A researcher exploited a CORS misconfiguration on a Netgear API endpoint that trusted any subdomain origin and allowed credentials, combining it with a reflected XSS on one such subdomain to exfiltrate sensitive user data (email, age, gender, date of birth) via an XMLHttpRequest sent with credentials.
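The root cause in that writeup is an origin check that trusts every subdomain of the parent domain, so any reflected XSS on any subdomain becomes a same-origin-like read of the credentialed API. The following added example (not code from the writeup or from Netgear; the domain names are constructed) places the permissive subdomain check beside an exact-match allowlist and shows how the resulting CORS response headers differ.

```python
from urllib.parse import urlsplit

# Constructed sample domains for illustration; they are assumptions, not the real deployment.
PARENT_DOMAIN = "example.com"
# Exact origins that legitimately need credentialed access to the API.
ALLOWED_ORIGINS = {"https://www.example.com", "https://app.example.com"}


def weak_origin_check(origin: str) -> bool:
    """Reproduces the misconfiguration pattern: trust the parent domain and every subdomain.

    Any subdomain that can host attacker-controlled script (reflected XSS, takeover,
    a static-content host) is thereby granted credentialed cross-origin reads.
    """
    host = urlsplit(origin).hostname or ""
    return host == PARENT_DOMAIN or host.endswith("." + PARENT_DOMAIN)


def strict_origin_check(origin: str) -> bool:
    """Hardened check: exact match against a short allowlist, scheme included."""
    return origin in ALLOWED_ORIGINS


def cors_headers(origin: str, check) -> dict:
    """Build the CORS response headers for a credentialed endpoint.

    Returns no CORS headers at all for a rejected origin; 'Vary: Origin' prevents
    caches from serving one origin's ACAO value to another.
    """
    if not check(origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # A subdomain that is not part of the application but might carry an XSS.
    probe = "https://blog.example.com"
    print("weak  :", cors_headers(probe, weak_origin_check))    # credentialed access granted
    print("strict:", cors_headers(probe, strict_origin_check))  # {}
```

When auditing an API for this class of issue, send a preflight or simple request with an Origin header for an unused subdomain and check whether the response echoes it alongside `Access-Control-Allow-Credentials: true`; an allowlist of exact origins is the fix, not a suffix test on the hostname.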
A researcher demonstrates escalating a subdomain takeover of impact.postmates.com (an unclaimed GitHub Pages binding) into session cookie theft by leveraging document.domain relaxation on the parent domain postmates.com, enabling account takeover even though the subdomain itself was out of scope. The technique relies on the fact that if the main domain explicitly sets document.domain, a compromised subdomain can set document.domain to the same value and read sensitive cookies via JavaScript.
A researcher demonstrates stealing authentication tokens stored in browser local storage via a stored XSS executed in an admin account's session, using an img onerror payload to exfiltrate the data to an attacker-controlled server. The researcher found this vulnerability on a Bugcrowd private program and was awarded $800.