A researcher discovered an SSRF-class vulnerability in PDFReactor, an HTML-to-PDF renderer, that allowed reading local files, including /etc/shadow and SSH private keys, by injecting iframe tags whose src pointed at file:// URLs; the stolen root SSH key was then used to log in to the host, giving remote code execution as root.
An SSRF vulnerability was discovered in a PDF generator where the attacker bypassed character filters by going through the mobile app and injecting an iframe payload that used forward slashes instead of spaces as attribute separators, then used DNS rebinding to reach internal endpoints such as elmah.axd and exfiltrate error logs through the web app's PDF function.
An XSS vulnerability in InternShala was discovered via a JSON endpoint served with an incorrect text/html Content-Type header, so the browser rendered the response as HTML. Exploitation required several filter bypasses: replacing whitespace with +, using confirm() instead of alert(), backticks in place of parentheses, and URL-encoding the closing tags.
Researcher found a chain of vulnerabilities in Legal Robot: HTML injection leading to open redirect via META refresh tags, combined with a WebSocket endpoint that did not validate the handshake's Origin header, allowing cross-site WebSocket hijacking (CSRF over WebSockets) from other origins. CSP prevented the injected HTML from executing script on the site itself, but the chain still achieved forced logout and could redirect victims to attacker-controlled pages where malicious script ran.
A security researcher chained stored iframe injection with CSRF to achieve account takeover by injecting a malicious iframe into a discussion forum that, when loaded by an admin, silently executed a CSRF attack to change the victim's email address. The attack exploited HTML injection in the reply feature combined with an unprotected email change endpoint.
Researcher exploited missing X-Frame-Options headers on API endpoints that disclose sensitive user data (credit cards, emails, addresses): the endpoints were embedded in invisible iframes inside a fake lottery page, and social engineering tricked users into selecting, copying and pasting their own data into the attacker's page, earning $1800 across multiple reports.
A researcher achieved account takeover by combining clickjacking (missing X-Frame-Options header) with parameter manipulation to trick users into changing their account email. The attacker loaded the profile change page, with the new email value supplied through a manipulated request parameter, in an invisible iframe and overlaid a fake button to capture the click, so the victim submitted the email change without realising it.
A researcher chained CSRF token disclosure from an unprotected API endpoint with clickjacking to trick users into hijacking their own CSRF tokens and submitting account modification requests. The attack uses a fake lottery page with a hidden iframe to exfiltrate tokens via manual copy-paste, then automatically submits a form with the stolen token.
Stored blind XSS vulnerability in Telegram iOS app allowing arbitrary HTML/JavaScript execution via unvalidated HTML files in webview, enabling device fingerprinting, user activity tracking, and IP geolocation. Successfully exploited by uploading malicious HTML file that executed JavaScript to extract navigator object data and communicate with attacker server.
A researcher bypassed an XSS filter on a HackerOne private program that was blocking payloads containing event handlers by using nested script tag obfuscation (e.g., <<scrip<scriptT>alert(1);), relying on the filter removing the fragment it recognises in a single pass so that the remaining characters reassemble into a working script tag and execute arbitrary JavaScript.
A stored XSS vulnerability was discovered in GameSkinny's article/post creation feature, allowing attackers to inject SVG payloads (e.g., `"><svg/onload=alert(1)>`) that execute in the browser when articles are previewed or shared with other users, potentially enabling session hijacking and cookie theft. The vulnerability was disclosed publicly after the vendor failed to respond to responsible disclosure attempts.
A researcher discovered a blind stored XSS vulnerability in a form-building service by bypassing quote filters using the javascript: URI scheme merged with a legitimate URL (javascript:https://...), which passed the service's URL check. The trick works because, once the browser strips the javascript: scheme, https: is a valid JavaScript label and //... a line comment, so a newline (%0A) followed by attacker code still executes. Rendered into an anchor tag on the admin side, the payload fired when form creators opened the page.
Researcher bypassed XSS protection filters using an iframe payload with data URI encoding to achieve stored XSS in a comment box, earning a $150 bounty within 30 minutes. The payload exploited the target's allowlisting of iframe tags while blocking standard script injection vectors.
A reflected XSS vulnerability was found on sharjah.dubizzle.com (an OLX property) where unsanitized user input was reflected into an HTML link tag. The payload added an accesskey attribute together with an onclick handler, so pressing the access-key combination (ALT+SHIFT+X in the browser used) fired the click event and executed arbitrary JavaScript.
Tutorial demonstrating XSS exploitation by converting HTML defacement payloads into charcode-encoded form using String.fromCharCode() to bypass XSS filters, with a real bug bounty example showing successful exploitation.
A persistent XSS vulnerability was discovered in AH.nl's avatar upload feature where user input was not properly sanitized, allowing attackers to inject malicious JavaScript that would execute for every visitor viewing the attacker's profile. The exploit bypassed WAF filters with obfuscation such as 'onerroronerror==' (a filter that strips 'onerror=' once leaves a valid 'onerror=' behind) and used jQuery's getScript() to load external code for cookie theft and phishing.
Jonathan Bouman discovered a persistent XSS vulnerability in LinkedIn's article embed feature by exploiting unvalidated Open Graph tags, specifically the og:video tag, to inject malicious HTML and create fake phishing login screens that could steal user credentials. The vulnerability leverages LinkedIn's content embedding functionality which processes Open Graph metadata without proper validation, allowing attackers to inject arbitrary content into iframes on LinkedIn articles.
A reflected XSS vulnerability on Amazon's masclient endpoint (/gp/masclient/dp/) allowed attackers to inject arbitrary HTML/JavaScript by exploiting insufficient input validation of product IDs, including their capitalization. The author demonstrates cookie theft and session hijacking with an SVG onload attribute whose contents were HTML-entity encoded to bypass the browser's built-in XSS protection.
A reflected XSS vulnerability was discovered on Philips.com through enabled Adobe Experience Manager debug mode in production, allowing HTML injection via the debug=layout parameter. The attack bypassed ModSecurity and Akamai WAF by using a <body onpointerenter> tag combined with jQuery.getScript() to load external JavaScript, enabling phishing and credential theft from authenticated users.
A bug bounty hunter discovered a stored XSS vulnerability in Snapchat's Ads domain by injecting a malicious payload into the Business Name field during account creation, which executed when organization invitations were sent to other users.
A self-XSS vulnerability discovered on Indeed.com's job alert creation feature where injected JavaScript (via img onerror handler) could execute in the user's browser and steal cookies. The author documents their first bug bounty experience, including lessons learned about proper vulnerability reporting and escalation.
A researcher bypassed Practo's XSS WAF by discovering that the 'oncopy' event handler was not blocked, allowing HTML injection and XSS via the payload <vipin oncopy=prompt(document.domain)>, which fires when the user copies text inside the injected element. The vulnerability was reported and fixed quickly.
A stored XSS vulnerability in EspoCRM 5.6.8's email signature field (exploited via a polyglot payload that bypassed sanitization) allows attackers to steal authentication cookies when victims reply to emails, enabling complete account takeover of any user including admins. The impact is worsened because the cookies lack the HttpOnly flag and contain Base64-encoded credentials, so the injected JavaScript can read them directly.
Researchers discovered and exploited a DOM XSS vulnerability in Tesla's forums (forums.tesla.com) via CKEditor's insertHtml function, bypassing HTML filters with a crafted img tag payload to load arbitrary JavaScript and embed a DOOM game in the page. The vulnerability was a self-XSS with limited impact but demonstrated creative filter evasion techniques.
A researcher discovered a stored XSS vulnerability in a web application's internal notification system by injecting malicious HTML into a company name field. When users were invited to join the company, the unfiltered notification page executed the injected JavaScript payload for all invited users, demonstrating a critical vulnerability that a previous researcher had missed despite finding a related email injection issue.
A persistent XSS vulnerability on eBay's My World profile section exploited a blacklist-based HTML filter that failed to block obscure or deprecated tags such as <plaintext>, <fn>, and <credit>. The attacker chained this with event handlers, String.fromCharCode and eval to fit the payload within character limits, missing CSRF protection, and session cookies without the HttpOnly flag to create a self-propagating worm that could steal session tokens.
Facebook's badges page was vulnerable to stored XSS via an unencoded 'layout' POST parameter that was saved directly to the database and rendered inside an HTML class attribute, allowing an attacker to break out of the attribute, inject arbitrary HTML/JavaScript, and perform actions on behalf of victims.
Article title indicates it covers XSS filtering bypass techniques at anchor tags, but the provided content is a Google cache error page in German with no actual article content accessible.
A technique to escalate self-XSS in Moodle into full XSS against arbitrary users by exploiting double session cookies with different paths combined with login CSRF or impersonation functionality, allowing arbitrary JavaScript execution in victim context for full account compromise.
A writeup demonstrating how to escalate a self-stored XSS vulnerability in an account profile field to steal credentials from other users by injecting a phishing form via iframe and exfiltrating login data to an attacker-controlled server.