Posts

API calls and requests for resources can sometimes be diverted toward a different endpoint on the same host, potentially resulting in DOM XSS’s that would otherwise be impossible to trigger, or other types of client-side vulnerabilities.

Using hashchange events to control a vulnerable page and escalate an otherwise mostly harmless DOM XSS.

Bypassing CSP and SRI with HTML injection and DOM Clobbering.