A security researcher discovered an SSRF vulnerability in Yahoo! Guesthouse by finding a SAML endpoint through recon, then exploiting the BouncerSAMLRemoteSessionHost cookie, which accepted arbitrary hostname values and caused the backend to make requests to attacker-controlled servers.
A CORS misconfiguration on a mobile app API was discovered that reflected user-controlled origin headers with Access-Control-Allow-Credentials enabled, allowing credential-based cross-origin requests. Though the vulnerability had high attack complexity (requiring manual cookie injection to exploit), it was confirmed through a proof-of-concept that successfully accessed sensitive account information from the attacker's domain.
A researcher discovered a cookie-based XSS vulnerability that became exploitable by moving the vulnerable parameter from the cookie into a URL GET parameter, allowing them to exfiltrate session cookies without needing to chain additional vulnerabilities such as CRLF injection.
A stored XSS vulnerability where unsanitized URL parameters (refclickid) are stored in cookies and later reflected in JSON responses within script tags, allowing arbitrary JavaScript execution on any page visit. The vulnerability relies on the application trusting cookie values without sanitization when inserting them into script contexts.
A stored XSS vulnerability in iframe-based cookie-setting functionality is exploited by chaining two parameters (key and value) to bypass WAF filters and Chrome XSS Auditor protections. The attacker uses newline injection and script tag splitting across multiple parameters to inject arbitrary JavaScript execution (alert(document.cookie)).
A writeup describing XSS exploitation via cookie injection where character filtering (equals signs, parentheses) was bypassed using script tag injection and backtick encoding techniques. The attacker eventually used a `` -prompt`1`- `` payload to trigger the vulnerability despite WAF restrictions.
A bug bounty hunter discovered a stored XSS vulnerability on m.uber.com that could be chained with an arbitrary cookie installation vulnerability on business.uber.com to steal OAuth2 tokens and compromise any logged-in Uber user's account. The exploit involved injecting malicious cookies via unsanitized server responses and using the XSS payload to extract sensitive authentication cookies from victims.
A technical writeup demonstrating how XSS vulnerabilities in Outlook and Twitter were exploited by chaining cookie injection attacks with browser-specific parsing differences. The researchers discovered endpoints that reflected user input into Set-Cookie headers, then leveraged Safari's comma-delimited cookie parsing to inject malicious ClientId/session cookies that would execute stored XSS payloads in victims' browsers.