Best Quality
0 6/10

A clickjacking vulnerability in Facebook's AJAX endpoint (/ajax/home/generic.php) allowed attackers to iframe a resource lacking X-Frame-Options headers and submit forms to trick victims into adding the attacker to secret groups or performing other unwanted actions on Facebook resources.

Facebook Mohamed A. Baset Seekurity
seekurity.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10

A bug bounty researcher discovered an LDAP injection vulnerability in a registration form while attempting blind XSS exploitation. The server was passing unsanitized user input directly to LDAP directory operations, which was revealed through error messages about invalid directory pathnames.

XSS Hunter The WebApplication Hacker's Handbook Davide Tampellini
nc-lp.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10

A CSRF vulnerability in Microsoft's Service Trust Portal allowed unauthorized addition of user roles due to missing CSRF token validation on the AddUserRole endpoint. The researcher successfully exploited this to add users with arbitrary roles and received a $500 bounty.

Microsoft Service Trust Portal Adesh Kolte SecureLayer7 Microsoft Security Response Center
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10

A security researcher exploited missing X-FRAME-OPTIONS headers on API endpoints that exposed sensitive user data (credit card, email, address) by creating a clickjacking attack that tricked users into copying and pasting API responses via an invisible iframe, earning $1800 in bug bounty rewards.

Osama Avvan Bugcrowd
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10

A CSRF bypass technique that chains cross-frame scripting with CSRF by exploiting a server behavior where removing the CSRF token from a request causes the server to echo back form values with a new valid token, which can then be submitted via clickjacking to execute unauthorized actions.

HackerOne Burp Suite
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10

A DOM-based XSS vulnerability in a Cloudflare-protected login page where a reflected error message parameter is directly inserted into JavaScript without filtering, allowing attackers to bypass the WAF by breaking out of a JavaScript alert() function context and executing arbitrary code.

Cloudflare KatsuragiCSL
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10

A researcher discovered a reflected XSS vulnerability in a dynamically generated JavaScript file endpoint that accepted unsanitized user input via a 'cb' parameter, allowing arbitrary JavaScript execution through JSONP-style callback injection combined with missing X-Content-Type-Sniffing headers.

Arbaz Hussain parameth
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10

CVE-2017-10711 is a reflected XSS vulnerability in SimpleRisk's password reset form where the 'user' parameter is echoed directly without sanitization, allowing attackers to execute arbitrary JavaScript and potentially hijack user sessions through POST-based CSRF attacks.

CVE-2017-10711 SimpleRisk Mohamed A. Baset reset.php Mozilla Public License
seekurity.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10

A researcher demonstrated escalating a Self-XSS vulnerability to a functional XSS attack against other users by combining it with a missing X-Frame-Options header, enabling clickjacking to trick users into executing the malicious payload.

HackerOne Arbaz Hussain
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10
vulnerability

A reflected XSS vulnerability was discovered in Google Code Jam's scoreboard that executes in toast messages, exploitable via URL parameter injection. The vulnerability could be leveraged to hijack victim accounts and modify profile information, though CSP mitigations limited exploitation to legacy browsers like IE.

Google Code Jam Thomas Orlita gstatic.com CVE (not specified)
websecblog.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10
vulnerability

A reflected XSS vulnerability was discovered in Microsoft Dynamics 365 where the "Personal Document Template: Information" page failed to properly encode user First Name and Last Name fields, allowing attackers to inject JavaScript payloads via the Application User profile. The vulnerability was patched by Microsoft on October 18, 2018.

Microsoft Dynamics 365 Microsoft Security Response Center Tim Kent Azure AD
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10

A reflected XSS vulnerability was discovered in AMP iframe redirect endpoints across multiple companies (Shopify, Canva, Yelp, Western Union, Cuvva) by bypassing Content Security Policy using JavaScript injection via the redirect_strategy parameter.

Ali TÜTÜNCÜ Shopify Canva Yelp Western Union Cuvva
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10

An authenticated XSS vulnerability in the Ghost CMS API endpoint /ghost/api/v0.1/settings/ via PUT requests affecting the logo, cover_image, ghost_head, and ghost_foot parameters. While it requires admin/owner privileges and is limited by CORS/SOP in real-world scenarios, the vulnerability persists across multiple versions and was a rediscovery of a previously reported issue.

Ghost VoidSec SANS Holiday Hack Challenge KringleCon
itsecguy.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10

A reflected XSS vulnerability was discovered in Zomato's OAuth2 authentication flow via the secretx.zomato.com subdomain, where an unsanitized parameter reflected attacker input. The vulnerability was exploited using a <marquee> tag payload combined with Unicode encoding (co\u006efirm) to bypass WAF filtering on JavaScript functions, ultimately earning a $250 bounty.

Zomato HackerOne Hydra secretx.zomato.com auth2.zomato.com Sudhanshu Rajbhar Prateek Tiwari s0md3v
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10
vulnerability

Facebook's badges profile page was vulnerable to stored XSS on the layout parameter, which was unsanitized and saved directly to the database before being rendered in HTML class attributes. Although impact was limited by CSRF token protection and low user exposure, the vulnerability could force authenticated actions or extract private data.

Facebook Mark Zuckerberg
buer.haus · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10

A bug bounty researcher found two reflected XSS vulnerabilities on PornHub Premium within 20 minutes: one in a redeem code parameter that bypassed validation using a 'PAYLOAD STACK' prefix trick, and another in the compliancePop URL parameter that only appeared to new users. Both were quickly triaged and patched.

PornHub Jon (researcher) OWASP Reddit
jonbottarini.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10

A researcher bypassed Imgur's XSS protection on the album description feature by nesting script tags within event handler attributes (e.g., `<svg/on<script>load=prompt(document.domain)>`) to evade tag-stripping filters, allowing stored XSS execution.

imgur.com Armaan Pathan HackerOne
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10

Three XSS vulnerabilities were discovered in ProtonMail's iOS app affecting different origins (applewebdata, data, and javascript URIs) with various payloads, including SVG onload handlers and embedded base64-encoded HTML, enabling JavaScript execution and potential phishing attacks through email messages.

ProtonMail Vladimir Metnew DOMPurify Cure53 CVE-2016-1764 Anatoly Andy Yen Safiler WebKit
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10

A reflected XSS vulnerability was discovered in Google's Apigee password reset endpoint, where the user-supplied token parameter was not properly sanitized, allowing attackers to inject malicious scripts to steal user session cookies.

Google Apigee TnMch Burp Suite RequestBin
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10
vulnerability

A stored XSS vulnerability was discovered on Edmodo's library feature where folder names were not properly sanitized on a specific endpoint, allowing an attacker to inject malicious JavaScript payloads that execute when the folder URL is accessed.

Edmodo Rohit Verma
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10

A researcher escalated a P5 email verification race condition vulnerability to a P2 blind XSS by chaining it with a profile display feature that revealed unverified emails to administrators, ultimately achieving session hijacking and a $1000+ bounty.

Mohamed Daher Bugcrowd xsshunter.com Burp
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10

A stored XSS vulnerability was discovered in Zendesk's macro feature by exploiting the macro description field, coupled with a WAF bypass technique that involves submitting benign content initially and injecting the payload during subsequent edits when WAF validation is less stringent.

Zendesk Hariharan S P5YCH0
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10

A researcher discovered a Self XSS vulnerability in a group creation dialog box that could be escalated to a stored XSS affecting other users by combining it with a CSRF attack against an unprotected group creation endpoint, allowing arbitrary XSS execution when a victim visited a malicious link.

Abhishek
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10

A researcher exploited a blind XSS vulnerability in a backend portal by iteratively bypassing WAF filters through payload modification, ultimately achieving code execution and cookie exfiltration using an img tag with an onload handler that sends document.cookie to a logging endpoint.

blindf.com Dirtycoder
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10

An XSS vulnerability in the Avast/AVG antivirus firewall notification feature reflects unsanitized SSID names, allowing attackers to execute arbitrary JavaScript via crafted wireless network SSIDs. The vulnerability affects Avast Internet Security v19.3.2369+ and AVG Internet Security v19.3.3084+ on Windows, and was rewarded with a $5,000 bounty.

CVE-2019-18653 CVE-2019-18654 Avast AVG AntiVirus YoKo Kho BruteLogic s0md3v Deral Heiland BlackHat Europe 2013
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10
bug-bounty

Three case studies of reflected XSS vulnerabilities discovered on Synack: (1) XSS via javascript: protocol in a referrer parameter, (2) XSS via improper output encoding in account details form fields, and (3) XSS via unfiltered email parameter in password recovery page. Each demonstrates different exploitation vectors and input validation bypasses.

Gaurav Narwani Synack example.com brutelogic _zulln
gauravnarwani.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10

A researcher discovered multiple stored and blind XSS vulnerabilities in Skype subdomains via unsanitized group names, enabling account takeover and credential theft across manager.skype.com and secure.skype.com through group invitation mechanics.

Jayateertha Guruprasad Microsoft skype.com manager.skype.com secure.skype.com xsshunter [email protected]
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10
bug-bounty

A researcher discovered a bug chain combining Self Stored XSS with IDOR to achieve arbitrary XSS execution: by injecting XSS payloads into supplier names via IDOR on other users' requests (using predictable incremental IDs), the payload executes when target users delete the malicious supplier entry.

footstep.ninja · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10

A researcher discovered how to escalate a self-XSS vulnerability in a wallet transfer function into a reflected XSS by encoding the payload as a QR code, bypassing the plaintext visibility constraint and enabling exploitation of other users.

HackerOne Hein Thant Zin
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details
0 6/10
bug-bounty

A DOM XSS vulnerability arising from unsafe use of location.pathname in AJAX requests, where an attacker can supply a protocol-relative URL (//attacker.com) to redirect the AJAX call to a malicious domain and inject arbitrary JavaScript into the page.

DOM XSS AJAX location.pathname
jinone.github.io · devanshbatham/Awesome-Bugbounty-Writeups · 11 hours ago · details