Hello World, while doing bug bounty hunting I came across some special XSS cases. In this blog post I will write about them.

1) XSS That Works Only on Mobile Devices

Recently I was hunting on a program and testing parameters for XSS. The website has a strong WAF, since it is a banking-related website.

  • All tags are blocked and almost all event handlers are blocked. I tried bypassing the WAF and was about to give up.

  • I noticed normal strings like FUZZ are being reflected, but whenever I use one with an event handler in the payload, I get blocked by the WAF.

  • So I tried all event handlers from the PortSwigger cheat sheet, and only the event handlers below gave a response of 200 OK


Using them in the payload like this didn’t pop any alert. After googling about these event handlers a bit, I understood that these event handlers only work on mobile devices.


The developers blocked all event handlers but not mobile event handlers. Using Toggle Device Toolbar in the Chrome DevTools, we can simulate the mobile device environment, so I quickly changed that, and clicking on the name field popped an alert with cookies.

2) XSS in Hidden Input

You might already be familiar with this one. But I didn’t know about this until recently, when one of the targets I was hacking on was vulnerable to it.

PortSwigger has a good blog post -> XSS in Hidden Input Fields
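Both cases above rely on a handler-name blocklist as the only control on reflected input. The following is an added example, not code from this post or from the target, comparing such a blocklist with attribute-context output encoding and auditing the rendered tag for unexpected `on*` attributes. It assumes the reflected value lands in a quoted `value` attribute; the function names, the blocklist contents and the `onplaceholder` attribute are constructed for illustration.

```javascript
// Added illustration: all names and sample values here are constructed.

// Weak control: reject input only when it contains a handler name from a fixed list.
const BLOCKED_HANDLERS = ['onclick', 'onload', 'onerror', 'onfocus', 'onmouseover'];
function blocklistAllows(input) {
  const lower = input.toLowerCase();
  return !BLOCKED_HANDLERS.some((h) => lower.includes(h));
}

// Strong control: encode for the HTML attribute context, so the value can
// never close the quoted attribute it is placed in.
function encodeAttr(value) {
  return String(value).replace(/[&<>"'`=]/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Render an input element, with or without encoding the reflected value.
function renderInput(type, name, value, encode) {
  const v = encode ? encodeAttr(value) : value;
  return `<input type="${type}" name="${name}" value="${v}">`;
}

// Minimal attribute lister for one tag, used to audit what was rendered.
function attributeNames(tag) {
  const names = [];
  const re = /([^\s"'<>\/=]+)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/g;
  const body = tag.replace(/^<\w+/, '').replace(/>$/, '');
  let m;
  while ((m = re.exec(body)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Any attribute starting with "on" that the template did not emit is a finding.
function unexpectedHandlers(tag) {
  return attributeNames(tag).filter((n) => n.startsWith('on'));
}

// Constructed input: a handler name that is simply absent from the blocklist.
const reflected = 'x" onplaceholder="1';
console.log('blocklist lets it through:', blocklistAllows(reflected));
console.log('raw render     ->', unexpectedHandlers(renderInput('hidden', 'q', reflected, false)));
console.log('encoded render ->', unexpectedHandlers(renderInput('hidden', 'q', reflected, true)));
```

The encoded rendering keeps the whole reflected string inside `value`, so the result does not depend on which handler names a filter happens to know about.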

[+] I will keep updating this blog post when I find any interesting cases of XSS. If you know any, ping me on Twitter. I will add them here and give you credit.

That's it for now. Cheers !!! Happy Hacking :)