XSS

When a browser is rendering HTML and any other associated content like CSS, javascript, etc. it identifies various rendering contexts for the different kinds of input and follows different rules for each context. A rendering context is associated with the parsing of HTML tags and their attributes. The HTML parser of the rendering context dictates how data is presented and laid out on the page and can be further broken down into the standard contexts of HTML, HTML attribute, URL, and CSS. The JavaScript or VBScript parser of an execution context is associated with the parsing and execution of script code. Each parser has distinct and separate semantics in the way they can possibly execute script code which make creating consistent rules for mitigating vulnerabilities in various contexts difficult. The complication is compounded by the differing meanings and treatment of encoded values within each subcontext (HTML, HTML attribute, URL, and CSS) within the execution context.

• https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
• Building Advanced XSS Vectors
• UNDERSTANDING XSS AUDITOR
• A comprehensive tutorial on cross-site scripting
• Writeup about XSS puzzler
• Reflected XSS through AngularJS sandbox bypass causes password exposure of McDonald users
• XSStrike is a program which can crawl, fuzz and bruteforce parameters for XSS. It can also detect and bypass WAFs
• Top 500 Most Important XSS Script Cheat Sheet for Web Application Penetration Testing
• Stored XSS on Facebook wall by embedding an external video with Open Graph
• From PNG tEXt to Persistent XSS
• Polyglot payloads
• XSS Polyglot Challenge v2
• Awesome XSS
• XSS-Auditor — the protector of unprotected
• Intigriti XSS Challenge - Solution and problem solving approach
• XSS cheat sheet
• HackMD Stored XSS and HackMD Desktop RCE
• Microsoft Edge - Universal XSS
• Remote Code Execution in Firefox beyond memory corruptions
• Microsoft Edge (Chromium) - EoP via XSS to Potential RCE
• Redefining Impossible: XSS without arbitrary JavaScript
• XSS in the AWS console
• Tiny XSS Payloads
• alert() without letters or numbers

RPO

It stands for relative path overwrite.

• First article about it
• RPO gadgets