Bypassing XSS Defenses Part 1: Finding Allowed Tags and Attributes

This post intends to serve as a guide for a common bypass technique when you're up against a web application firewall (WAF). In the event that the WAF limits what tags and attributes are allowed to be passed, we can use BurpSuite's Intruder functionality to learn which tags are allowed. Table of Contents: Setting the…

CSP and Bypasses

XSS: Beating HTML Sanitizing Filters - PortSwigger

Bypassing modern XSS mitigations with code-reuse attacks - Truesec

WSTG - Latest OWASP Foundation

Bypassing XSS Defenses Part 1: Finding Allowed Tags and Attributes

What are some ways of protecting against cross-site scripting (XSS) injection through cookies? - Quora

Bypassing XSS Defenses Part 1: Finding Allowed Tags and Attributes

What is cross-site scripting (XSS)?, Tutorial & examples

Understanding XSS Attacks

XSS Attacks - Exploits and Defense by Reynaldo Mota - Issuu

Do NOT use alert(1) in XSS

Mitigate cross-site scripting (XSS) with a strict Content Security Policy (CSP), Articles

A pen tester's guide to Content Security Policy - Outpost24