Real world report PoCs

You can read these real world XSS PoCs to better understand how the bug is exploited in the real world scenarios

• AirBnb Bug Bounty: Turning Self-XSS into Good-XSS #2 by geekboy

• Uber Self XSS to Global XSS

• How I found a $5,000 Google Maps XSS (by fiddling with Protobuf) by Marin MoulinierFollow

• Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities by Brett

• XSSI, Client Side Brute Force

• postMessage XSS Bypass

• XSS in Uber via Cookie by zhchbin

• Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP by frans

• XSS due to improper regex in third party js Uber 7k XSS

• XSS in TinyMCE 2.4.0 by Jelmer de Hen

• Pass uncoded URL in IE11 to cause XSS

• Twitter XSS by stopping redirection and javascript scheme by Sergey Bobrov

• Microsoft XSS and Twitter XSS

• Google Japan Book XSS

• Flash XSS mega nz – by frans

• Flash XSS in multiple libraries – by Olivier Beg

• xss in google IE, Host Header Reflection

• Years ago Google xss

• xss in google by IE weird behavior

• xss in Yahoo Fantasy Sport

• xss in Yahoo Mail Again, worth $10000 by Klikki Oy

• Sleeping XSS in Google by securityguard

• Decoding a .htpasswd to earn a payload of money by securityguard

• Google Account Takeover

• Sleeping stored Google XSS Awakens a $5000 Bounty by Patrik Fehrenbach

• RPO that lead to information leakage in Google by filedescriptor

• God-like XSS, Log-in, Log-out, Log-in in Uber by Jack Whitton

• Three Stored XSS in Facebook by Nirgoldshlager

• Using a Braun Shaver to Bypass XSS Audit and WAF by Frans Rosen

• An XSS on Facebook via PNGs & Wonky Content Types by Jack Whitton

  • he is able to make stored XSS from a irrelevant domain to main facebook domain

• Stored XSS in *.ebay.com by Jack Whitton

• Complicated, Best Report of Google XSS by Ramzes

• Tricky Html Injection and Possible XSS in sms-be-vip.twitter.com by secgeek

• Command Injection in Google Console by Venkat S

• Facebook’s Moves – OAuth XSS by PAULOS YIBELO

• Stored XSS in Google Docs (Bug Bounty) by Harry M Gertos

• Stored XSS on developer.uber.com via admin account compromise in Uber by James Kettle (albinowax)

• Yahoo Mail stored XSS by Klikki Oy

• Abusing XSS Filter: One ^ leads to XSS(CVE-2016-3212) by Masato Kinugawa

• Youtube XSS by fransrosen

• Best Google XSS again – by Krzysztof Kotowicz

• IE & Edge URL parsin Problem – by detectify

• Google XSS subdomain Clickjacking

Reference: https://whoami.securitybreached.org/2019/06/03/guide-getting-started-in-bug-bounty-hunting/