SSRF vulnerability in a PDF generator where HTML filters on the web app were bypassed by inserting payloads via mobile app and using forward-slash character encoding in iframe tags to access internal resources like error logs (elmah.axd).
A stored XSS vulnerability in InternShala.com exploited through a JSON endpoint with incorrect text/html content-type header. The attacker bypassed multiple filters (whitespace, forward slashes, alert/prompt functions, parentheses, angle brackets) using character substitution and URL encoding to inject a working XSS payload via the current_city_administrative_area_level_2 parameter.
Demonstrates a practical XSS defacement technique using HTML injection and character encoding obfuscation via String.fromCharCode() to bypass simple filters and inject full-page HTML replacements.
A detailed writeup demonstrating how to bypass uppercase character filtering in JavaScript-based XSS vulnerabilities using JSFuck-style obfuscation to construct payloads without forbidden characters, escalating from PoC alert(1) to arbitrary code execution via dynamic script loading.