigating XSS vulnerabilities. |
| 2025-08-14 2025 | Lab: Reflected DOM XSS | Web Security Academy intermediate 1 min read | Lab demonstrates Reflected DOM XSS by exploiting an `eval()` function call that processes an unescaped JSON response. By crafting a specific search term, `"-alert(1)}//`, and leveraging the lack of backslash escaping, the entry injects JavaScript code, causing an `alert(1)` to execute within the browser. The technique involves canceling out quotation mark escaping and commenting out the remainder of the JSON object. → portswigger.net |
| 2025-08-14 2025 | 10 Types of Web Vulnerabilities that are Often Missed - Detectify Labs beginner 16 min read SSRF XXE | Library detailing often-missed web vulnerabilities, including HTTP/2 Smuggling, XXE via Office Open XML Parsers, SSRF via XSS in PDF Generators, and XSS via SVG files. This resource explores obscure bug classes and less common delivery methods for traditional vulnerabilities, offering insights beyond the OWASP Top 10. It references research from Detectify Labs, Hakluke, Farah Hawa, Wallarm, and James Kettle, and mentions tools like http2smugl. → labs.detectify.com |
| 2025-08-14 2025 | https://github.com/mandatoryprogrammer/xsshunter-express intermediate 4 min read | Library for rapidly setting up XSS Hunter to detect blind cross-site scripting. This Dockerized application automates TLS/SSL certificate generation via Let's Encrypt and offers optional email notifications for payload fires, storing detailed probe data including DOM, cookies, user agent, and full screenshots. It supports correlated injections with compatible tools, secondary payload loading, and a minimized attack surface by disabling the web control panel. |
| 2025-08-14 2025 | https://www.bugcrowd.com/blog/the-ultimate-guide-to-finding-and-escalating-xss-bugs/?utm_campaign=XSS-BUGS-4.6-FB&utm_medium=social&utm_source=facebook#accept intermediate | The content discusses a comprehensive guide on finding and escalating XSS (Cross-Site Scripting) bugs. It covers various techniques and tools to identify XSS vulnerabilities in web applications, including manual testing and automated scanners. The guide emphasizes the importance of understanding different types of XSS attacks and provides tips on how to effectively report and escalate these issues to maximize impact. It also highlights the significance of responsible disclosure and collaboration between security researchers and organizations to address XSS vulnerabilities promptly. → bugcrowd.com |
| 2025-08-14 2025 | https://www.hackingarticles.in/burp-suite-for-pentester-hackbar/ intermediate 9 min read Burp XXE | Library for Burp Suite that accelerates manual penetration testing by automating payload insertion for various vulnerabilities. HackBar offers dropdown lists with pre-defined payloads for SQL Injection, Cross-Site Scripting, Local File Inclusion, XXE Injection, and OS Command Injection, streamlining the process of testing and exploiting these common web application flaws. |
| 2025-08-14 2025 | https://corneacristian.medium.com/top-25-xss-bug-bounty-reports-b3c90e2288c8 intermediate | The content discusses the top 25 XSS (Cross-Site Scripting) bug bounty reports, highlighting successful findings in various platforms. It showcases real-world examples of XSS vulnerabilities discovered by security researchers through bug bounty programs. The reports cover a range of websites and applications, emphasizing the importance of identifying and reporting XSS flaws to enhance cybersecurity. The article serves as a valuable resource for understanding XSS vulnerabilities and the impact they can have on web security. → corneacristian.medium.com |
| 2025-08-14 2025 | https://github.com/terjanq/Tiny-XSS-Payloads beginner 1 min read | Library of concise XSS payloads targeting various contexts. Examples include `<svg/onload=eval(name)>` when controlling the `name` attribute, `<iframe/onload=src=top.name>` for `<iframe>` manipulation, and `<style/onload=eval(name)>` for inline style execution. The collection also features payloads utilizing `import()` for external script execution and offers deprecated payloads for specific browser versions. |
| 2025-08-14 2025 | Documenting the impossible: Unexploitable XSS labs | PortSwigger Research advanced 3 min read | Labs detailing unexploitable XSS scenarios, including challenges like unclosed tag bypasses, JavaScript variable injections with escaped characters, query string processing with `innerHTML`, attribute length limitations, frameset injections, and minimal arbitrary code execution via `alert()`. These labs, presented as challenges on the PortSwigger XSS cheat sheet, aim to solidify understanding when exploitation proves difficult, offering confidence that a vulnerability may indeed be unexploitable if matching these specific, tricky conditions. → portswigger.net |
| 2025-08-14 2025 | $20000 Facebook DOM XSS : Vinoth Kumar news | The content appears to be a brief mention of a $20,000 reward offered by Facebook for discovering a DOM XSS vulnerability. The discovery was made by Vinoth Kumar. This type of vulnerability can allow attackers to manipulate a website's content and potentially compromise user data. |
| 2025-08-14 2025 | Samesite by Default and What It Means for Bug Bounty Hunters intermediate 4 min read Bug Bounty CSRF | Analysis of SameSite by Default's impact on bug bounty hunting reveals that while it aims to mitigate CSRF, it significantly affects other client-side vulnerabilities. Clickjacking, Cross-Site Script Inclusion (XSSI), JSONP leaks, Data Exfiltration, XSLeaks, and Cross-Site WebSocket Hijacking are all impacted due to the inability of cross-origin requests to carry cookies. While CORS misconfigurations and some XSS scenarios might have workarounds, the change fundamentally alters the landscape for exploiting these vulnerabilities. |
| 2025-08-14 2025 | Cross-Site Scripting (XSS) Cheat Sheet - 2023 Edition | Web Security Academ beginner 16 min read | Cheatsheet of Cross-Site Scripting (XSS) vectors, this resource details numerous techniques for bypassing Web Application Firewalls and filters. It categorizes vectors by event handlers like `onanimationcancel`, `onscrollend`, and `onwebkitanimationiteration`, or by consuming tags. Specific bypass methods are provided, including those avoiding parentheses, quotes, or spaces through exception handling and location hash evaluation, as well as hoisting techniques involving undefined variables, functions, and classes, and utilizing `window.name` or ES6 template strings. → portswigger.net |
| 2025-08-14 2025 | https://labs.nettitude.com/blog/cross-site-scripting-xss-payload-generator/ intermediate 4 min read | Library for generating obfuscated Cross-Site Scripting (XSS) payloads to bypass output encoding and character blacklisting filters. It offers various payload actions, including loading external scripts, invoking URL requests, or executing custom JavaScript snippets. Obfuscation methods include `eval()`, Base64 with `atob()`, string reversal, `String.fromCharCode()`, and hex codes. The library supports different injection types, such as breaking out of element attributes or using SVG `onload` events, and includes 0xsobky's XSS polyglot. |
| 2025-08-14 2025 | https://sametsahin.net/posts/steal-csrf-tokens-with-simple-xss/ intermediate 2 min read | Writeup detailing a simple cross-site scripting (XSS) technique capable of stealing CSRF tokens. This method leverages basic XSS payloads to exfiltrate sensitive tokens, potentially leading to unauthorized actions on behalf of the user. The article highlights the importance of robust CSRF protection mechanisms in web applications to prevent such attacks. |
| 2025-08-14 2025 | https://gauravnarwani.com/xssed-my-way-to-1000/ intermediate 3 min read | Writeup of a Synack bug bounty case study detailing a reflected XSS filter bypass that earned $1000+. The analysis focuses on bypassing input restrictions using character encoding like `%0A` and exploiting JavaScript execution flow by inserting an `else` block to trigger `alert('XSS')` when direct payload injection failed due to `if (false)` conditions and unclosed parentheses. |
| 2025-08-14 2025 | https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md intermediate 1 min read | Collection of JavaScript Cross-Site Scripting (XSS) payloads, specifically demonstrating techniques to execute `alert(23)` without using parentheses. This resource includes a wide variety of bypasses and creative methods, often leveraging unusual JavaScript features, object prototypes, and browser-specific quirks to achieve execution, such as manipulating `onerror`, `setTimeout`, `eval`, and various string manipulation techniques. |
| 2025-08-14 2025 | How to identify whether XSS is reflected or DOM based? intermediate | The content discusses methods to determine if a Cross-Site Scripting (XSS) vulnerability is reflected or DOM-based. This distinction is crucial for understanding how the attack is executed and mitigated. By analyzing the source of the vulnerability and its impact on the Document Object Model (DOM), security professionals can effectively identify and address XSS threats. Understanding the nature of XSS helps in implementing appropriate security measures to prevent exploitation and protect web applications from malicious attacks. |
| 2025-08-14 2025 | DOM XSS Intro beginner | The content is a brief introduction to DOM-based Cross-Site Scripting (XSS) without providing specific details or explanations. DOM XSS is a type of XSS attack that occurs when client-side scripts manipulate the Document Object Model (DOM) in a way that allows malicious scripts to be executed in a victim's browser. This summary captures the essence of the topic without delving into further details or examples. |
| 2025-08-14 2025 | Reflected XSS via AngularJS Template Injection | Hostinger intermediate | The content title mentions "Reflected XSS via AngularJS Template Injection" on Hostinger. This indicates a security vulnerability where attackers can inject malicious code into AngularJS templates, leading to cross-site scripting (XSS) attacks. The vulnerability allows attackers to execute scripts in the context of a user's browser, potentially compromising sensitive data or performing unauthorized actions on the affected website. It highlights the importance of securing web applications against such vulnerabilities to prevent exploitation and protect user data. |
| 2025-08-14 2025 | How I Found Stored XSS in Yahoo! intermediate | The content provided is a title stating "How I Found Stored XSS in Yahoo!". It suggests that the author discovered a stored cross-site scripting (XSS) vulnerability in Yahoo's system. The title implies that the author will likely share their experience, methodology, and findings related to identifying and exploiting this security flaw in Yahoo's platform. |
| 2025-08-14 2025 | What is XSS? Cross-site Scripting Explained beginner | Cross-site scripting (XSS) is a security vulnerability where attackers inject malicious scripts into web pages viewed by other users. This can lead to theft of sensitive information, unauthorized access, and other malicious activities. XSS exploits the trust a user has for a particular website, allowing attackers to execute scripts in the victim's browser. It is crucial for developers to implement proper security measures to prevent XSS attacks, such as input validation and output encoding. Understanding XSS and its implications is essential for maintaining the security of web applications. |
| 2025-08-14 2025 | s0md3v/AwesomeXSS intermediate 4 min read | Library of XSS resources, including challenges, tools, and payloads. It details numerous XSS vectors and bypass techniques, referencing specific sinks and sources from domxsswiki. Examples include SVG onload events, JavaScript context breaking with encoded characters, attribute injection using polyglots, and bypassing filters by omitting spaces, quotes, or the equal sign in payloads. The resource also provides methods for shortening URLs and avoiding common XSS detection keywords like "alert." |
| 2025-08-14 2025 | Demonstrating Reflected versus DOM Based XSS intermediate 7 min read | Library demonstrating DOM-based XSS exploitation in the OWASP Juice Shop, contrasting it with Reflected XSS in Altoro Mutual. The post details how to construct a malicious server to steal user cookies, extract JWTs, and retrieve password hashes, showcasing the effectiveness of DOM-based XSS against typical security measures. |
| 2025-08-14 2025 | https://medium.com/bugbountywriteup/how-i-found-a-xss-vulnerability-within-the-response-field-64a3b7d159ed?source=userActivityShare-90814179aa21-1528434838 intermediate | The content discusses how a security researcher discovered a cross-site scripting (XSS) vulnerability within a response field. The researcher explains the steps taken to identify and exploit the vulnerability, highlighting the importance of thorough testing and responsible disclosure. The article serves as a valuable resource for understanding XSS vulnerabilities and the process of reporting them for responsible disclosure. |
| 2025-04-23 2025 | Cross-Site WebSocket Hijacking Exploitation in 2025 - Include Security Research Blog intermediate 10 min read | Analysis of Cross-Site WebSocket Hijacking (CSWSH) exploitation, detailing how browser security improvements like Third Party Cookie Restrictions, Private Network Access, SameSite=Lax by default, and Firefox's Total Cookie Protection increasingly limit its effectiveness. It recaps CSWSH prerequisites, including cookie-based authentication with SameSite=None and missing Origin validation on WebSocket servers, and explores how these mitigations impact exploitability through case studies. |
| 2025-04-11 2025 | XSS payloads for href beginner | XSS payloads for href. GitHub Gist: instantly share code, notes, and snippets. |
| 2025-04-09 2025 | Controlling XSS Using A Secure WebSocket CLI - InfoSec Write-ups intermediate | When experimenting with Cross-Site Scripting (XSS), what’s the quickest way to test multiple payloads efficiently? Not long ago, I set up an XSS server that serves remote payloads, which can easily… → infosecwriteups.com |
| 2025-04-09 2025 | From Recon to Exploits: Uncovering XSS, Open Redirects, and More using this script intermediate Bug Bounty Recon | Step by Step guide to hunt info disclosure, xss and more → osintteam.blog |
| 2025-04-01 2025 | GitHub - Leviticus-Triage/XSS_Hunter: Ein Framework zur automatisierten Erkennung und Exploitation von XSS-Schwachstellen intermediate 4 min read | Framework for automated detection and exploitation of XSS vulnerabilities. It leverages machine learning for payload generation, WAF detection and evasion, and robust vulnerability validation. Features include scan, exploit, payload, and report modes, with options for screenshots, callback servers for blind XSS, and various validation levels for accuracy. It supports authenticated scans and DOM-based XSS detection. |
| 2025-03-31 2025 | Javascript Recon for Bug Bounty & Pentesting intermediate Bug Bounty Recon | Hidden endpoints, secrets, and DOM XSS using Automated JS Analysis |
| 2025-03-30 2025 | Stored XSS in My Flow To RCE in Opera Browser #2 - Renwa - Medium intermediate Bug Bounty RCE | Hey Opera team, after your great response and bounties with previous reports motivated me to look more into the program and find more bugs, luckily I found a critical bug in My Flow that allow an… |
| 2025-02-20 2025 | How I got a Stored XSS by searching through JS files. intermediate Bug Bounty | Hello Friend, I’m gonna talk about a simple Stored XSS vulnerability I did find in a private bug bounty program at Bugcrowd by searching in… |
| 2025-02-01 2025 | Tiny XSS Payloads beginner | A collection of small XSS payloads |
| 2025-01-28 2025 | domloggerpp/.github/images/firefox_manual.png at main · kevin-mizu/domloggerpp · GitHub intermediate | A browser extension that allows you to monitor, intercept, and debug JavaScript sinks based on customizable configurations. - kevin-mizu/domloggerpp |
| 2025-01-28 2025 | Cross Site Scripting - Payloads All The Things intermediate 10 min read | Reference containing a comprehensive collection of Cross-Site Scripting (XSS) payloads and techniques. It details reflected, stored, and DOM-based XSS, offering proof-of-concept examples for data exfiltration and session hijacking, including payloads for HTML, SVG, and various HTML5 tags. The resource also lists tools like XSSStrike, xsser, Dalfox, and XSpear for identifying XSS vulnerabilities. |
| 2025-01-23 2025 | XSS Penetration Testing Tool | Advanced Web Security for Pen Testers intermediate 4 min read | Tool for automated XSS detection, supporting 4500+ payloads and WAF bypass. It handles GET and POST requests, scans all parameters, and identifies Reflected, Stored, DOM-based, and Blind XSS vulnerabilities. Features include blind XSS automation, real-time feedback on confirmed alerts and WAF detection, and generation of detailed HTML, PDF, CSV, and JSON reports. Businesses can request a 48-hour trial license. |
| 2025-01-19 2025 | Google XSS Game beginner | Warning: You are entering the XSS game area |
| 2024-12-31 2024 | GitHub - 11whoami99/XSS-keylogger: A Simple JS code to keylogger data and send it to the personal server intermediate | A Simple JS code to keylogger data and send it to the personal server - 11whoami99/XSS-keylogger |
| 2024-12-21 2024 | GitHub - Cybersecurity-Ethical-Hacker/xssdynagen: 🪄 XSSDynaGen is a tool designed to analyze URLs with parameters, identify the characters allowed by the server, and generate advanced XSS payloads based on the analysis results. intermediate 6 min read Fuzzing | Library for dynamic XSS payload generation; analyzes URLs with parameters to identify server-allowed characters and constructs advanced payloads. Features asynchronous processing, parameter character testing with canary-based reflection verification, customizable character sets, and advanced evasion techniques like null bytes and Unicode encoding. Supports batch processing, proxy routing (Burp Suite, ZAP, mitmproxy), configurable rate limiting, and automatic retries. Output includes structured JSON with detailed analysis and generated payloads, or plain text. |
| 2024-11-15 2024 | GreHack 2024 | Playing with HTML parsing to bypass DOMPurify on default configuration advanced 6 min read | Slides from GreHack 2024 detail techniques for bypassing DOMPurify's default configuration through HTML parsing manipulation. The presentation covers exploiting DOMPurify versions 2.0.0, 3.0.0, 3.1.0, 3.1.1, and 3.1.2, demonstrating vulnerabilities related to node flattening, insertion modes, namespace switching, DOM clobbering, and attribute sanitization. It highlights specific bypasses achieved by leveraging HTML integration points, nested structures, and mutated elements to achieve cross-site scripting. |
| 2024-11-13 2024 | JavaScript for Hacking Made Easy: Expert Guide beginner 24 min read | Guide to using JavaScript for ethical hacking, detailing how its client-side execution enables attacks like Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). It introduces the browser's developer console for debugging and analysis, and demonstrates vulnerability identification using OWASP ZAP against targets like Damn Vulnerable Web Application (DVWA). |
| 2024-11-13 2024 | [HackerNotes Ep.95 & Ep.96] Cookies, Caching & Attacking Chrome Extensions with MatanBer advanced 21 min read Talks | Library for understanding and attacking browser extensions, covering components like content scripts, service workers, extension pages, and the manifest file. It details techniques for gaining source code access, exploiting extension scoping, and attacking content scripts via DOM injection and clickjacking, as well as extension and service worker pages through misconfigurations and message-passing APIs. The resource also includes insights on debugging extensions and notes on cookie parsing behaviors from the HeroV6 CTF writeup. |
| 2024-11-10 2024 | GitHub - whitel1st/docem: A tool to embed XXE and XSS payloads in docx, odt, pptx, xlsx files (oxml_xxe on steroids) intermediate 3 min read XXE | Library for embedding XXE and XSS payloads within common document formats like docx, odt, and pptx. Docem automates the process of replacing placeholder "magic symbols" in a sample document with specified payloads, offering granular control over payload placement per document, per file, or per placeholder. It serves as a more convenient alternative to tools like oxml_xxe when generating numerous poisoned documents. |
| 2024-11-01 2024 | XSS Payloads beginner | XSS Payloads web site |
| 2024-10-03 2024 | CSP Bypass Search intermediate | CSP Bypass Search |
| 2024-09-26 2024 | Simplifying XSS Detection with Nuclei - A New Approach intermediate 4 min read | Library for simplifying XSS detection, leveraging Nuclei's headless mode and the `waitdialog` action. This technique mimics real user interactions by running JavaScript, allowing for detection of XSS payload execution via JavaScript dialogs rather than relying on complex, target-specific reflection-based string matchers. The headless approach offers higher accuracy and reduced complexity, making XSS detection more consistent across different web applications. |
| 2024-09-24 2024 | xssorRecon/xss0rRecon.sh at main · xss0r/xssorRecon beginner 25 min read Bug Bounty Recon | Library for automated web application security reconnaissance and XSS vulnerability detection. This tool streamlines the process of identifying potential XSS attack vectors by performing domain enumeration, URL crawling, parameter analysis, and utilizing specific sub-tools like HiddenParamFinder. It aims to prepare for and launch XSS detection, offering options for path-based XSS and domain input searches, and includes a guide for deploying the tool on VPS servers for continuous operation. |
| 2024-09-23 2024 | GitHub - Emoe/kxss: This a adaption of tomnomnom's kxss tool with a different output format intermediate | Tool, a Go adaptation of tomnomnom's kxss, modifies the output format for improved grepability in recon scripts. It processes URLs to identify unfiltered characters like single quotes, double quotes, and angle brackets within parameters, presenting findings in a structured URL: [param] Unfiltered: [chars] format. Installation is handled via `go get github.com/Emoe/kxss`, and usage involves piping URLs to the executable. |
| 2024-09-22 2024 | DOM-based XSS: Exploiting `document.write` with `location.search` intermediate | Cross-Site Scripting (XSS) vulnerabilities pose significant risks to web applications by allowing attackers to inject malicious scripts… |
| 2024-09-13 2024 | GitHub - xss0r/xssorRecon: Automate Recon XSS Bug Bounty beginner Bug Bounty Recon | Library for automating XSS bug bounty reconnaissance. This tool requires downloading and extracting various files, including tools and wordlists, to a single directory for proper operation. Users can access a free five-day Pro plan license from the 10th to the 15th of each month via store.xss0r.com to explore the full functionality before potential purchase. |
| 2024-09-07 2024 | lostools/xsspollygots.txt at coffin · coffinsp/lostools intermediate | Contribute to coffinsp/lostools development by creating an account on GitHub. |
| 2024-09-01 2024 | Bypassing CSP via URL Parser Confusions : XSS on Netlify’s Image CDN advanced | Heyyy Everyonee, |
| 2024-08-24 2024 | Top 10 XSS Payloads beginner | Those are the most useful payloads to prove the vast majority of Cross Site Scripting (XSS) vulnerabilities out there. |
| 2024-08-22 2024 | BChecks/vulnerability-classes/injection at main · PortSwigger/BChecks · GitHub intermediate Burp RCE SQLi | BChecks collection for Burp Suite Professional and Burp Suite Enterprise Edition - PortSwigger/BChecks |
| 2024-07-30 2024 | OAuth+XSS Attack Threatens Millions of Web Users With Account Takeover news API Sec AuthN | An attack flow that combines API flaws within "log in with" implementations and Web injection bugs could affect millions of websites. → darkreading.com |
| 2024-07-22 2024 | DOM-based Cross-Site Scripting Attack in Depth - GeeksforGeeks beginner 3 min read | Guide to DOM-based Cross-Site Scripting detailing how attackers manipulate the Document Object Model on the client-side, bypassing server-side protections. It explains how payloads are executed by legitimate JavaScript after the victim clicks a crafted URL, leading to session hijacking, cookie theft, and sensitive data compromise. The guide recommends using tools like Burp Suite for detection and emphasizes sanitizing JavaScript input, using secure frameworks like AngularJS and React, and avoiding vulnerable source attributes like `location.href`. → geeksforgeeks.org |
| 2024-07-22 2024 | Understanding DOM-Based XSS: Sources and Sinks intermediate | This post assumes the reader has some knowledge on HTML, JavaScript (JS), and Cross-site scripting (XSS). I still try to explain some of… |
| 2024-07-22 2024 | Best Approach to DOM XSS intermediate | First of we need to understand the nature of this vulnerability and how it occurs , then we proceed to look forward to how to detect and… |
| 2024-07-22 2024 | DOM XSS: What Is DOM-based Cross-Site Scripting And How can you Prevent it? beginner 6 min read | Library detailing DOM-based Cross-Site Scripting (DOM XSS) vulnerabilities, which affect up to 50% of websites, impacting companies like Google, Yahoo, and Amazon. It explains how this client-side vulnerability occurs when malicious JavaScript alters the Document Object Model, enabling attackers to exploit sources like `document.URL` and sinks such as `document.write` or `innerHTML` to execute arbitrary code and steal sensitive data. The resource differentiates DOM XSS from reflected and stored XSS, highlighting its client-side root cause and the necessity for client-side code sanitization and careful handling of client data. |
| 2024-07-22 2024 | DOM Based XSS | Tutorial & Examples | Snyk Learn | Snyk Learn beginner 3 min read | Tutorial on DOM XSS vulnerabilities, explaining how attackers manipulate the Document Object Model with client-side code injected via user-controllable sources like `eval()`, `document.write()`, or `innerHTML` sinks. It demonstrates exploiting a personalized profile color feature by escaping URL query parameters and recommends mitigating this by directly assigning color values to `document.body.style.color`, sanitizing input with libraries like `node-esapi`, or employing Content Security Policy (CSP) with nonces. |
| 2024-07-22 2024 | DOM-Based Cross-Site Scripting (DOM XSS) Explained beginner | 👍👍👍 and subscribe for more DOM XSS tutorials: https://www.youtube.com/channel/UC2vVVgKKzN-Gb_xeaUY0o-Q?sub_confirmation=1Check out my best selling AppSec ... |
| 2024-07-22 2024 | What is DOM-based XSS (cross-site scripting)? Tutorial & Examples | Web Security Academy beginner 8 min read | Tutorial on DOM-based XSS vulnerabilities, detailing how JavaScript sources like `window.location` can pass attacker-controllable data to sinks such as `eval()` or `innerHTML`, enabling malicious JavaScript execution. It covers manual testing techniques using browser developer tools to inspect HTML and JavaScript execution sinks, and introduces Burp Suite's DOM Invader extension for automated detection. The tutorial also explores exploiting DOM XSS through various sinks like `document.write()` and `innerHTML`, including examples with third-party dependencies like jQuery's `attr()` and `$()` functions. → portswigger.net |
| 2024-07-22 2024 | DOM Based XSS | OWASP Foundation beginner 5 min read Bug Bounty | Reference detailing DOM-based XSS (Type-0 XSS), a vulnerability where client-side scripts execute unexpectedly due to malicious modifications of the DOM environment, not the HTTP response itself. It provides examples, including a `decodeURIComponent` vulnerability and the fragment-based technique to bypass server-side detection, and mentions attacks against Adobe PDF plugins. The entry also references testing tools like DOM Snitch and the DOM XSS Wiki. → owasp.org |
| 2023-12-20 2023 | XSSRF : The Matrimony of XSS and SSRF. advanced SSRF | The content discusses the concept of XSSRF, which is the combination of Cross-Site Scripting (XSS) and Server-Side Request Forgery (SSRF). This fusion poses a significant security risk by allowing attackers to manipulate server requests through XSS vulnerabilities. The term "matrimony" is used metaphorically to describe the dangerous union of these two attack vectors. The link provided likely leads to further information or resources on this topic. |
| 2023-12-05 2023 | A Bunch of Web and XSS Challenges intermediate 9 min read | Writeups detail several web application security challenges, including exploiting AngularJS in editable divs via copy-paste XSS and connection pools, bypassing Content-Type restrictions with UTF-16 and `multipart/mixed`, and achieving XSS through path manipulation and bypassing DOMPurify with crafted HTML. Techniques such as DOM clobbering and leveraging Chrome DevTools Protocol for headless mode downloads are also discussed, offering insights into overcoming common sanitization and browser security mechanisms. |
| 2023-12-01 2023 | Cookie Bugs - Smuggling & Injection intermediate 4 min read | Writeup on browser cookie encoding and web framework parsing, detailing browser behaviors like subdomain and superdomain cookie inheritance, __Host- and __Secure- prefixes, cookie ordering, and empty cookie names. It covers browser-specific issues like Chrome's `document.cookie` corruption and vulnerabilities like cookie smuggling and injection found in Java web servers (Jetty, Tomcat, Undertow) and Python frameworks (Zope, CherryPy, aiohttp, Bottle, Webob), including CVE-2023-26049 and GHSA-p26g-97m4-6q7c. |
| 2023-12-01 2023 | Bypass CSP Using WordPress By Abusing Same Origin Method Execution intermediate 5 min read | Technique bypasses Content Security Policy (CSP) by exploiting a WordPress JSONP endpoint to execute arbitrary JavaScript. This method, nominated for Top Web Hacking Techniques of 2023, leverages Same Origin Method Execution (SOME) to craft payloads that defeat CSP restrictions. It allows an attacker with HTML injection on a main domain to achieve full-blown XSS, and potentially RCE, if WordPress is hosted on a subdomain or directory, as demonstrated with Octagon.net. |
| 2023-11-02 2023 | JS-Tap: Weaponizing JavaScript for Red Teams intermediate 12 min read | Tool for weaponizing JavaScript for red teams, JS-Tap provides a generic payload that does not require prior application knowledge or authenticated access. It operates in Trap Mode for XSS payloads, using an iframe trap for persistence, or Implant Mode for direct injection into application JavaScript files. JS-Tap instruments the client side to collect data such as IP address, OS, browser, typed user inputs, visited URLs, cookies, local and session storage, HTML code, screenshots, and XHR/Fetch API call details, which are then monitored via a web-based portal. |
| 2023-10-05 2023 | Writeups for Damn Vulnerable Web Application (DVWA) beginner SQLi | Writeups for Damn Vulnerable Web Application (DVWA) https://ift.tt/b6djesM |
| 2023-10-05 2023 | 2023 Microsoft Office XSS intermediate 3 min read | Writeup detailing a Microsoft Office XSS vulnerability discovered in Word and Office 365. This vulnerability allows attackers to embed malicious JavaScript by crafting a video title, which is then rendered insecurely within an iframe when the video is played in a document. The exploit leverages the iframe's `onload` attribute, enabling arbitrary JavaScript execution, similar to past critical Office exploits like CVE-2021-40444 and CVE-2022-30190. |
| 2023-10-05 2023 | xss\ beginner | Writeup detailing Cross-Site Scripting (XSS) techniques and payloads, including examples like `onerror` attributes, iframe `srcdoc` exploitation, OAuth state parameter manipulation for XSS via `<script>`, and Base64 encoded JavaScript payloads. It showcases bypassing filters with various HTML tags and attributes, demonstrating an XSS to Local File Inclusion (LFI) payload targeting `/etc/passwd`, and references external resources for mass injection and Microsoft Office vulnerabilities. |
| 2023-10-03 2023 | XSS to Exfiltrate Data from PDFs intermediate | XSS to Exfiltrate Data from PDFs https://ift.tt/sGqiZz6 |
| 2023-10-03 2023 | Is XSS Attack via PDF Javascript Possible? intermediate | Analysis of PDF JavaScript execution in browsers, investigating its potential for XSS attacks. The entry addresses whether JavaScript embedded within PDF documents, like the example using `app.alert`, can access browser data such as cookies or perform redirects, and whether sandboxing mechanisms prevent such actions when PDFs are opened via a web browser. → stackoverflow.com |
| 2023-10-03 2023 | PDFBox - JavaScript in PDF Document beginner 2 min read | Library for programmatically embedding JavaScript actions into PDF documents using the Apache PDFBox framework. This technique involves loading an existing PDF, creating a `PDActionJavaScript` object with the desired script (e.g., an `app.alert` command), and setting it as the document's open action before saving and closing. |
| 2023-09-26 2023 | How Could a Self-XSS end with $$$$ intermediate | How Could a Self-XSS end with $$$$ https://ift.tt/681snfM |
| 2023-09-16 2023 | 8 XSS Vulnerabilities in Azure HDInsight Allow Attackers to Deliver Malicious Payloads news | 8 XSS Vulnerabilities in Azure HDInsight Allow Attackers to Deliver Malicious Payloads https://ift.tt/yam8fue |
| 2023-09-07 2023 | Identify Cross Site Scripting Vulnerabilities with these XSS Scanning Tools beginner 12 min read | Tools for detecting Cross-Site Scripting (XSS) vulnerabilities include Burp Suite, DalFox, Detectify, XSStrike, Wapiti, Pentest-Tools.com XSS Scanner, Intruder, Security for Everyone (S4E), ZAP, XSSer, Acunetix, and Invicti. These scanners analyze web applications by simulating attacks to find injection points for malicious scripts, helping to remediate issues like Reflected XSS, Stored XSS, and DOM-based XSS. |
| 2023-08-09 2023 | https://thexssrat.podia.com/full-house-bundle-all-of-our-current-and-future-courses-in-one?coupon=FRGDFG beginner | https://ift.tt/f9xe58a |
| 2023-08-01 2023 | XSS Payloads on Twitter beginner | https://twitter.com/xsspayloads/status/1685889094574874624?s=12&t=lhd09Kl740jrudlSO85fxA |
| 2023-06-08 2023 | XSS Unleashed: Bypassing Filters with XLink Namespace intermediate | XSS Unleashed: Bypassing Filters with XLink Namespace https://ift.tt/IuayGmr |
| 2023-04-02 2023 | Mastering XSS: A Comprehensive Guide for Bug Bounty Hunters beginner Bug Bounty | Mastering XSS: A Comprehensive Guide for Bug Bounty Hunters https://ift.tt/tFcafTi |
| 2023-04-02 2023 | How to Hack Web Browsers with BeEF Framework intermediate | How to Hack Web Browsers with BeEF Framework https://ift.tt/r8zkdW9 |
| 2023-03-17 2023 | Bypassing Character Limit - XSS Using Spanned Payload intermediate | The content discusses bypassing character limits in XSS attacks by using a spanned payload. It suggests a method to circumvent restrictions on the length of input in XSS attacks by utilizing a span element. This technique allows attackers to inject malicious code beyond the usual character limits imposed by security measures. By exploiting this vulnerability, hackers can potentially execute harmful scripts on vulnerable websites. |
| 2023-03-16 2023 | XSS-Payloads beginner | List of XSS payloads collected since 2015 from various sources, designed to bypass Web Application Firewalls (WAF) and identify XSS vulnerabilities. While older versions of `payloads.txt` are outdated, the project directs users to the PortSwigger XSS cheat sheet for current payloads and other valuable XSS resources. |
| 2023-01-30 2023 | The XSS hunter's secret weapon beginner 1 min read | Tool for detecting and reporting blind cross-site scripting (XSS) vulnerabilities. BXSSHUNTER generates markdown reports for platforms like HackerOne and Bugcrowd, hosts payloads remotely via *.bxss.in URLs for execution tracking, and offers instant notifications on Slack, Discord, and email. It also provides a public profile page to showcase XSS hunting skills. |
| 2023-01-30 2023 | Xss beginner | The content provided is a link to a website named "XSS Report." The website likely focuses on cross-site scripting (XSS) vulnerabilities, a common security issue in web applications. XSS allows attackers to inject malicious scripts into web pages viewed by other users. The website may offer information, resources, or tools related to identifying and mitigating XSS vulnerabilities to help website owners secure their platforms against such attacks. |
| 2022-09-14 2022 | DOM-based vulnerabilities | Web Security Academy beginner 4 min read | Reference for DOM-based vulnerabilities detailing taint flow from attacker-controllable sources like `location.search` and `document.referrer` to dangerous sinks such as `eval()` and `document.body.innerHTML`. It covers preventing these vulnerabilities through input validation, sanitization, and encoding, and mentions advanced techniques like DOM clobbering. Labs are available for practical exploitation. → portswigger.net |
| 2022-06-20 2022 | Favorite tweet by @Burp_Suite news Burp | Favorite tweet: Burp Suite 2022.6 released to the Early Adopter channel. Includes grouped tabs for Repeater, connection reuse for HTTP/1 requests, and new preset scan modes. Also introduces the abili... |
| 2022-06-20 2022 | Favorite tweet by @PortSwigger intermediate Burp | Favorite tweet: Finding Client-Side Prototype Pollution (CSPP) with DOM Invader by @garethheyes - now available on the Early Adopter channel https://t.co/ut1Buup1so — PortSwigger (@PortSwigger) Jun ... |
| 2022-05-11 2022 | Favorite tweet by @Nickieyey beginner Bug Bounty | Favorite tweet: Top XSS (Cross Site Scripting) Tools : 1) BeeF 2) BlueLotus_XSSReceiver 3) xssor2 4) Xsser-Varbaek 5) Xsser-Epsylon 6) Xenotix #pentesting #ethicalhacking #cybersecurity #CyberSec #we... |
| 2022-04-14 2022 | Favorite tweet by @e11i0t_4lders0n intermediate Bug Bounty Burp | Favorite tweet: Burp Extension for XSS Thread 🧵 #bugbounty #bugbountytip #bugbountytips — Tushar Verma 🇮🇳 (@e11i0t_4lders0n) Apr 14, 2022 |
| 2022-03-18 2022 | Favorite tweet by @NandanLohitaksh intermediate Recon | Favorite tweet: Mass Blind XSS 🔥👇 By @HackerGautam ✅ One-Liner : hakrawler -plain -usewayback -wayback -url https://t.co/UWTXcbtzMq | grep "=" | egrep -iv ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|wo... |
| 2022-03-18 2022 | Favorite tweet by @HackerGautam intermediate Recon | Favorite tweet: Mass Blind XSS 🔥👇 ✅ One-Liner : hakrawler -plain -usewayback -wayback -url https://t.co/Tmo5ijSdeM | grep "=" | egrep -iv ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|t... |
| 2022-02-08 2022 | Favorite tweet by @manicode beginner | Favorite tweet: OWASP has released an update to the XSS Prevention CheatSheet. This is one of our most popular CheatSheets and we are taking community consultation that the draft is ready for public ... |
| 2022-01-18 2022 | CSP Inline Scripts intermediate 1 min read | Reference detailing Content Security Policy (CSP) bypass techniques, specifically addressing inline script blocking. It explains how browsers reject inline scripts like `<script> doSomething(); </script>` and event handlers like `onclick="doSomething();"` when CSP is active. The document outlines methods to allow these, including using a single-use `nonce` value, pre-computed SHA256 `hash` values, the generally discouraged `unsafe-inline` source list, and the CSP Level 3 `unsafe-hashes` attribute for event handlers. |
| 2021-12-27 2021 | Cross-examination: unveiling JavaScript injection fingerprint masking attempts advanced 4 min read | Library for managing multiple online identities, this tool focuses on advanced browser fingerprinting and session management. It enables users to create unique browser profiles with customizable settings for timezone, geolocation, WebRTC, and hardware fingerprints like Canvas and WebGL. The library also supports proxy server configuration and session restoration, allowing for persistent logins across various websites within a single identity. |
| 2021-12-07 2021 | Hacker Tools: How to set up XSSHunter beginner 6 min read | Tool for detecting blind XSS vulnerabilities, XSSHunter allows users to host specialized XSS probes that scan pages and send vulnerability details via email upon triggering. The article details how to set up a self-hosted instance of XSSHunter Express using Docker, configuring DNS, and running the application, enabling granular control over collected data and enhanced notification reliability. A practical example demonstrates exploiting a vulnerable XSS lab with a generated payload and observing successful exploitation reports. |
| 2021-12-07 2021 | XSS Hunter is Now Open Source Heres How to Set It Up! beginner 4 min read | Library for self-hosting XSS Hunter, an open-source tool designed to detect blind XSS vulnerabilities. The setup process involves configuring DNS, installing dependencies like Nginx and PostgreSQL, cloning the source code from GitHub, and running the API and GUI servers within tmux sessions. Requirements include a server, a Mailgun account, a domain name, and a wildcard SSL certificate. |
| 2021-11-26 2021 | Find reflected XSS candidates in source code intermediate | Find reflected XSS candidates in source code |
| 2021-11-19 2021 | Tackling Cross Site Scripting with Smart Contracts intermediate 10 min read | Library addressing Cross-Site Scripting (XSS) attacks originating from smart contracts. It details how user-supplied strings, such as store names or product descriptions in a decentralized application (dApp), can be exploited to inject malicious HTML or JavaScript. The resource discusses both front-end UI validation and the more robust approach of implementing character validation directly within the smart contract itself to prevent DOM-based XSS and protect against direct RPC call exploits. It highlights the gas costs associated with on-chain validation using tools like `eth-gas-reporter`. |
| 2021-11-13 2021 | Web Attack Cheat Sheet beginner 61 min read API Sec Bug Bounty SQLi | Cheatsheet of web attack techniques and tools, covering manual and automated methods for discovering, enumerating, scanning, monitoring, and attacking web applications. It includes techniques like SSRF, XXE, SQLi, XSS, Path Traversal, SSTI, and information disclosure, alongside tools for ASN lookups, favicon analysis, CDN IP range identification, and subdomain enumeration. Resources mentioned include Project Discovery's Chaos, ASNlookup, CloudPeler, CloudFlair, cdncheck, CloudBunny, CF-Hero, ksubdomain, OWASP Amass, subfinder, and pius. |
| 2021-11-03 2021 | Finding and Fixing DOM-based XSS with Static Analysis Attack & Defense intermediate 7 min read | Library for detecting and preventing DOM-based XSS vulnerabilities in client-side JavaScript code. This static analysis tool, built as an eslint plugin called `eslint-plugin-no-unsanitized`, parses Abstract Syntax Trees (ASTs) to identify risky assignments to `innerHTML`, `outerHTML`, and calls to `insertAdjacentHTML()`, `document.write()`, and `document.writeln()`. It distinguishes between hardcoded safe strings and potentially attacker-controlled variables, and supports integration with sanitizers like DOMPurify to reduce false positives and improve security posture for Single Page Applications and Electron applications. |
| 2021-11-02 2021 | https://blog.isiraadithya.com/intigriti-1021-xss-challenge-solution-writeup/ intermediate 6 min read | Writeup of Intigriti XSS Challenge 1021, detailing a mutation XSS exploit. The challenge involved an iframe containing a PHP page that reflected user input from the `html` parameter. By carefully crafting HTML to manipulate the DOM structure and leverage how browsers auto-correct malformed HTML, the author bypassed the Content Security Policy (CSP) to inject JavaScript. The solution focused on injecting specific tags, including `<test id="intigriti">` and `<xss><te>`, to control the last four characters of the injected JavaScript's context, ultimately leading to an XSS vulnerability. |
| 2021-10-26 2021 | Content Security Policy (CSP) explained including common bypasses beginner 6 min read | Library for understanding Content Security Policy (CSP) headers, detailing their function in preventing XSS vulnerabilities by restricting resource sources. It explains key attributes like `self`, `unsafe-inline`, and `unsafe-eval`, and covers common bypass techniques such as callback manipulation, CDN file uploads, abusing existing libraries, and injection into the policy itself, referencing techniques found on Portswigger. |
| 2021-10-21 2021 | Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist. intermediate | Library for filtering untrusted HTML input to prevent XSS attacks. It controls tag and attribute usage based on a configurable whitelist, offering flexibility through extendable APIs. Installable via npm, it effectively sanitizes user-provided HTML in contexts like forums, blogs, and e-shops. |
| 2021-10-07 2021 | Is there a way to execute XSS in an HTML img tag with SVG? intermediate | Technique for XSS execution within an HTML `<img>` tag via SVG. SVG can embed CSS, which in turn can contain JavaScript. Methods include `expression(...)`, `url('javascript:...')`, and browser-specific features like Firefox's `-moz-binding`. This allows script execution in the host page's domain when user-controlled SVGs are rendered. Mitigation strategies involve Content-Security-Policy and serving SVGs in sandboxed, cross-domain iframes. |
| 2021-10-07 2021 | What content-type's execute javascript in the browser? beginner 1 min read | Reference discussing JavaScript execution based on `Content-Type` headers in browsers. It highlights that while `text/html` is the standard, some browsers (specifically IE) may execute JavaScript in other types like `application/form-data` or `text/xhtml+xml`. The entry also notes that browser behavior can be influenced by file extensions (`.htm`, `.html`), overriding MIME type expectations, particularly to handle malformed server configurations. → stackoverflow.com |
| 2021-10-04 2021 | 10 Types of Web Vulnerabilities that are Often Missed beginner 16 min read Bug Bounty IDOR SQLi SSRF | Library detailing HTTP/2 Smuggling via custom tools like `http2smugl`, XXE within Office Open XML parsers using crafted `.docx` or `.xlsx` files, and SSRF via XSS in PDF generators, often found in applications utilizing `wkhtmltopdf` or headless browsers for PDF creation. The library also covers XSS vulnerabilities within SVG file uploads, highlighting common but frequently missed attack vectors beyond the standard OWASP Top 10. → labs.detectify.com |
| 2021-08-30 2021 | Cross-Site WebSocket Hijacking (CSWSH) intermediate API Sec | Cross-Site WebSocket Hijacking (CSWSH) |
| 2021-08-21 2021 | Why u should use burp to test Path Traversal Vulnerability and also get RXSS intermediate Burp | Why u should use burp to test Path Traversal Vulnerability and also get RXSS |
| 2021-08-17 2021 | kleiton0x00/XSScope beginner 2 min read | Framework for advanced XSS and HTML Injection client-side attacks, XSScope enables XSS botnet operations, HTTP flood DDoS attacks, and automatic payload generation for bug hunting. It can hijack cameras, steal credentials, gather victim information, implement keyloggers, take screenshots, and track location. XSScope also facilitates phishing website generation for platforms like Amazon and Steam, website defacement, and DOM manipulation, including link and image changes, clickjacking, and JavaScript execution. |
| 2021-06-30 2021 | Introducing DOM Invader: DOM XSS just got a whole lot easier to find beginner 7 min read Burp | Tool for finding DOM-based XSS vulnerabilities, DOM Invader integrates with Burp Suite Professional and Community Edition. It features an "Augmented DOM" to visualize sources and sinks, simplifying the discovery of XSS flaws as if they were reflected. DOM Invader also aids in testing web-message vulnerabilities by intercepting and allowing manipulation of postMessage data, even spoofing origins and generating proof-of-concept code. → portswigger.net |
| 2021-06-11 2021 | An HTML Injection Worth 600$ Dollars beginner | A security researcher discovered an HTML injection vulnerability, earning a $600 bounty. This vulnerability allowed for the injection of HTML code into a web application, potentially leading to various malicious activities such as cross-site scripting (XSS) attacks or defacement. The discovery and subsequent reporting of this flaw highlight the importance of robust input validation and sanitization to prevent such security risks. |
| 2021-05-31 2021 | All about File upload XSS beginner | File upload XSS vulnerabilities allow attackers to inject malicious JavaScript code into files that are uploaded to a web application. This can lead to various security risks, including session hijacking, data theft, and website defacement. Attackers exploit this by uploading crafted files that, when processed or displayed by the application, execute the embedded script in the user's browser. Proper sanitization and validation of uploaded files are crucial to prevent these attacks. |
| 2021-05-06 2021 | XSS Through Parameter Pollution intermediate API Sec | This content details a cross-site scripting (XSS) vulnerability exploit achieved through parameter pollution. Attackers can leverage the manipulation of parameters within web requests to inject malicious scripts. This technique allows them to bypass certain security filters and execute XSS attacks, potentially leading to data theft or unauthorized actions within the victim's browser session. |
| 2021-05-05 2021 | the XSS Rat intermediate | The "XSS Rat" is a proof-of-concept exploit developed by security researcher "secur3b0t" that demonstrates a cross-site scripting (XSS) vulnerability. This type of vulnerability allows attackers to inject malicious scripts into websites, which can then be executed in the browsers of unsuspecting users. The exploit highlights how sensitive data could potentially be compromised. No bug bounty payout amount is mentioned in the provided content. |
| 2021-04-11 2021 | Digging Deep Into Dom XSS intermediate | The content provided is titled "Digging Deep Into Dom XSS" and only includes an introduction. The introduction likely sets the stage for discussing DOM-based Cross-Site Scripting (XSS) vulnerabilities. This type of vulnerability occurs when client-side scripts manipulate the Document Object Model (DOM) in an insecure way, allowing attackers to inject malicious scripts. The introduction may highlight the importance of understanding and mitigating DOM XSS vulnerabilities to protect web applications from exploitation. |
| 2021-04-07 2021 | The Ultimate Guide to Finding and Escalating XSS Bugs | @Bugcrowd beginner | The content discusses Cross-Site Scripting (XSS), a prevalent vulnerability in web applications where attackers execute JavaScript in users' browsers. XSS severity varies from informative to critical. It is a dynamic bug class with significant implications. → bugcrowd.com |
| 2021-03-07 2021 | GitHub - theinfosecguy/QuickXSS: Automating XSS using Bash intermediate Bug Bounty | Tool for automating XSS discovery, QuickXSS chains `waybackurls`, `gau`, `gf`, and `dalfox`. Installation is available via `pip` or `pipx`, with an optional `quickxss setup --install` command to auto-install dependencies. Users can initiate scans using `quickxss scan -d <domain>`, with options for blind XSS callbacks (`-b`) and custom output filenames (`-o`). The tool also supports Docker builds and integration tests via `pytest`. |
| 2021-02-16 2021 | RenwaX23/XSSTRON: Electron JS Browser To Find XSS Vulnerabilities Automatic intermediate 1 min read | Tool for automatically finding XSS vulnerabilities while browsing. This powerful Chromium browser detects numerous XSS scenarios, including those involving POST requests. Instructions for installation involve cloning the repository, running `npm install`, and then `npm start`. Workarounds are provided for potential issues on Debian/Ubuntu, such as manual Electron installation and sandbox disabling. |
| 2021-02-14 2021 | Stored XSS in icloud.com — $5000 news | The content does not provide any information related to a stored XSS vulnerability on icloud.com or the associated reward of $5000. It simply contains a casual greeting wishing well-being during difficult times. |
| 2021-01-24 2021 | How JavaScript works: 5 types of XSS attacks + tips on preventing them beginner | The content discusses five types of XSS (Cross-Site Scripting) attacks in JavaScript and provides tips on preventing them. It is part of a series exploring JavaScript and its components. The focus is on understanding the vulnerabilities that can be exploited through XSS attacks and offering preventive measures to enhance security. |
| 2020-06-15 2020 | $20000 Facebook DOM XSS : Vinoth Kumar intermediate | The content discusses a Facebook vulnerability related to DOM XSS, discovered by Vinoth Kumar, which could potentially lead to a $20,000 reward. It highlights the safe usage of the window.postMessage() method for cross-origin communication between Window objects. The post encourages further reading on postMessage and cross-domain communication through provided articles. |
| 2020-06-06 2020 | Top 500 Most Important XSS Cheat Sheet for Web Application Pentesting beginner 7 min read | Library of JavaScript payloads and techniques for identifying and exploiting XSS vulnerabilities. This comprehensive cheat sheet details methods for Reflected XSS, Stored XSS, and DOM-Based XSS, including examples targeting various HTML elements, CSS properties, and encoding schemes like x-imap4-modified-utf7 and mac-farsi. It features payloads for `<img>`, `<svg>`, `<math>`, `<object>`, and `<style>` tags, demonstrating bypasses through attribute manipulation, character encoding, and specific browser behaviors. → gbhackers.com |
| 2020-04-06 2020 | Uber Bug Bounty: Turning Self-XSS into Good-XSS – Jack Whitton intermediate 4 min read | Writeup detailing a chained exploit on Uber's Partner portal, transforming a self-XSS vulnerability into a "good-XSS" by combining it with CSRF issues in the OAuth login and logout flows. This technique leverages Content Security Policy (CSP) to control redirects, enabling an attacker to log a victim out of their session, into the attacker's account where the XSS payload executes, and then back into their own account, ultimately granting access to the victim's data. |
| 2020-04-04 2020 | s0md3v/XSStrike: Most advanced XSS scanner. intermediate 2 min read | Library for advanced Cross Site Scripting (XSS) detection. XSStrike features custom parsers, an intelligent payload generator, a powerful fuzzing engine, and a fast crawler. It analyzes responses with multiple parsers to craft guaranteed-to-work payloads by context analysis integrated with its fuzzing engine, and also scans for DOM XSS vulnerabilities. It supports WAF detection and evasion, and leverages Photon, Zetanize, and Arjun. |
| 2020-02-14 2020 | Samesite by Default and What It Means for Bug Bounty Hunters intermediate 4 min read Bug Bounty CSRF | Library of techniques and vulnerabilities impacted by `SameSite=Lax` cookie behavior, which defaults cross-origin requests to not include cookies. This change affects Clickjacking, Cross-Site Script Inclusion (XSSI), JSONP Leaks, Data Exfiltration, XSLeaks, CORS Misconfigurations, Cross-Site WebSocket Hijacking, and XSS when exploiting cross-origin responses. While intended to mitigate CSRF, the `SameSite` default introduces significant challenges for these bug classes. |
| 2020-01-31 2020 | Cross-Site Script Inclusion - A Fameless but Widespread Web Vulnerability C beginner 8 min read | Writeup detailing Cross-Site Script Inclusion (XSSI), a widespread vulnerability often overlooked by standard security checklists. It explains how XSSI exploits the same-origin policy by allowing attackers to include resources cross-domain via script tags, thereby leaking sensitive data like cookies, session IDs, or personal information. The writeup covers identification techniques, exploitation methods for various scenarios including dynamic JavaScript and JSONP, and defensive strategies. It also introduces DetectDynamicJS, a Burp Suite plugin designed to assist testers in discovering these vulnerabilities by comparing script files with and without authentication cookies. |
| 2020-01-30 2020 | https://sametsahin.net/posts/steal-csrf-tokens-with-simple-xss/ intermediate 2 min read | Writeup details how a Cross-Site Scripting (XSS) vulnerability can be exploited to steal CSRF tokens, bypassing protections like HTTPOnly cookies. The technique involves crafting a malicious script that targets specific JavaScript variables holding sensitive session information, effectively demonstrating a common web application attack vector. |
| 2019-10-07 2019 | What is cross-site scripting (XSS) and how to prevent it? beginner 8 min read | Guide to cross-site scripting (XSS) vulnerabilities, detailing how attackers can compromise user interactions by injecting malicious JavaScript. It explains the mechanisms and impact of Reflected XSS, Stored XSS, and DOM-based XSS, and outlines methods for detection and prevention, including the use of Burp Suite and specific proof-of-concept payloads like `alert()` and `print()`. → portswigger.net |
| 2019-09-15 2019 | Cross-site scripting - Wikipedia beginner 15 min read | Library detailing Cross-site scripting (XSS) vulnerabilities, a common web application flaw where attackers inject client-side scripts into web pages. This allows bypassing security measures like the same-origin policy and can lead to session cookie theft and sensitive data access. The library covers non-persistent (reflected) and persistent (stored) XSS types, including examples like search engine injection and dating profile exploits, and touches upon DOM-based XSS. |
| 2019-09-11 2019 | XSS Hunter beginner | The content provided is simply the title "XSS Hunter." It appears to be a reference to a tool or concept related to Cross-Site Scripting (XSS) security testing. XSS Hunter is likely a tool used for detecting and testing XSS vulnerabilities in web applications. The tool may help security professionals identify and mitigate potential security risks related to XSS attacks. |
| 2019-09-11 2019 | The misunderstood X-XSS-Protection intermediate | The content appears to be about the X-XSS-Protection header, a security measure designed to prevent cross-site scripting attacks. It seems to suggest that this security feature may be misunderstood or underutilized. The header helps protect websites by blocking malicious scripts from being executed in the user's browser. It is important for web developers to properly configure and implement this security measure to enhance the security of their websites and protect users from potential vulnerabilities. |
| 2019-08-28 2019 | GitHub - hakluke/weaponised-XSS-payloads: XSS payloads designed to turn alert(1) into P1 intermediate 1 min read | Library of weaponized XSS payloads designed to elevate basic XSS vulnerabilities to critical impact, such as account takeover. These JavaScript files, loadable via script tags, perform sensitive functions within victim browsers on popular CMS platforms. The repository, inspired by techniques for upgrading XSS bugs from medium to critical, includes examples for direct inclusion or PHP hosting with the correct `Content-Type` header. |
| 2019-07-31 2019 | Cross Site Scripting (XSS) - Payload Generator | Nettitude Labs intermediate 4 min read | Tool for generating Cross-Site Scripting (XSS) payloads, designed to bypass output encoding and character blacklisting filters. It supports obfuscation techniques such as `eval()`, Base64, reverse strings, `String.fromCharCode()`, and hex codes. The generator also offers various injection types, including standard element attribute breakouts and specialized payloads like 0xsobky's XSS polyglot, assisting pentesters in more complex XSS scenarios and blind XSS testing. |
| 2019-05-19 2019 | XSSed my way to 1000$ | I'm Gaurav Narwani intermediate 3 min read | Writeup detailing a Synack bug bounty case study involving a reflected XSS filter bypass. The author walks through several attempts to exploit a parameter reflected within a script tag, overcoming filters for `<`, `"`, and `>` symbols. The successful payload utilized a newline character (`%0A`) and an `else` block to bypass the application's conditional logic, ultimately triggering an `alert('XSS')` and earning a $1000 bounty. |
| 2019-01-15 2019 | Excess XSS: A comprehensive tutorial on cross-site scripting beginner 21 min read | Tutorial on Cross-Site Scripting (XSS) vulnerabilities, explaining how attackers exploit websites to inject malicious JavaScript into user browsers. It details three types of XSS attacks: Persistent XSS, where malicious strings are stored in the database; Reflected XSS, where strings originate from user requests; and DOM-based XSS, with vulnerabilities in client-side code. The tutorial illustrates how attackers can steal cookies using `document.cookie`, record keystrokes with `addEventListener`, or trick users with fake login forms via DOM manipulation. |
| 2018-12-31 2018 | foospidy/payloads: Git All the Payloads! A collection of web attack payload intermediate 2 min read | Library for aggregating web attack payloads, including XSS vectors, SQL injection payloads, path traversal, and command injection. It consolidates resources from various sources like SecLists, fuzzdb, and specific CTF event logs, facilitating easier access to a wide array of attack techniques. The `get.sh` script can be used to download and decompress external payload files. |
| 2018-09-15 2018 | Into the Borg – SSRF inside Google production network | OpnSec intermediate SSRF | The content discusses a security researcher's findings of a Cross-Site Scripting (XSS) vulnerability in Google Caja, a tool for embedding code securely. The researcher reported the XSS in March 2018, and it was fixed by Google in May 2018. The article likely delves into the details of the vulnerability, its impact, and the process of reporting and fixing it within Google's production network. |
| 2018-08-14 2018 | Unleashing an Ultimate XSS Polyglot · 0xSobky/HackVault Wiki intermediate 2 min read | Polyglot is a technique for crafting cross-site scripting (XSS) payloads that execute across various injection contexts without modification. This resource details an ultimate XSS polyglot, demonstrating its effectiveness within double-quoted, single-quoted, and unquoted tag attributes, as well as within HTML comments, common HTML tags like `<svg>` and `<iframe>`, JavaScript strings, and event handlers. The polyglot utilizes clever syntax, including multi-line comments and URI schemes, to bypass common filter bypasses like `preg_replace('/\b(?:javascript:|on\w+=)/', '', PAYLOAD)`. |
| 2018-08-13 2018 | XSS Payloads beginner | The content provided is concise and simply states "XSS Payloads." This likely refers to a topic related to Cross-Site Scripting (XSS) attacks, where malicious code is injected into a website to exploit vulnerabilities. XSS payloads are the specific scripts or code used in these attacks. The summary suggests a focus on understanding and potentially mitigating XSS vulnerabilities by studying and being aware of common XSS payloads. |
| 2018-07-30 2018 | The Real Impact of Cross-Site Scripting | Dionach intermediate 7 min read | Library of techniques for weaponizing Cross-Site Scripting (XSS) vulnerabilities, demonstrating practical attack vectors. This library details how XSS can lead to account hijacking via session cookie theft, credential harvesting by serving fake login pages, and sensitive data exfiltration or unauthorized operations like fund transfers. It also covers drive-by downloads using frameworks like BeEF and OWASP Xenotix, keylogger implementation, and port scanning against internal networks, all leveraging XSS flaws in applications like OWASP Broken Web Applications' Cyclone. |
| 2018-07-30 2018 | Cross site scripting XSS beginner | Cross-Site Scripting (XSS) is a security vulnerability where attackers inject malicious scripts into web pages viewed by other users. This can lead to theft of sensitive data, session hijacking, or defacement of websites. XSS attacks can be stored, reflected, or DOM-based. Prevention methods include input validation, output encoding, and implementing Content Security Policy (CSP). Regular security audits and staying updated on security best practices are crucial to protect against XSS attacks. → slideshare.net |
| 2018-07-30 2018 | Cross Site Scripting ( XSS) beginner 6 min read | Talk on Cross-Site Scripting (XSS) vulnerabilities, detailing how attackers inject client-side code to steal cookies, access private information, or perform actions on behalf of users. It categorizes XSS into non-persistent, persistent, and DOM-based attacks and emphasizes server-side validation, sanitization, and output escaping as primary prevention methods. The talk also mentions web vulnerability scanners like Burp Suite for testing XSS flaws. → slideshare.net |
| 2018-07-15 2018 | [HTML] 666 lines of XSS vectors, suitable for attacking an API - Pastebin.c intermediate 11 min read | Library containing 666 XSS vectors, including many variations using encoded characters and different HTML elements like `<script>`, `<img>`, `<audio>`, `<video>`, `<body>`, `<svg>`, `<iframe>`, and others with various event handlers. The vectors target common injection points and bypass techniques suitable for testing API and web application security. |
| 2018-07-03 2018 | Reflected Client XSS at Amazon.com intermediate | A bug at Amazon.com enables the theft of cookies from all Amazon domains, potentially redirecting visitors to a phishing login page. This reflected client XSS vulnerability poses a serious security risk by allowing unauthorized access to user data. |
| 2018-06-27 2018 | Reflected XSS on Stack Overflow intermediate | The content discusses a Reflected XSS vulnerability discovered on Stack Overflow by @newp_th. This type of vulnerability occurs when user input is not properly sanitized and allows malicious scripts to be executed in a victim's browser. It is important for websites to implement proper input validation and output encoding to prevent such attacks. |
| 2018-06-26 2018 | How to identify whether XSS is reflected or DOM based? intermediate | The content provided is a title mentioning how to distinguish between reflected XSS and DOM-based XSS. It appears to be a Reddit post with 5 votes and 4 comments, but the actual details or methods for identifying the two types of XSS attacks are not included in the summary. |
| 2018-06-26 2018 | DOM XSS Intro beginner | The post titled "DOM XSS Intro" on Reddit has received 7 votes and 1 comment. It likely introduces readers to the concept of DOM-based Cross-Site Scripting (XSS), a type of security vulnerability. The post may provide information or discussion on how this vulnerability can be exploited in web applications. |
| 2018-06-26 2018 | Reflected XSS via AngularJS Template Injection | Hostinger intermediate | The content is about a potential security vulnerability called Reflected XSS via AngularJS Template Injection. It seems to be a post on Reddit with 5 votes and 2 comments. The main focus is likely on discussing the risks and implications of this type of security issue within AngularJS applications. |
| 2018-06-26 2018 | How I Found Stored XSS in Yahoo! intermediate | The content titled "How I Found Stored XSS in Yahoo!" has garnered 17 votes and 4 comments on Reddit. |
| 2018-06-26 2018 | What is XSS? Cross-site Scripting Explained beginner | The content is a Reddit post titled "What is XSS? Cross-site Scripting Explained" with 5 votes and 0 comments. It likely discusses the concept of Cross-site Scripting (XSS), a type of security vulnerability where attackers inject malicious scripts into web pages viewed by other users. The post may explain how XSS works, its impact on web security, and ways to prevent it. |
| 2018-06-26 2018 | Self-XSS + CSRF to Stored XSS intermediate CSRF | Renwa from Kurdistan is excited to share their first write-up on infosec and Bugbounties. |
| 2018-06-26 2018 | The story behined the Strong XSS filter bypass! intermediate | The content provided is a title mentioning a strong XSS filter bypass. However, the content is incomplete as it only includes a greeting "Hi All" without any further information or details about the bypass. |
| 2018-06-26 2018 | Demonstrating Reflected versus DOM Based XSS intermediate 7 min read | Tool demonstrating DOM-based XSS using OWASP Juice Shop, contrasting its exploitation with reflected XSS in Altoro Mutual. The resource provides a malicious server for proof-of-concept cookie theft and password recovery via JWT decoding and MD5 hashing. It highlights how DOM-based XSS bypasses browser and proxy protections, making it a more potent threat than reflected XSS for practical demonstrations. |
| 2018-06-15 2018 | How i converted SSRF TO XSS in jira. intermediate SSRF | The content discusses the author's interest in Bug Bounty programs, particularly focusing on finding security vulnerabilities like Server-Side Request Forgery (SSRF) and Cross-Site Scripting (XSS) in Jira. The author highlights their dedication to discovering new and intriguing vulnerabilities, continuously improving their reconnaissance skills. The main focus is on converting an SSRF vulnerability into an XSS vulnerability within the Jira platform. |
| 2018-06-14 2018 | Respect XSS beginner 4 min read | Writeup detailing a cross-site scripting (XSS) vulnerability in Microsoft SharePoint, affecting both on-premises and online versions. The flaw leverages the "Follow Site" feature, where the `SiteName` GET parameter is reflected in JavaScript without proper encoding, allowing for payloads like `-confirm(document.domain)-`. This vulnerability was reported to Microsoft and resulted in a $2500 bounty. The writeup includes examples of vulnerable URLs and suggests Google dorking for identification. |
| 2018-06-13 2018 | How I found a stored XSS on thousands of webshops intermediate | The content discusses the discovery of a stored XSS vulnerability affecting thousands of webshops, which remains unresolved. |
| 2018-06-08 2018 | XSS using meta Tags intermediate | The content mentions an invitation to join a social platform that allows users to earn money by engaging with posts. |
| 2018-06-08 2018 | DEV XSS Protection bypass made my quickest bounty ever!! intermediate | Yeasir Arafat shares about a successful XSS attack that led to his quickest bounty ever. He highlights the importance of sharing knowledge and experiences in the cybersecurity community. |
| 2018-06-07 2018 | Paulos Yibelo - Blog: THE BIG BAD WOLF - XSS AND MAINTAINING ACCESS intermediate 5 min read | Writeup exploring advanced XSS techniques beyond cookie theft, demonstrating how to maintain access and achieve lateral movement. It details exploiting application features like OAuth integrations and the Facebook Graph API Explorer to gain persistent, high-privilege access, even against targets with strong security mitigations like HTTPOnly cookies and CSP. The article highlights common web application misconfigurations that empower client-side attacks, including issues with password resets, session fixation, and service workers, and discusses how blind XSS can lead to RCE. |
| 2018-06-06 2018 | UltimateHackers/XSStrike: XSS Scanner equipped with powerful fuzzing engine intermediate 2 min read | Library for detecting Cross Site Scripting (XSS) vulnerabilities. XSStrike features four parsers, an intelligent payload generator, a powerful fuzzing engine, and a fast crawler. It analyzes responses and crafts payloads based on context analysis and fuzzing, going beyond simple injection. Capabilities include reflected and DOM XSS scanning, WAF detection and evasion, and scanning for outdated JavaScript libraries. It integrates with tools like Photon, Zetanize, and Arjun. |
| 2018-06-05 2018 | Blind XSS for beginners beginner | The content discusses Blind XSS for beginners, addressing common questions like tool recommendations, registering in XSShunter, and techniques for exploitation. It highlights the interest in Blind XSS and the need for guidance on tools and procedures. |
| 2018-05-28 2018 | Blind XSS for beginners beginner | The content discusses Blind XSS for beginners, addressing common questions about tools, registration on XSShunter, and techniques like payload spraying. It highlights the interest and inquiries received via Twitter on these topics. |
| 2018-05-26 2018 | https://medium.com/bugbountywriteup/file-upload-xss-patched-83ea55bb9a55?source=userActivityShare-90814179aa21-1527302452 intermediate | The content discusses a bug bounty write-up detailing a file upload XSS vulnerability that was successfully patched. The author describes the discovery of the vulnerability, the impact it could have had, and the steps taken to responsibly disclose it to the affected party. The post highlights the importance of thorough security testing and responsible disclosure in the bug bounty community. |
| 2018-05-19 2018 | 900$ XSS in yahoo ( Recon Wins ) news | The content provided is too brief to summarize as it only includes a greeting without any additional information or context. |
| 2018-05-17 2018 | 7500$ worth DOM XSS in Facebook Mobile Site – Johns Simon – Medium intermediate | The content discusses a security researcher discovering a $7500 worth DOM-based Cross-Site Scripting (XSS) vulnerability in Facebook's mobile site while targeting Adobe's website for vulnerabilities. The researcher found that Adobe was using Facebook and Gmail logins for sign-ins, leading to the discovery of the XSS flaw. This vulnerability could potentially allow attackers to execute malicious scripts on the site. |
| 2018-05-07 2018 | XSS (Cross Site Scripting) Prevention Cheat Sheet - OWASP beginner 18 min read | Reference for preventing XSS vulnerabilities, this cheat sheet details crucial defense techniques including output encoding and HTML sanitization. It addresses specific framework gaps in React, Angular, and others, emphasizing the importance of understanding framework behaviors and potential escape hatches like `dangerouslySetInnerHTML` and `bypassSecurityTrustAs*`. The document covers context-specific encoding for HTML, HTML attributes, JavaScript (using `\xHH` format), CSS (within property values), and URLs (using `%HH` format), recommending safe sinks like `.textContent`, `.setAttribute`, and `style.property = x` when applicable. → owasp.org |
| 2018-04-30 2018 | Steal CSRF/Auth/Unique key Header with XSS intermediate CSRF | The content is about stealing CSRF, authentication, or unique key headers using Cross-Site Scripting (XSS) attacks. It suggests a method to exploit vulnerabilities in web applications by injecting malicious scripts to intercept sensitive information. This technique allows attackers to bypass security measures and gain unauthorized access to user data or perform malicious actions. It highlights the importance of protecting against XSS attacks to safeguard sensitive information and prevent unauthorized access to web applications. |
| 2017-12-12 2017 | How to Write an XSS Cookie Stealer in JavaScript to Steal Passwords « Null intermediate 8 min read | Library for creating XSS cookie stealers in JavaScript. This guide details constructing a script that injects JavaScript into a webpage to capture user cookies containing credentials. It demonstrates embedding JavaScript within HTML and using PHP on a controlled server to receive and log stolen cookie data, with a PHP test server setup for local verification. → null-byte.wonderhowto.com |
| 2017-12-02 2017 | Sniping Insecure Cookies with XSS intermediate 10 min read | Writeup details how insecure cookie flags (missing `HttpOnly` and `Secure`) coupled with a Cross-Site Scripting (XSS) vulnerability on an accounting web application allowed for the theft of JWT session tokens. The analysis demonstrates that once captured via JavaScript, these tokens, sent in custom `X-AUTH-TOKEN` headers, could be used to impersonate users, including administrators, due to the JWT's structure and the lack of a server-side token invalidation mechanism. |
| 2017-12-02 2017 | bypassing htmlentities() - Paulos Yibelo - Blog intermediate | The content provided is a title mentioning bypassing htmlentities() by Paulos Yibelo on a blog. The title suggests that the blog post likely discusses a method or technique related to bypassing the htmlentities() function. It hints at a potential security or coding topic where the author may be sharing insights on how to circumvent or work around the htmlentities() function in web development or programming. |
| 2017-06-20 2017 | XSSer automated framework to detect, exploit and report XSS vulnerabilities beginner 1 min read | Framework for detecting, exploiting, and reporting XSS vulnerabilities in web applications. XSSer automates injections using GET and POST methods, supports various filters and bypass techniques, and offers both command-line and GUI interfaces. It can leverage TOR proxies and provides detailed attack statistics. Key features include injection with automatic payloads, reverse connection checks, heuristic parameter filtering, and DOM shadow injection. → gbhackers.com |
| 2017-04-08 2017 | XSSight - Automated XSS Scanner And Payload Injector - GBHackers On Securit beginner 1 min read | Library for automated Cross-Site Scripting (XSS) scanning and payload injection, XSSight, assists in detecting vulnerabilities like Reflected XSS, Stored XSS, and DOM-Based XSS. The tool injects common XSS characters and analyzes website source code to identify weaknesses. It also allows for payload testing to confirm exploitability and suggests defenses such as input validation and context-aware encoding. → gbhackers.com |
| 2017-03-31 2017 | HTML5 Security Cheatsheet beginner | The content provided is a title mentioning an "HTML5 Security Cheatsheet." It suggests that there may be a resource or guide available that focuses on security considerations specific to HTML5. The title implies that the cheatsheet may contain essential information, tips, or best practices related to securing HTML5 applications or websites. |
| 2017-03-07 2017 | How I Stole Plunker Session Tokens With Angular Expressions intermediate 7 min read | Writeup detailing an Angular Expression Injection vulnerability in Plunker, where user input in the description field was evaluated by AngularJS. This allowed attackers to craft malicious expressions that could steal session IDs by redirecting requests to a custom endpoint containing the ID. The vulnerability was exploited by manipulating the `session.activeBuffer.content` to embed an `<img>` tag with the session ID as a URL parameter, effectively exfiltrating the token. Plunker fixed the issue by adding the `ng-non-bindable` directive to prevent expression evaluation. |
| 2017-03-07 2017 | XSS without HTML: Client-Side Template Injection with AngularJS : netsec intermediate | The Reddit post titled "XSS without HTML: Client-Side Template Injection with AngularJS" in the netsec subreddit has garnered 177 votes and 10 comments. The post likely discusses a security vulnerability related to AngularJS that allows for client-side template injection without the use of HTML, potentially leading to cross-site scripting (XSS) attacks. The content appears to be focused on raising awareness about this security issue within the AngularJS framework. |
| 2017-03-07 2017 | Angular Template Injection Payloads intermediate | Library of Angular template injection payloads, including techniques for exploiting versions 1.3.0 through 1.6.0. This resource details payloads utilizing JavaScript and SVG for code execution, such as `{{constructor.constructor('alert(1)')()}}`, `{{7*7}}`, and SVG `<animate>` tags with `javascript:alert(1)`. It also references specific Angular issues like #14939 and #11290. |
| 2017-03-07 2017 | PortSwigger Web Security Blog: Adapting AngularJS Payloads to Exploit Real intermediate 3 min read | Writeup detailing techniques for adapting AngularJS template injection payloads to bypass filtering and encoding, specifically targeting Piwik and Uber. The article demonstrates exploiting Piwik's handling of referral queries and Uber's documentation site, showcasing payload adaptations using Unicode escapes, `concat` instead of `valueOf`, string manipulation via `toString` and array joins, and exploiting JavaScript sandbox limitations. It highlights successful exploitation against AngularJS versions 1.2.26 and 1.2.0, noting rapid patching by Uber. |
| 2017-03-07 2017 | PortSwigger Web Security Blog: XSS without HTML: Client-Side Template Injec intermediate 11 min read | Library for detecting and exploiting Angular Template Injection vulnerabilities in AngularJS applications. It details how naive usage of the popular JavaScript framework can lead to Cross-Site Scripting (XSS) by enabling the execution of Angular expressions. The library covers the development of a sandbox escape technique, specifically for Angular versions 1.3.1+ and 1.4.0+, by backdooring the `String.fromCharCode` function using `Array.prototype.join` to inject arbitrary JavaScript, including a demonstration of bypassing the Angular sanitizer. |
| 2017-03-07 2017 | ng-owasp: OWASP Top 10 for AngularJS Applications intermediate | The content discusses the OWASP Top 10, a list of critical web application security risks, and how they apply to AngularJS applications. It explores security vulnerabilities specific to AngularJS, aiming to address and mitigate these risks. The focus is on understanding and implementing security measures to protect AngularJS applications from potential threats outlined in the OWASP Top 10 list. → slideshare.net |
| 2016-05-19 2016 | What is Cross-site Scripting and How Can You Fix it? beginner 9 min read | Library summarizing Cross-Site Scripting (XSS) vulnerabilities, detailing common attack vectors like stored, reflected, and DOM-based XSS. It explains how unsanitized user input leads to JavaScript injection, enabling attackers to steal session cookies, deface websites, and perform actions like phishing and identity theft through techniques like payload injection via script tags and redirecting users to malicious URLs. → acunetix.com |
| 2016-02-10 2016 | Preventing XSS Attacks in ASP.NET MVC using ValidateInput and AllowHTML - C intermediate | The blog discusses preventing XSS (Cross Site Security) attacks in ASP.NET MVC by utilizing ValidateInput and AllowHTML features. It aims to provide insights on how to enhance security measures to mitigate XSS vulnerabilities in ASP.NET MVC applications. |
Frequently Asked Questions
- What are the three types of XSS?
- The three main types are Reflected XSS (payload delivered via a URL and immediately reflected in the response), Stored XSS (payload persisted in the application database and served to other users), and DOM-based XSS (payload executed entirely in the browser via client-side JavaScript without a server round-trip).
- How do you prevent cross-site scripting?
- Key defenses include output encoding (HTML, JavaScript, URL, and CSS contexts), Content Security Policy (CSP) headers, using frameworks that auto-escape by default (React, Angular), input validation, and the HttpOnly flag on session cookies to limit the impact of successful attacks.
- Why is XSS still so common?
- XSS persists because web applications have many injection points (URL parameters, form fields, headers, file uploads), developers must encode output correctly for every context, and modern JavaScript frameworks can be bypassed through dangerouslySetInnerHTML, template injection, or prototype pollution.
Weekly AppSec Digest
Get new resources delivered every Monday.