/dev/posts/

Risk of reflected cross site scripting and Content-Security-Policy bypass in the WebSub intent verification

Published:

I was reading the WebSub specification (formerly PubSubHubbub) when I found that there was a risk of reflected browser-side code injection (reflected cross site scripting, reflected XSS) in the WebSub intent verification exchange.

Read more…

Concealing XSS payloads

Published:

PortSwigger “Concealing payloads in URL credentials” talks about concealing XSS payloads in URL credentials. The nice thing is that this makes the payload invisible to WAFs and other server-side XSS filters. You can actually conceal the payloads in other places

Read more…

Bypassing XSS filters

Published:

In this post, I am describing some payloads which I used to bypass two distinct XSS filter implementations (such as Web Application Firewalls (WAF)) as well as the approach to design them.

Read more…

Page 1 of 1 | | | JSON Feed | Atom Feed | RSS Feed