self-xss – Page 2 – WindowsTechs.com

Self-XSS From File Upload Name

Posted on September 7, 2020 by Emanuel Beni

I encountered this type of vulnerability a couple of times but was not able to fully exploit it.
This vulnerability is a self-xss which is triggered from file names. E.g. If I were to upload a file named [xss-payload].png, it will be execu… Continue reading Self-XSS From File Upload Name→

Is this considered DOM-XSS or self-XSS or both?

Posted on June 11, 2020 by Maicake

SCENARIO:

A web page shows an error login page using these javascript lines

How was this mXSS on Google Search carried out?

Posted on June 11, 2020 by Fitz Watson

I was reading about bug bounties that have been reported in the past and this one caught my eye as it seemed interesting.

Mutation XSS in Google Search

According to what I could understand, this is what the attacker entered: <noscript… Continue reading How was this mXSS on Google Search carried out?→

Bypass XSS in script tag

Posted on March 19, 2020 by Ashish Kataria

user input can be inputted with xss payload.

Filter is doing following replaces:
i) ” with \”
ii) \ with \\
iii) / with \/

I … Continue reading Bypass XSS in script tag→

Clickjacking and XSS on file upload input?

Posted on December 9, 2019 by Pong

I reported a self-xss on file uploader input to a bug bounty company and they said that they will only accept it if i can find a good clickjacking exploit for that input. My question is: Is it possible to make a clickjacking … Continue reading Clickjacking and XSS on file upload input?→

CVSS Score for self-XSS (stored XSS)

Posted on May 27, 2019 by Pathirennehelage Nadeeshani

I have a web application which is vulnerable to stored, self-XSS attack. Proper encoding is not done In the place where the data from a database (set by the same user) is added to response.

However, this XSS can be consider… Continue reading CVSS Score for self-XSS (stored XSS)→

Is eval() in JavaScript considered self-XSS?

Posted on March 29, 2019 by knadt

I found eval() in the JavaScript code of a site in HackerOne.

I could not find the where the function is called, so to test the vulnerability I went to console in Chrome and wrote the method and a JavaScript alert. The alert… Continue reading Is eval() in JavaScript considered self-XSS?→

How to prevent self-XSS?

Posted on March 13, 2018 by Harwee

I am creating a website which solely uses REST api for all the features and functionality, from signup and login to fetching data and populating the webpage using Mustache as template engine for objects.

Authentication is … Continue reading How to prevent self-XSS?→

Facebook’s warning of self-xss

Posted on April 25, 2017 by Luke

I happened to open my browser console on Facebook recently and was greeted with the following message.

Stop!

This is a browser feature intended for developers. If someone told you to copy and paste something here to … Continue reading Facebook’s warning of self-xss→