XSS-Resources

This is a quick list of XSS resource I refer to often.

I've organised research by year to help give a better understanding of how various techniques have evolved over the past few years.

Structured learning resources

• PortSwigger Web Security Academy

XSS challenges, exercises and CTFs etc

• PortSwigger XSS Labs
• PwnFunction challenges
• Google CTF (Various years)
• Google XSS Game
• Google Firing Range
• alf.nu - Alert(1) to win

XSS payloads and cheatsheets

• PortSwigger XSS Cheatsheet
• PortSwigger XSS Cheatsheet - PDF version
• terjanq - Tiny XSS Paylods

Bypasses

• SecJuice - Arithmetic Operators and Optional Chaining

Research - by year (Original published date)

This lists interesting XSS related research published over the past few years.

2020

• Google - Prevent DOM XSS with Trusted Types
• Gareth Heyes - Evading defences using VueJS script gadgets
• Gareth Heyes - Bypassing DOMPurify again with mutation XSS
• terjanq - Arbitrary Parentheses-less XSS
• Michał Bentkowski - Mutation XSS via namespace confusion – DOMPurify < 2.0.17 bypass
• Daniel Santos - From SVG and back, yet another mutation XSS via namespace confusion for DOMPurify < 2.2.2 bypass

2019

• Gareth Heyes - XSS without parentheses and semi-colons
• Michał Bentkowski - Write-up of DOMPurify 2.0.0 bypass using mutation XSS
• Michał Bentkowski - Security analysis of <portal> element

2017

• Google - Don’t trust the DOM: Bypassing XSS mitigations via Script gadgets
• Google - Don’t trust the DOM: Bypassing XSS mitigations via Script gadgets (Youtube version)
• Gareth Heyes - DOM based AngularJS sandbox escapes
• Gareth Heyes - Abusing JavaScript frameworks to bypass XSS mitigations

2016

• Gareth Heyes - Bypassing CSP using polyglot JPEGs
• Gareth Heyes - XSS without HTML: Client-Side Template Injection with AngularJS

2013

• Cure53 - mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations