Over the past 10+ years, Cross-Site Scripting has made its way into just about every ‘top-ten vulnerability’ list and has consistently starred in headlines and POCs. XSS vulnerabilities are also commonly submitted through bug bounty programs, and many write them off as ‘low-hanging fruit.’ We’re here to tell you that not all XSS are created equal.
This episode of Big Bugs examines the reason we’re experiencing XSS-Fatigue, some examples of high impact XSS bugs found in the wild, and resources for defenders and offenders.
Resources Mentioned in this Episode:
- Browser Exploitation Framework A.K.A. BeEF
- Bugcrowd VRT
- Bug Hunter’s Methodology Slideshow – Given originally at DEFCON 23
- Unleashing an Ultimate XSS Polyglot – Hack Vault
- Fuzzing Payloads with SecLists, compiled by myself and Daniel Miessler
- Sleepy Puppy – helps identify Blind XSS
Other Useful Resources: