A researcher found three vulnerabilities in Yahoo's Brightroll service: two RCEs via JSON injection into a message queue system (bypassing command filters with Unicode escapes), and an SSRF in an image-resizing feature that allowed arbitrary file reads through curl flag injection. The third issue came close to RCE but was limited to file disclosure without code execution.
A researcher demonstrates an SSRF bypass technique against Microsoft's Bing Webmaster Central by using the nip.io DNS service to resolve non-standard loopback addresses (127.127.127.127) and bypass IP-based filters, allowing enumeration of internal ports and directories on the application server.
An XSS vulnerability in InternShala was discovered via a JSON endpoint served with an incorrect text/html Content-Type header and exploited through multiple filter bypasses: replacing whitespace with +, using confirm() instead of alert(), backticks in place of parentheses, and URL encoding for closing tags.
A researcher bypassed an XSS filter on a HackerOne private program that was blocking payloads containing event handlers by using nested script tag obfuscation (e.g., <<scrip<scriptT>alert(1);) to execute arbitrary JavaScript.
A researcher discovered a blind stored XSS vulnerability in a form-building service by bypassing quote filters using the javascript: URI scheme merged with legitimate URLs, allowing arbitrary JavaScript execution on admin pages. The technique leverages acceptance of alternative URI schemes (javascript:https://) combined with rendering in anchor tags to inject payloads that execute when accessed by form creators.
A reflected XSS vulnerability was discovered on the mobile version of Yahoo Finance via the /quote/ endpoint. The attacker bypassed a filter that converted lowercase characters to uppercase by using HTML entity encoding (e.g., representing the letter 'a' as an HTML character entity) to evade the case-sensitivity check and successfully execute JavaScript.
A researcher exploited a reflected XSS vulnerability combined with CSRF to steal httpOnly session cookies by leveraging the server's practice of returning session tokens in response bodies. The attack uses String.fromCharCode concatenation to bypass character filtering and an XMLHttpRequest to extract the session cookie from login endpoint responses.
A reflected XSS vulnerability in a three-tier web application was exploited by bypassing input filters that blocked special characters (<, >, ") using newline encoding (%0A) and conditional logic manipulation to inject an alert() payload within a script tag.
Researchers discovered and exploited a DOM XSS vulnerability in Tesla's forums (forums.tesla.com) via CKEditor's InsertHtml function, bypassing HTML filters with a crafted img tag payload to load arbitrary JavaScript and embed a DOOM game in the page. The vulnerability was a self-XSS with limited impact but demonstrated creative filter evasion techniques.
Technical writeup on bypassing uppercase character filters in URL-based XSS vulnerabilities using JSFuck obfuscation techniques. The authors demonstrate constructing a complete alphabet from JavaScript primitive values and achieving arbitrary code execution with jQuery's getScript to escalate a Low severity XSS to Critical by loading external malicious scripts.
The article title indicates that it covers XSS filter bypass techniques in anchor tags, but the content provided is a Google cache error page in German with no accessible article text.
A security researcher documents bypassing an XSS filter on a private program by discovering that a search parameter was reflected unencoded in a `<dfn>` tag, then using double URL encoding and backticks to replace parentheses in a `<script>alert(0)</script>` payload to execute XSS.