Bypassing XSS Defenses Part 1: Finding Allowed Tags and Attributes

This post intends to serve as a guide for a common bypass technique when you're up against a web application firewall (WAF). In the event that the WAF limits what tags and attributes are allowed to be passed, we can use BurpSuite's Intruder functionality to learn which tags are allowed. Table of Contents: Setting the…

Cross Site Scripting ( XSS ) Vulnerability Payload List, by Ismail Tasdelen

XSS: Beating HTML Sanitizing Filters - PortSwigger

Defending against XSS with CSP

Full article: Case Study: Extenuation of XSS Attacks through Various Detecting and Defending Techniques

Securing SPAs with Trusted Types

What is Cross Site Scripting? Definition & FAQs

Bypassing modern XSS mitigations with code-reuse attacks - Truesec

Bypassing XSS Defenses Part 1: Finding Allowed Tags and Attributes

Bypassing modern XSS mitigations with code-reuse attacks - Truesec

Reflected XSS protected by very strict CSP, with dangling markup attack (Video solution, Audio)

XSS‐immune: a Google chrome extension‐based XSS defensive framework for contemporary platforms of web applications - Gupta - 2016 - Security and Communication Networks - Wiley Online Library

A pen tester's guide to Content Security Policy - Outpost24