A creative XSS exploitation technique that transforms a reflected/stored XSS vulnerability in Swisscom's Bluewin webmail into a self-propagating worm via malicious attachment filenames. The worm leverages unescaped angle brackets in attachment metadata to inject JavaScript that can automatically enumerate and send itself to other users' contacts.
DOM-based XSS vulnerability found in a Cloudflare-protected login page where a message parameter is directly inserted into JavaScript's alert() function without sanitization, allowing attackers to break out of the alert statement and inject arbitrary code despite WAF protection.
Multiple DOM-based XSS vulnerabilities discovered in iframe buster implementations from major ad tech vendors (Adform, Eyeblaster, Adtech) due to weak regex and whitelist validation on user-controlled parameters, allowing attackers to inject arbitrary JavaScript on top-tier publisher sites.
A bug bounty hunter discovered a DOM-based XSS vulnerability by using Google dorking to find interesting endpoints, then identifying that user input after the URL fragment (#) was being reflected into an IFRAME tag without proper sanitization, allowing injection of JavaScript payloads.
A researcher discovered a stored XSS vulnerability in Optimizely's experiment preview feature that allowed injecting malicious JavaScript to log keystrokes from a different domain (optimizelypreview.com) by embedding scripts in the user's website.
A researcher discovered a blind XSS vulnerability in GoDaddy's internal customer support panel by injecting XSS payloads into user profile fields (first/last name), which executed when support agents accessed the CRM system. The vulnerability allowed arbitrary actions on customer accounts including domain transfers and account deletion, demonstrating how data poisoning can compromise backend systems drawing from shared data stores.
A researcher discovered a stored XSS vulnerability in Twitter that could be weaponized as a self-propagating worm by exploiting flawed HTML tag stripping in the Welcome Message deeplink feature, combined with a JSONP endpoint vulnerability on a whitelisted subdomain to bypass the CSP policy. The attack chained multiple input validation bypasses and DOM manipulation techniques to achieve arbitrary JavaScript execution.
A security researcher discovered a stored XSS vulnerability in an online store's address field, bypassing a 20-character input length restriction using a short Punycode domain (`<script src=//ł.rip>`) and crafting a custom cookie-stealing payload. Although the XSS was confirmed to work, the vendor rejected it as 'self-XSS' and marked it as 'won't fix'.