Advanced CORS exploitation techniques demonstrating two real-world cases: chaining XSS vulnerabilities with CORS misconfigurations to leak sensitive data, and bypassing CORS origin validation using special characters in domain names (particularly in Safari) to exploit wildcard subdomain whitelisting. The second technique leverages browser inconsistencies in domain validation to craft malicious origins like 'zzzz.ubnt.com=.evil.com' that pass CORS checks while resolving to attacker-controlled domains.
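The origin-validation gap described above, seen from the server side, as an added example that is not code from the write-up or the affected site. The weak pattern is an assumed stand-in for a wildcard-subdomain check, and the function names (`weakOriginCheck`, `strictOriginCheck`, `corsHeaders`, `compare`) are hypothetical.

```javascript
// Added example: constructed allowlist logic, not code from the affected site.
const TRUSTED_APEX = 'ubnt.com'; // domain named in the summary above

// Assumed weak pattern: no end anchor, so anything may follow "ubnt.com".
function weakOriginCheck(origin) {
  return /^https?:\/\/([a-z0-9-]+\.)*ubnt\.com/i.test(origin);
}

// A DNS label: letters, digits, inner hyphens only. Rejects "=", "_", "!" etc.
const LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Strict check: https only, whole string consumed, every label validated,
// then an exact or dot-delimited suffix comparison against the trusted apex.
function strictOriginCheck(origin) {
  if (typeof origin !== 'string') return false;
  const m = /^https:\/\/([^/:?#@]+)(?::\d{1,5})?$/.exec(origin);
  if (!m) return false;
  const host = m[1].toLowerCase();
  if (host.length > 253) return false;
  if (!host.split('.').every((label) => LABEL.test(label))) return false;
  return host === TRUSTED_APEX || host.endsWith('.' + TRUSTED_APEX);
}

// Build response headers; the origin is reflected only when the check passes.
function corsHeaders(origin, check) {
  const headers = { Vary: 'Origin' };
  if (check(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Constructed sample origins (the second is the one quoted above).
const SAMPLES = [
  'https://account.ubnt.com',
  'https://zzzz.ubnt.com=.evil.com',
  'https://ubnt.com.evil.com',
  'http://ubnt.com',
];

function compare(origins) {
  return origins.map((o) => ({
    origin: o, weak: weakOriginCheck(o), strict: strictOriginCheck(o),
  }));
}

console.table(compare(SAMPLES));
```

The strict check does not depend on how any browser or URL parser treats special characters in a host name: it rejects every label containing anything outside letters, digits and inner hyphens before the suffix comparison runs.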
Reflected XSS vulnerability in Google Code Jam's scoreboard page that fires in toast messages, exploitable in browsers without CSP support (e.g., IE), allowing attackers to hijack victim accounts and modify profile information through DOM manipulation.