How I Built An XSS Worm On Atmail - Bishop Fox  xss

7 years ago | comments | bishopfox.com | Score: 6 Reddit


XSS through Subdomain Takeover  xss

7 years ago | comments | blog.sweepatic.com | Score: 8 Reddit


Excess XSS: A comprehensive tutorial on cross-site scripting  xss

7 years ago | 1 comment | excess-xss.com | Score: 14 Reddit


Non-alphanumeric Javascript using Japanese Katakana  xss

7 years ago | comments | github.com | Score: 8 Reddit


hometown sky  xss

7 years ago | 4 comments | i.redd.it | Score: Reddit


Most accurate Vung Tau lottery result prediction for Tuesday 13/6/2017  xss

7 years ago | 2 comments | self.xss | Score: Reddit


XSS Attacks: The Next Wave  xss

7 years ago | comments | snyk.io | Score: 11 Reddit


DOMXSS on Shopify - writeup  xss

7 years ago | comments | hackerone.com | Score: 7 Reddit


The Most Common XSS Vulnerability in React.js Applications  xss

7 years ago | comments | medium.com | Score: 2 Reddit


XSS over SMS: Hacking Text Messages in Verizon Messages  xss

7 years ago | comments | randywestergren.com | Score: 1 Reddit


Getting creative with Drupal XSS  xss

7 years ago | comments | mortenson.coffee | Score: Reddit


XSS Explained from Theory to Practice  xss

7 years ago | 1 comment | blog.singular.uk | Score: 12 Reddit

Latest Comment

<img src=”javascript:alert(“Evil”);”>

That won't work in any modern browsers that I'm aware of; some of the other PoCs won't either.

Wouldn't hurt to explain the different types of XSS since you mentioned them.


7 years ago


Shuriken - XSS payload testing tool with screenshot capture ability & logging, feedback welcome!  xss

7 years ago | 6 comments | github.com | Score: 10 Reddit

Latest Comment

Hi shogunlab, it's a great tool to automate XSS stuff. I have some points for you.

False positives are ok, but I'm getting some true negatives :/ <img src=x onerror=alert(1)> is a valid payload, but the engine expects me to insert <img src="x" onerror="alert(1)"> to mark it as valid XSS.

Ref: http://imgur.com/a/mOI3V


7 years ago


XSS in Invision Power Board (CVE-2017-8897,8898,8899)  xss

7 years ago | comments | sxcurity.pro | Score: 2 Reddit


Help bypassing a filter  xss

7 years ago | 1 comment | self.xss | Score: 2 Reddit

Latest Comment

'+alert(1)+'

where the + is an actual plus sign and not a space.

<script>var test = {'a': 'a', 'b': ''+alert(1)+'', 'c': 'c'}</script>


7 years ago


N00b question on Xsscrapy  xss

7 years ago | 6 comments | self.xss | Score: 6 Reddit

Latest Comment

Let's break down the payload first:

1zqjre - this is a unique value that is easily grepped. The scanner likely searches for this in the response to see if a payload is reflected without alteration.

'"(){} - reserved characters in javascript, which if they're not properly encoded in the response, can be used to escape out of a JS statement and hijack execution. The point here is not to get execution but to test if the site encodes/strips/blacklists these or not.

<x> - testing to see if there's logic that explicitly detects and bans html tags. If this appears in the response unaltered then you may have luck inserting a script tag, img tag, etc. to get execution. Some WAFs, such as IIS, will ban any input of the form <tag*.

:/1zqjre;9 - more reserved characters to test for rejection or encoding, and the unique value again for easy grepping.

Type: form - this means you're injecting into an HTML form, aka a POST request.

Injection point: searchFor - this is the POST parameter the scanner is targeting.


7 years ago


Steam fixes XSS vulnerability  xss

7 years ago | comments | reddit.com | Score: 12 Reddit


I found a XSS on my university's website - best way to report without potentially being liable for 'hacking'?  xss

7 years ago | 13 comments | self.xss | Score: 9 Reddit

Latest Comment

Fuckers will accuse you of hacking anyway. Send them an anonymous email, encrypted with OpenPGP, or if they are not smart enough, just toss a letter into their mailbox (printed, of course).


7 years ago


Coinmama Stored XSS  xss

7 years ago | 1 comment | yellowhttp.tumblr.com | Score: 6 Reddit

Latest Comment

Exploits? I'm seeing MitM at the very least. If their SQL is shoddy then there is much more to worry about.


7 years ago


You think you know XSS and Browsers? Win 500-1000Eur for solving this challenge.  xss

8 years ago | 4 comments | xssmas2016.cure53.de | Score: 10 Reddit

Latest Comment

I can't bypass the jQuery CDN, the rest was easy. Anyone succeeded?


7 years ago


Requesting feedback on new anti-XSS project: Outbound-Rules: Protect your admin dashboards from XSS  xss

8 years ago | 5 comments | github.com | Score: 2 Reddit

Latest Comment

Why not just implement a CSP on admin dashboard?


8 years ago


postMessage XSS on a million sites  xss

8 years ago | comments | labs.detectify.com | Score: 7 Reddit


Circumventing angle bracket encoding in url  xss

8 years ago | comments | self.xss | Score: 2 Reddit


Stored XSS in the popular InVision App  xss

8 years ago | comments | medium.com | Score: 2 Reddit


Google creates an online game to teach you about XSS as part of bug bounty program  xss

8 years ago | 5 comments | xss-game.appspot.com | Score: 28 Reddit

Latest Comment

Can u guys give me some tips on what is the easiest way to learn XSS? I am new to web app hacking and have little programming knowledge :D


8 years ago


Any one know a walkthrough or a solution for xssgolf? I'm going crazy with it  xss

8 years ago | 5 comments | xssgolf.appspot.com | Score: 11 Reddit

Latest Comment

Hm, anyone got a hint for chall2? (spoilers below)

I was able to get it to show an iframe from a remote server with xss=<iframe/src=//3497454484> (link), but due to the same origin policy I don't think I can solve the challenge that way. Doesn't help that 'on' and 'script' are filtered as well as all whitespace.


8 years ago


Jims Pool Care Service Pool Maintenance and Cleaning  xss

8 years ago | comments | jimspoolcare.com.au | Score: Reddit


devastating DOM XSS in wix.com  xss

8 years ago | comments | contrastsecurity.com | Score: 18 Reddit


Can I submit XSS to Reddit?  xss

8 years ago | 5 comments | self.xss | Score: 3 Reddit

Latest Comment

See this: How to get banned from Reddit.com: test a vulnerability on r/asknetsec subscribers, so you don't get banned like that guy.
https://www.reddit.com/wiki/whitehat
....
As u/paganpan said, it's better to create a self-hosted instance for testing. The install script seems pretty simple: https://github.com/reddit/reddit/wiki/reddit-install-script-for-Ubuntu


8 years ago


XSS by Example  xss

8 years ago | comments | technopy.com | Score: 4 Reddit


XSS via Referrer After Anniversary Update  xss

8 years ago | comments | mksben.l0.cm | Score: 2 Reddit


XSS in Gifs  xss

8 years ago | 2 comments | blog.zsec.uk | Score: 14 Reddit

Latest Comment

Should probably mark that this goes to a page with a nsfw logo on it...


8 years ago


CSP Evaluator  xss

8 years ago | comments | csp-evaluator.withgoogle.com | Score: 3 Reddit


Stored XSS on Pornhub  xss

8 years ago | 1 comment | blog.zsec.uk | Score: 15 Reddit

Latest Comment

Congrats! I found quite a few XSS bugs, but turns out that other researchers kept beating me to it. This one was one of them! I can imagine a lot of people tried attacking the site when the bounty was announced just for the fun of it. Didn't think to look at other subdomains like your other post mentions, so I'll keep that in mind next time

One fun one I found (which was also reported) was that you could change the view key ID of a video and whether a video is for premium users only.


8 years ago


Calling Remote Script With Event Handlers  xss

8 years ago | comments | brutelogic.com.br | Score: 6 Reddit


MIME Sniffing?  xss

8 years ago | 3 comments | self.xss | Score: 1 Reddit

Latest Comment

Other ways than what?

MIME type will be in the Content-Type header.


8 years ago


Jumping Over The Fence - An Amazing Journey After An Open Redirect  xss

8 years ago | 3 comments | fogmarks.com | Score: 1 Reddit

Latest Comment

Why post this to /r/xss?


8 years ago


Four Horsemen of the Web Apocalypse  xss

8 years ago | comments | brutelogic.com.br | Score: 7 Reddit


How to execute HTML decoded js?  xss

8 years ago | 8 comments | self.xss | Score: 7 Reddit

Latest Comment

If you are using Chrome, that browser has the source rendering quirk where you might see a '<' in the source code, but if you look at the response on the wire, it is actually sending '&lt;'. This has thrown me into the same loop as you. Check to see if you are not seeing the same feature.

This is the reason why I don't use Chrome to test most stuff unless I want to confirm something.


8 years ago


Anyway to execute code inside quotes in JS  xss

8 years ago | 5 comments | self.xss | Score: Reddit

Latest Comment

What about crlf characters?


8 years ago


CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy  xss

8 years ago | 1 comment | research.google.com | Score: 3 Reddit

Latest Comment

I would in no way recommend using CSP other than in conjunction with the existing proper escaping/validation of input and encoding of output.

Yeah, I see that CSP can be bypassed in various ways; does anyone have a compiled list of these?


8 years ago


infosectoughguy: Cool XSS Tricks with Anonymous Javascript Functions  xss

8 years ago | 3 comments | infosectoughguy.blogspot.co.za | Score: 4 Reddit

Latest Comment

TIL http://www.jsfuck.com/

Good stuff


8 years ago


The Easiest Way to Bypass XSS Mitigations  xss

8 years ago | comments | brutelogic.com.br | Score: 12 Reddit


XSS Authority Abuse  xss

8 years ago | comments | brutelogic.com.br | Score: 8 Reddit


Lets take a moment to remember /u/xssfinder and his Reddit comment bomb.  xss

8 years ago | comments | self.xss | Score: 19 Reddit


" THE BOX ANONYMOUS MESSAGING SYSTEM "  xss

8 years ago | comments | theboxmmvl6zg3wi.onion | Score: Reddit


Brute's XSS Cheat Sheet  xss

8 years ago | 1 comment | brutelogic.com.br | Score: 17 Reddit

Latest Comment

Well thank you, good sir!


8 years ago


Is the payload for DOM based XSS defined to originate from only inside the browser or even outside of it  xss

8 years ago | 2 comments | self.xss | Score: 6 Reddit

Latest Comment

I replied to a similar question in an /r/asknetsec thread (here). There are other answers, but mine is the best obviously, lol. I'll include it below.

I think it is a muddy topic, and it probably is a disservice to everyone to classify DOM-based XSS as a different "type" - as it can be both DOM-based and reflected, for example. I don't like your definition which relies on tags/contexts. Here's what I said in the other comment - do you think it answers your question?


Right click on this page, click inspect element (or whatever it is in your browser). That is the DOM. It is basically the HTML of the page, right? Well, now right click and select view source. That is the HTML that the server sent to you, and the DOM is what was rendered by your browser. Reflected XSS shows up in view source (and in the DOM). DOM-based would not exist in the source, because the server is not reflecting it back to you, it exists only in the DOM.

How does that happen? Well, let's say I made a very basic webpage. Looks like this:

<html>
<body>
    <script>
        //write whatever comes after the (#) in the URL to the DOM
        document.write('<p>' + window.location.hash.substring(1) + '</p>');
    </script>
</body>
</html>

So, that is the source of the page... but if you were to add something after the hash sign in the URL, it would get written to the DOM. So if you requested that page like this: http://example.com/dom.html#howdy the source of the page would be the same as above, but the DOM would look something like this:

<html>
<head></head>
<body>
    <script>
        document.write('<p>' + window.location.hash.substring(1) + '</p>');
    </script>
    <p>howdy</p>
</body>
</html>

Notice how the p tag exists in the DOM, but not the source.

A big part of the confusion is that DOM-based XSS can be reflected through a parameter to a user... but it could also be stored (it is usually reflected). Basically, you have to write some bad javascript to make your page vulnerable to DOM-based XSS, and you write bad server-side code to make yourself vulnerable to the other kinds.


8 years ago


Ghetto XSS Filter Bypass Cheatsheet  xss

8 years ago | 1 comment | d3adend.org | Score: 13 Reddit

Latest Comment

nice sheet nigga


8 years ago


Evade filter that deletes everything inside <>  xss

8 years ago | 5 comments | self.xss | Score: 5 Reddit

Latest Comment

It's really a pain to test without having the actual site to try things. What about injecting a null byte or parameter pollution?

ex: ?q=%00<asdf> and ?q=<asdf>&q=<fdsa>

Does it do anything fancy with links? Might be able to bypass it with something like ?q=http://thesite.com&x=<asdfg>


8 years ago