xss-worm

3 articles
0 8/10

Technical writeup demonstrating a complete XSS worm built against the Atmail webmail client that bypasses HTML sanitization via quote-mixing across multiple img tags and self-propagates by harvesting contacts and sending malicious emails with CSRF tokens. The attack chains content-filtering evasion, JavaScript execution, contact extraction, and automated worm distribution.

Atmail Bishop Fox DreamHost LegalShield m:tel iiNet Optus MySpace TweetDeck
bishopfox.com · devanshbatham/Awesome-Bugbounty-Writeups · 22 hours ago · details
0 6/10
vulnerability

Stored XSS vulnerability discovered in RunKeeper's user profile name field that reflects malicious payloads to all users viewing the profile, combined with site-wide CSRF issues enabling creation of an XSS worm that forces victims to follow attacker accounts. The vulnerability was originally reported in 2013, but a bypass was found in 2015.

RunKeeper ASICS Mohamed A. Baset David Sopas Seekurity Norwegian Consumer Council Jason Jacobs
seekurity.com · devanshbatham/Awesome-Bugbounty-Writeups · 22 hours ago · details
0 9/10

A researcher discovered a stored XSS vulnerability in Twitter that could be weaponized as a self-propagating worm by exploiting flawed HTML tag stripping in the Welcome Message deeplink feature, combined with a JSONP endpoint vulnerability on a whitelisted subdomain to bypass the CSP. The attack chained multiple input validation bypasses and DOM manipulation techniques to achieve arbitrary JavaScript execution.

Twitter Virtue Security CVE (not specified in article)
virtuesecurity.com · devanshbatham/Awesome-Bugbounty-Writeups · 22 hours ago · details