shahinaali05/cross-site-scripting

cross-site-scripting

Cross-Site Scripting https://wiki.owasp.org/index.php/Cross-site_Scripting_(XSS)

References

- Hacker101 - XSS Tutorial
- Acunetix - Cross-site Scripting (XSS) Attack
- A timing attack with CSS selectors and Javascript

Examples

- [2021] - XSS on forums.oculusvr.com leads to Oculus and Facebook account takeovers
- [2020] - [gitlab] - Stored XSS on PyPi simple API endpoint
- [2020] - [gitlab] Stored XSS in markdown when redacting references
- [2020] - Self XSS in Shopify
- [2020] - Stored XSS in collabora via user name
- [2020] - $25K Instagram Almost XSS Filter Link — Facebook Bug Bounty
- [2020] - Stored XSS on upload files leads to steal cookie
- [2020] - Reflected XSS in https://blocked.myndr.net
- [2019] - Potential unprivileged Stored XSS through wp_targeted_link_rel
- [2019] - The Bug That Exposed Your PayPal Password
- [2019] - Reflected XSS at https://pay.gold.razer.com escalated to account takeover
- [2019] - XSS in GMail’s AMP4Email via DOM Clobbering
- [2019] - Stored XSS vulnerability in comments on *.wordpress.com
- [2019] - Wordpress Cross-Site Scripting Vulnerability Notification II
- [2019] - XSS in Shopify while logging using Google
- [2019] - Stored XSS in Wiki pages
- [2019] - Stored XSS on https://core.trac.wordpress.org
- [2019] - Zomato - Self-Stored XSS - Chained with login/logout CSRF
- [2019] - From Parameter Pollution to XSS
- [2018] - Stored XSS on Snapchat
- [2018] - Stored XSS, and SSRF in Google using the Dataset Publishing Language
- [2018] - Blind XSS in one of the Admin Dashboard
- [2018] - How I found a stored XSS on thousands of webshops
- [2018] - Reflected XSS on https://www.zomato.com
- [2018] - Reflected XSS on $Any$.myshopify.com/admin
- [2018] - XSS on www.paypal.com/paypalme/my/landing
- [2018] - hxp CTF 2018: µblog
- [2017] - Cross-Site Scripting to Local File Inclusion on Trello’s App
- [2017] - App Maker and Colaboratory: a stored Google XSS double-bill
- [2017] - Managed Apps and Music: a tale of two XSSes in Google Play
- [2017] - [dev.twitter.com] XSS
- [2017] - Tinymce 2.4.0 XSS in Shopify
- [2017] - Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP
- [2017] - Reflected XSS - gratipay.com
- [2017] - Uber XSS via Cookie
- [2017] - XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog"
- [2017] - Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities
- [2016] - Turning Self-XSS into Good XSS v2: Challenge Completed but Not Rewarded
- [2016] - Uber XSS 7000$
- [2016] - AirBnb Bug Bounty: Turning Self-XSS into Good-XSS #2
- [2016] - Coming across an XSS vulnerability at Google sites
- [2016] - Combining host header injection and lax host parsing serving malicious data
- [2016] - Abusing XSS Filter: One ^ leads to XSS(CVE-2016-3212)
- [2016] - Yahoo Mail stored XSS #2
- [2016] - Yahoo Mail stored XSS
- [2016] - Stored XSS on developer.uber.com via admin account compromise
- [2016] - Html Injection and Possible XSS in sms-be-vip.twitter.com
- [2016] - Google Account Recovery XSS
- [2016] - Google RPO Gadgets Lead to XSS
- [2016] - Sleeping stored Google XSS Awakens a $5000 Bounty
- [2015] - XSS via Host header - www.google.com/cse
- [2013] - Google, Open Redirects that Matter
- [2013] - How I got the Bug Bounty for Mega.co.nz XSS
- [2013] - Google Account Recovery Vulnerability
