Category
JavaScript / Browser
Client- and server-side JS bugs — mXSS, prototype pollution and path-copy gadgets, CSP bypass chains, DOM clobbering, Angular sinks, and Node module / inspector pivots.
Notes
28 total
Angular CSPT / Client-Side Path Traversal to Same-Origin Resources
Trick Angular's client-built fetch URL into requesting another same-origin resource via surviving path separators or matrix params.
bypassSecurityTrustHtml + [innerHTML] as the Final Angular Sink
Reach data into DomSanitizer.bypassSecurityTrustHtml() bound to [innerHTML] to disable Angular's sanitization.
DOM Clobbering to Hijack a Data Source or Callback
Inject named elements so JS reads attacker-controlled config or callbacks from document/form named properties.
Dynamic import() from a data: URL in Node
Deliver attacker JS through a data:text/javascript module specifier that comments out an appended suffix.
Event-Source Hijacking on a "Trusted" Iframe
Defeat e.source === iframe.contentWindow checks (without origin checks) by navigating the trusted frame to attacker content.
document.execCommand() as an HTML Sink
Use rich-text commands like insertHTML as explicit parser sinks when you control both command and value.
Exposed API Docs / README / JS Sources as Functional Oracles
Treat leaked docs, bundles, and operational endpoints as the shortest path to the intended primitive, not just enumeration.
IDNA / Fullwidth Unicode → CSP Injection + JS Breakout
Use fullwidth punctuation that IDNA normalization collapses into ASCII syntax inside a CSP header or inline JS string.
Image / JSON Upload Confusion Leading to Angular XSS
Upload a file that passes server image validation but is fetched as JSON by Angular, bridging server and client trust into XSS.
importmap / speculationrules as CSP Bypass Surfaces to Watch
Test unusual script types whose CSP handling has had browser-version-dependent corners when classic inline scripts are blocked.
Overly Permissive LIKE on Username during Password Reset
Abuse a WHERE username LIKE ? reset query with wildcards to match and reset the admin account.
Prototype-Inherited Secret Leak through LiquidJS sort_natural
Leak an inherited secret by observing how a LiquidJS sort filter orders attacker probe values around it.
Meta CSP in <head> + Nonce Theft + iframe.srcdoc Reparse
Inject a meta CSP, read an existing nonce, and reparse through iframe.srcdoc to turn a blocked inline script into an allowed one.
Missing await on bcrypt.compare() Makes Auth Always Truthy
Exploit if (bcrypt.compare(...)) without await — a Promise is truthy, so any password logs in.
mXSS through DOMPurify + JSDOM Reparse of a "Safe" Tree
Exploit the parser mismatch between server-side DOMPurify/JSDOM sanitization and browser reparsing of the serialized string.
Next.js / React Server Actions / React2Shell
Replay Server Action calls out of band to reach callable backend functions when IDs, serialization, and WAF behavior line up.
DevTools / Node Inspector Pivot via SIGUSR1
Open a Node process's inspector with SIGUSR1, then use the DevTools protocol to evaluate code in that process.
Obfuscated JS Auth — MD5 + XOR + Base64
Recover a client-side "secret" by beautifying obfuscated JS and reversing its transform stack offline.
OIDC Provider Takeover + JSONP Callback Injection
Point SSO at attacker-controlled OIDC metadata, and/or abuse a JSONP callback endpoint for browser-side code execution.
Parameter Pollution / Array Fields to Break SQLite Bind Logic
Send repeated/array fields so a Node app spreads them into SQLite params, distorting binding order or values.
postMessage HTML Injection
Send a message a receiver treats as trusted HTML because it skips strict origin and schema checks.
__proto__ / Inherited Property Exposure through Dynamic Routes
Probe routes that index objects by path key for inherited properties to reveal structure and prototype-pollution reachability.
Prototype Pollution / Path-Copy Gadget from Query String
Abuse a custom "copy a.b.c into x.y.z" parser as an arbitrary property write across the browser object graph.
Replacing the Security Sink (blacklist.includes) with a Useful Callable
Rebind the function the app already calls (e.g. blacklist.includes) to a more useful existing primitive instead of injecting new code.
SameSite=Lax Means Top-Level Navigation Sends the Cookie
Switch from iframe-based exfiltration to a top-level window so a SameSite=Lax cookie is actually sent.
Truthy / Falsy Logic Bug + Object.prototype.length Pollution
Flip a branch like (v ? 0 : v.length) by setting an inherited length through prototype pollution.
Turkish Unicode Bypass on execCommand("insertHTML")
Use locale-sensitive case folding (Turkish dotted I) so a lowercased command-name blacklist misses insertHTML.
Weak HTML Sanitizer / Case-Insensitive Event Handlers
Bypass blacklists that miss mixed-case event handlers, since HTML attribute names are case-insensitive in the browser.