Bypassing XSS Defenses Part 1: Finding Allowed Tags and Attributes

This post intends to serve as a guide for a common bypass technique when you're up against a web application firewall (WAF). In the event that the WAF limits what tags and attributes are allowed to be passed, we can use BurpSuite's Intruder functionality to learn which tags are allowed. Table of Contents: Setting the…

XSS Web Security Lens

ZTWeb: Cross site scripting detection based on zero trust - ScienceDirect

CSP Bypass Guidelines - Brute XSS

Full article: Case Study: Extenuation of XSS Attacks through Various Detecting and Defending Techniques

JCP, Free Full-Text

Do NOT use alert(1) in XSS

Bypassing XSS Defenses Part 1: Finding Allowed Tags and Attributes

Node.js Security: Preventing XSS Attacks

What is cross-site scripting (XSS)?, Tutorial & examples

How to Fix XSS Vulnerabilities on Web App Links - BreachLock

Firefox vulnerable to trivial CSP bypass

A pen tester's guide to Content Security Policy - Outpost24

Reflected XSS protected by very strict CSP, with dangling markup attack (Video solution, Audio)