References
- Portswigger XSS
- Portswigger XSS cheat sheet
- [gitlab] - Stored XSS on PyPi simple API endpoint
- [gitlab] Stored XSS in markdown when redacting references
- Self XSS in Shopify
- Stored XSS in collabora via user name
- Stored XSS on upload files leads to steal cookie
- Reflected XSS in https://blocked.myndr.net
- Potential unprivileged Stored XSS through wp_targeted_link_rel
- Reflected XSS at https://pay.gold.razer.com escalated to account takeover
- Stored XSS vulnerability in comments on *.wordpress.com
- Wordpress Cross-Site Scripting Vulnerability Notification II
- XSS in Shopify while logging using Google
- Stored XSS in Wiki pages
- Stored XSS on https://core.trac.wordpress.org
- Zomato - Self-Stored XSS - Chained with login/logout CSRF
- Blind XSS in one of the Admin Dashboard
- Reflected XSS on https://www.zomato.com
- Reflected XSS on $Any$.myshopify.com/admin
- XSS on www.paypal.com/paypalme/my/landing
- Tinymce 2.4.0 XSS in Shopify
- Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP
- Reflected XSS - gratipay.com
- XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog"
- Stored XSS on developer.uber.com via admin account compromise
- Html Injection and Possible XSS in sms-be-vip.twitter.com
- XSS on forums.oculusvr.com leads to Oculus and Facebook account takeovers
- $25K Instagram Almost XSS Filter Link — Facebook Bug Bounty
- The Bug That Exposed Your PayPal Password
- XSS in GMail’s AMP4Email via DOM Clobbering
- From Parameter Pollution to XSS
- Stored XSS on Snapchat
- Stored XSS, and SSRF in Google using the Dataset Publishing Language
- How I found a stored XSS on thousands of webshops
- hxp CTF 2018: µblog
- Cross-Site Scripting to Local File Inclusion on Trello’s App
- App Maker and Colaboratory: a stored Google XSS double-bill
- Managed Apps and Music: a tale of two XSSes in Google Play
- [dev.twitter.com] XSS
- Uber XSS via Cookie
- Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities
- Turning Self-XSS into Good XSS v2: Challenge Completed but Not Rewarded
- Uber XSS 7000$
- AirBnb Bug Bounty: Turning Self-XSS into Good-XSS #2
- Coming across an XSS vulnerability at Google sites
- Combining host header injection and lax host parsing serving malicious data
- Abusing XSS Filter: One ^ leads to XSS(CVE-2016-3212)
- Yahoo Mail stored XSS #2
- Yahoo Mail stored XSS
- Google Account Recovery XSS
- Google RPO Gadgets Lead to XSS
- Sleeping stored Google XSS Awakens a $5000 Bounty
- XSS via Host header - www.google.com/cse
- Google, Open Redirects that Matter
- How I got the Bug Bounty for Mega.co.nz XSS
- Google Account Recovery Vulnerability