A detailed technical writeup on chaining eight XSS vulnerabilities at Airbnb by sequentially bypassing JSON encoding, XSS filters, WAF protection using null-byte injection, CSP rules, and Chrome's XSS auditor through the listing_frame embeddable endpoint. The exploitation leverages semicolon injection, null-byte WAF evasion, JSON encoder quirks, and CSP weaknesses.
A writeup on discovering and exploiting an XSS vulnerability on Twitter by bypassing the platform's Content Security Policy (CSP) protections. The article demonstrates how CSP misconfigurations can be leveraged to achieve cross-site scripting attacks.
A Rails application using ActiveAdmin was silently broken when a strict Content Security Policy (script-src 'self') blocked inline scripts necessary for admin form functionality. The article details the diagnosis process, evaluation of solutions, and implementation of CSP nonces as the fix to balance security and functionality.