{"version": "https://jsonfeed.org/version/1", "title": "/dev/posts/ - Tag index - xss", "home_page_url": "https://www.gabriel.urdhr.fr", "feed_url": "/tags/xss/feed.json", "items": [{"id": "http://www.gabriel.urdhr.fr/2025/08/22/concealing-xss-payload/", "title": "Concealing XSS payloads", "url": "https://www.gabriel.urdhr.fr/2025/08/22/concealing-xss-payload/", "date_published": "2025-08-22T00:09:04+02:00", "date_modified": "2025-08-22T00:09:04+02:00", "tags": ["computer", "security", "xss", "waf"], "content_html": "<p>PortSwigger <a href=\"https://portswigger.net/research/concealing-payloads-in-url-credentials\">\u201cConcealing payloads in URL credentials\u201d</a>\ntalks about concealing XSS payloads in URL credentials.\nThe nice thing is that this makes the payload invisible to WAFs and other server-side XSS filters.\nYou can actually conceal the payloads in other places</p>\n"}, {"id": "http://www.gabriel.urdhr.fr/2024/11/20/xss-bypass/", "title": "Bypassing XSS filters", "url": "https://www.gabriel.urdhr.fr/2024/11/20/xss-bypass/", "date_published": "2024-11-20T00:00:00+01:00", "date_modified": "2024-11-20T00:00:00+01:00", "tags": ["computer", "security", "xss", "waf"], "content_html": "<p>In this post, I am describing some payloads which\nI used to bypass two distinct XSS filter implementations\n(such as Web Application Firewalls (WAF))\nas well as the approach to design them.</p>\n"}]}