A reflected XSS vulnerability on Twitter's dev.twitter.com was discovered by exploiting inconsistent URL parsing between Location headers and href attributes in 302 redirects, combined with port manipulation and clickjacking to trigger execution. The payload leveraged a trailing slash and special characters to bypass Twitter's XSS filters, earning a $1,120 bounty.
Slacker Slash is a path traversal vulnerability in Bun-based web applications caused by a desynchronization between Bun's WHATWG-compliant URL parser (which preserves multiple leading slashes and backslashes) and POSIX-normalizing filesystem operations (which collapse them). Middleware that guards routes with a string check such as startsWith() on the raw, un-normalized path is bypassed with double-slash notation (//admin does not start with /admin) or a sibling directory prefix (public_backup does start with public), while the filesystem still normalizes the path and resolves the requested file.