xss – WindowsTechs.com

BidenCash Market Dumps 1 Million Stolen Credit Cards on Russian Forum

Posted on April 16, 2025 by Waqas

BidenCash dumps almost a million stolen credit card records on Russian forum, exposing card numbers, CVVs, and expiry dates in plain text with no cardholder names. Continue reading BidenCash Market Dumps 1 Million Stolen Credit Cards on Russian Forum→

Is it acceptable to ignore potential XSS payloads if they are not executed on our side?

Posted on April 15, 2025 by IT Sec

I’m responsible for a web application where users can upload a file containing data in a specific syntax, which then automatically fills out a form instead of requiring manual input.
The issue is that it’s possible to include a malicious s… Continue reading Is it acceptable to ignore potential XSS payloads if they are not executed on our side?→

How to exploit XSS javascript:-URIs [closed]

Posted on April 3, 2025 by superuser

How would one exploit the following Google Firing Range vulnerable XSS page? (https://public-firing-range.appspot.com/dom/javascripturi.html)
The code is simple:
<html>
<head><title>javascript:-URI</title></hea… Continue reading How to exploit XSS javascript:-URIs [closed]→

XSS CTF – How to execute payload inside an HTML comment (blacklisted words & encoded characters)

Posted on March 14, 2025 by drmr

I’m trying to solve a CTF challenge that requires me to obtain the admin cookie through XSS. Here’s the situation:
-Main form: When I enter any input, it gets reflected in the page, but it is inserted inside an HTML comment. For example, i… Continue reading XSS CTF – How to execute payload inside an HTML comment (blacklisted words & encoded characters)→

XSS working in browser but not through script

Posted on March 11, 2025 by Zanna

I’m working on a CTF where to obtain the flag I need to trigger the admin user of a Flask app to reveal it.
The way this has to be done is through a CSRF + XSS chain attack, as the validation script first login on the app, then navigates t… Continue reading XSS working in browser but not through script→

Jinja2: safe from XSS/SSTI if using select_autoescape and context dictionary?

Posted on March 4, 2025 by Nils Deschrijver

In a FlaskRestX API for an e-commerce site, I use jinja2 to generate a HTML template (to create a PDF purchase receipt). After reading the docs, and asking various AI models, I am still not convinced that my code is safe from XSS (Cross-Si… Continue reading Jinja2: safe from XSS/SSTI if using select_autoescape and context dictionary?→

Over 350 High-Profile Websites Hit by 360XSS Attack

Posted on February 28, 2025 by Deeba Ahmed

360XSS campaign exploits Krpano XSS to hijack search results & distribute spam ads on 350+ sites, including government,… Continue reading Over 350 High-Profile Websites Hit by 360XSS Attack→

Sites of Major Orgs Abused in Spam Campaign Exploiting Virtual Tour Software Flaw

Posted on February 27, 2025 by Eduard Kovacs

XSS vulnerability allowed a threat actor to redirect users to arbitrary domains.
The post Sites of Major Orgs Abused in Spam Campaign Exploiting Virtual Tour Software Flaw appeared first on SecurityWeek.
Continue reading Sites of Major Orgs Abused in Spam Campaign Exploiting Virtual Tour Software Flaw→

Dalfox: Open-source XSS scanner

Posted on February 26, 2025 by Mirko Zorz

DalFox is an open-source tool for automating the detection of XSS vulnerabilities. With powerful testing capabilities and a wide range of features, it makes scanning, analyzing parameters, and verifying vulnerabilities faster and easier. “The uni… Continue reading Dalfox: Open-source XSS scanner→

Web Server Generic Cookie Injection

Posted on February 24, 2025 by Anonymous

After running a Nessus scan, one of its plugins checks for cookie injection called "Web Server Generic Cookie Injection" (https://www.tenable.com/plugins/nessus/44135)
The scan shows that this issue exists on a site. It shows tha… Continue reading Web Server Generic Cookie Injection→