Self-XSS Bypass
CSRF In Login
Look for CSRF on the login form: if it exists, the attacker can force the victim to log in to the attacker's account, so the stored self-XSS payload executes in the victim's browser.
fetchLater()
SOME (Same-Origin Method Execution)
Bypass Self-XSS via SOME: Short Steps w/ Code Blocks
Setup: Self-XSS in profile (e.g., dashboard). Victim (bot/admin) visits your link. Goal: Leak sensitive data (e.g., API key from /api/me) via window.opener chain. Host exploit on attacker.com.
Step 1: Confirm Self-XSS
Inject in profile name:
If it fires only on your own dashboard, it is a self-XSS and a candidate for escalation.
Step 2: Build Parent Page A (exploit.html on attacker.com)
Opens child (your XSS page), redirects to sensitive endpoint.
Step 3: Build Child Payload B (Inject in self-XSS)
Waits for the parent to load, logs the victim in to your account via the login CSRF, then reads data through window.opener. Add a 100-200 ms delay.
Step 4: Deliver & Trigger
Victim visits attacker.com/exploit.html. Flow: A opens B (XSS fires) → A loads /api/me → B steals and exfiltrates (base64 via btoa).
Step 5: Handle Multi-Step (e.g., Confirmations)
Spawn extra window (Window 3) for chaining clicks:
Tips: SOME works only between same-origin windows. Use Burp or the SOMEtime plugin to scan for JSONP endpoints with attacker-controlled callback names. Mitigation: use static (server-chosen) callbacks, or no JSONP at all.
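The "static callbacks" mitigation above means the client may only choose among server-defined function names, so a callback parameter can never be echoed into executable JavaScript as a method path. As an added example (not code from the original page or from any project it mentions), this JSONP responder implements that rule together with the content-type headers that stop the response being sniffed or reused; ALLOWED_CALLBACKS and buildJsonpResponse are names assumed for the demo.

```javascript
// Static allowlist: the client sends a key, the server chooses the function name.
const ALLOWED_CALLBACKS = new Map([
  ["profile", "handleProfile"],
  ["search", "handleSearch"],
]);

// Defence in depth: even an allowlisted name must be a plain identifier.
// Anything containing ".", "[" or "(" (e.g. a method reference through
// opener.document) is rejected before it can reach the response body.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function buildJsonpResponse(callbackKey, data) {
  const fn = ALLOWED_CALLBACKS.get(callbackKey);
  if (typeof fn !== "string" || !IDENTIFIER.test(fn)) {
    return { status: 400, headers: { "Content-Type": "text/plain" }, body: "invalid callback" };
  }
  // JSON.stringify output is valid JS except for U+2028/U+2029 inside strings;
  // escape them so the data literal cannot terminate the call early.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return {
    status: 200,
    headers: {
      // Declared as script, never sniffed, and never cached per-user.
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
      "Cache-Control": "no-store",
    },
    // The leading comment is the usual guard against the response being
    // interpreted as anything other than a script.
    body: `/**/ ${fn}(${json});`,
  };
}
```

Using a Map rather than a plain object matters: with an object, a key such as "constructor" resolves through the prototype chain and would pass a naive truthiness check.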
CORS + Self-XSS to ATO Checklist
Got Self-XSS?: Confirm self-XSS vulnerability.
Check CORS Misconfig: Run either
    cat corstexturl.txt | CorsMe
or
    cat corstexturl.txt | sort -u | anew | while read host; do curl -s -i --path-as-is --insecure -H "Origin: test.com" "$host" | grep -qsi "^Access-Control-Allow-Origin: test.com" && printf '%s \033[0;31mcors Vulnerable\033[0m\n' "$host"; done
(curl needs -i so the response headers are actually piped into grep; the header name is matched case-insensitively, and printf is used because a plain echo does not interpret the colour escape.)
Exploit CORS: Replace XSS payload with:
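What the check above detects is a server that copies the request's Origin header into Access-Control-Allow-Origin while also allowing credentials. As an added example (not code from the original page), here is that reflecting handler beside an exact-match allowlist version, plus a small function that applies the same probe the curl loop uses; the function names, the allowlist entries and the probe origin are constructed for the demo.

```javascript
// Weak form: any Origin is echoed back and credentials are allowed, so any
// site the victim visits can read authenticated responses from this host.
function corsHeadersReflecting(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened form: exact string match against a fixed set. No prefix or suffix
// matching, no regex, and no "null" (which sandboxed iframes and some
// redirects can produce).
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

function corsHeadersAllowlisted(origin) {
  // Vary: Origin is always sent so caches do not serve one origin's
  // permission to another.
  if (typeof origin !== "string" || !ALLOWED_ORIGINS.has(origin)) {
    return { Vary: "Origin" }; // no Access-Control-Allow-Origin at all
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Emulates the curl probe: send an arbitrary Origin and see whether it is
// reflected with credentials enabled. True means the host would be flagged.
function reflectsProbeOrigin(handler, probe = "https://test.com") {
  const h = handler(probe);
  const acao = (h["Access-Control-Allow-Origin"] || "").toLowerCase();
  return acao === probe.toLowerCase() && h["Access-Control-Allow-Credentials"] === "true";
}
```

Run the probe against both handlers to see the difference: the reflecting one is flagged, the allowlisted one returns no Access-Control-Allow-Origin for the probe and therefore blocks the cross-origin read even though it still serves the two approved origins.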