bug-bounty

0 3/10

A researcher discovered a reflected XSS vulnerability in a login redirect parameter that could be used to steal user credentials by injecting malicious JavaScript that extracts the email and password field values. The attack chained an open-redirect vulnerability with XSS to trick victims into executing credential-stealing payloads.

HackerOne mehulpanchal007
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0 5/10
vulnerability

A stored XSS vulnerability was discovered on Edmodo's library feature where folder names were not properly sanitized, allowing an attacker to inject malicious JavaScript payloads that execute when the folder is accessed.

Edmodo Rohit Verma
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0 5/10

A reflected XSS vulnerability was found in eBay's search parameter (LH_SpecificSeller) in 2013. It bypassed character filtering by using CSS expression payloads within a hidden span, and was exploitable only in Internet Explorer because of its CSS expression support.

eBay Sukhmeet Singh Internet Explorer
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0 3/10

A stored XSS vulnerability was discovered on Microsoft's TechProfile platform where unsanitized user input in profile fields could execute arbitrary JavaScript in victims' browsers, potentially leading to account takeover and privilege escalation. The vulnerability was reported on April 28, 2019 and patched by May 8, 2019.

Mohammad Ali Syarief Microsoft Learn techprofile.microsoft.com OTG-INPVAL-002
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0 6/10

A researcher discovered multiple stored and blind XSS vulnerabilities in Skype's management interface (manager.skype.com and secure.skype.com) via unsanitized group_name parameters. By making users group admins or sending malicious invite links, attackers could execute JavaScript to steal cookies, device information, and IP addresses, leading to potential account takeover.

Jayateertha Guruprasad manager.skype.com secure.skype.com Microsoft xsshunter CVE (none mentioned)
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0 6/10

A researcher escalated a self-XSS vulnerability into a reflected XSS by encoding a payload within a QR code that users could scan during a wallet transfer function, bypassing the need for manual input and triggering automatic payload execution.

HackerOne Hein Thant Zin
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0 6/10

A stored XSS vulnerability was discovered in Zendesk's macro description field. The WAF could be bypassed by entering a benign value at creation, then editing the field afterwards to insert the malicious payload. The vulnerability was confirmed with an image onerror payload that triggered on the homepage.

Zendesk Hariharan S P5YCH0
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0 5/10

A first-time bug bounty hunter discovered an XSS vulnerability on a Sony sandbox subdomain (authtry.dev2.sandbox.dev.ppf.sony.net) through subdomain enumeration using crt.sh, assetfinder, and httprobe, then exploited parameter injection on the target's index.php with a classic XSS payload.

Sony ppf.sony.net authtry.dev2.sandbox.dev.ppf.sony.net crt.sh assetfinder httprobe dirsearch Gökhan Güzelkokar
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0 5/10

A security researcher discovered an XSS vulnerability on Twitter's dev subdomain by chaining a 302 redirect parsing inconsistency with URL fuzzing to inject javascript:alert() payloads via href attributes, earning a $1120 bounty. The exploit bypassed Twitter's previous fixes by abusing differences in how Location headers and HTML link parsing handle malformed URLs with port numbers and special characters.

Twitter Bywalks bobrov dev.twitter.com
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0 1/10

A bug bounty hunter reports bypassing XSS protection on a HackerOne private program, but the actual article content is inaccessible (only Google cache metadata visible).

HackerOne bughunter.sec7
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0 6/10

A researcher discovered a self-XSS vulnerability in a form field that was escalated to a working XSS attack against other users by exploiting the absence of X-Frame-Options/clickjacking protection, allowing payload injection via SVG onload handlers combined with a clickjacking POC.

HackerOne Arbaz Hussain
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0 7/10

A researcher converted a self-XSS vulnerability into a stored/persistent XSS by chaining it with a CSRF vulnerability that allowed creating groups on behalf of other users, triggering the payload in a dialog box that lacked proper encoding.

Abhishek private.com
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0 2/10

A researcher discovered a second stored XSS vulnerability on Edmodo by posting XSS payloads to the poll functionality, which executed when accessing notifications on a different domain variant. The vulnerability was reported and rewarded within a week.

Edmodo ZishanAdThandar
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0 7/10

The writeup demonstrates bypassing uppercase character filters on XSS vulnerabilities using JsFuck obfuscation techniques to construct a fully functional payload that loads external JavaScript and escalates from Low to Critical severity on HackerOne.

jsfuck.com Martin Kleppe Burp Suite HackerOne WordPress Chrome jQuery
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0 5/10

A researcher discovered a stored XSS vulnerability in a web application's internal notification system by injecting HTML/SVG payloads into company names during user invitation functionality, which were then reflected without sanitization when users viewed invitation notifications.

Oleksandr Opanasiuk
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0 7/10

Detectify researchers discovered a DOM-based XSS vulnerability on Tesla's forums (forums.tesla.com) in the CKEditor HTML insertion feature that bypassed the filter by crafting a malicious img tag payload with an onerror handler. The self-XSS, responsibly disclosed and fixed, allowed injection of arbitrary JavaScript to redirect the page to a hosted DOOM game.

Tesla forums.tesla.com CKEditor Detectify Linus Särud Fredrik Almroth vexal js-dos
labs.detectify.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0 5/10
bug-bounty

A DOM XSS vulnerability exists in an AJAX request where location.pathname is used unsanitized to construct a URL, allowing attackers to redirect requests to their own server and inject malicious content via protocol-relative URL manipulation (//attacker.com).

jinone.github.io · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0
hacknpentest.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0
CVE-2020-13487
hackerone.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0 7/10

A stored XSS vulnerability in EspoCRM 5.6.8's email signature feature allowed attackers to steal authentication cookies via a polyglot XSS payload, enabling complete account takeover of any user including administrators. The vulnerability exploited inadequate input sanitization in the markdown code-view feature and lack of HttpOnly flags on session cookies.

CVE-2019-14546 EspoCRM EspoCRM 5.6.8 Gaurav Narwani Somdev Sangwan
gauravnarwani.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0 6/10
bug-bounty

A bug bounty writeup covering three reflected XSS vulnerabilities discovered on a Synack program: one via JavaScript protocol in a referrer header parameter, one via password-check parameter bypass in account details modification, and one via insufficient input filtering in an email recovery parameter.

Gaurav Narwani Synack burp
gauravnarwani.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0 5/10

A researcher discovered a reflected XSS vulnerability in Bugcrowd's main domain via an unvalidated 'locale' parameter that was ultimately traced to the Locomotive CMS framework, affecting multiple websites using that CMS. The vulnerability allowed attackers to steal user data and perform CSRF actions from the main domain, earning a $600 bounty.

Bugcrowd Locomotive CMS WitCoat Security Bull
blog.witcoat.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0
blog.it-securityguard.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0
blog.it-securityguard.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0
blog.it-securityguard.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0 2/10
bragging-post

Brief blog post about finding and reporting an XSS vulnerability on Oracle's education subdomain (education.oracle.com) that was eventually patched and acknowledged. No technical details about the vulnerability, exploitation, or root cause are provided.

Oracle Corporation education.oracle.com Shashank
blog.shashank.co · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 8 hours ago · details
0
bug-bounty
medium.com · Configx · 8 hours ago · details
0
bug-bounty
medium.com · Configx · 8 hours ago · details
0
bug-bounty
medium.com · Configx · 10 hours ago · details