A bug bounty writeup demonstrating exploitation of Apache Struts CVE-2013-2251 (OGNL injection) against a travel booking website, bypassing WAF detection by embedding the malicious payload within a redirect parameter, followed by privilege escalation to root via kernel CVE-2013-2094 using reverse SSH tunneling.
A persistent XSS vulnerability was discovered in AH.nl's avatar upload feature where user input was not properly sanitized, allowing attackers to inject malicious JavaScript that would execute for all site visitors viewing the attacker's profile. The exploit bypassed firewall filters using obfuscation techniques like 'onerroronerror==' and leveraged jQuery's getScript() to load external malicious code for cookie theft and phishing attacks.
A researcher bypassed Practo's XSS firewall by discovering that the 'oncopy' event handler was not blocked, allowing HTML injection and XSS via the payload <vipin oncopy=prompt(document.domain)>. The vulnerability was reported and fixed quickly.