How to turn Self-XSS into Good XSS

I have been participating in bug bounty programs for the past several years (although my bug bounty activity has slowed down in the past two years). During that time I have had many fights with developers to convince them that they should fix self-exploit XSS vulnerabilities, because of the discrimination they have against self cross-site scripting.

However, in the past two years, several researchers have demonstrated how to turn a self-XSS vulnerability into a "good" XSS vulnerability and exploit it. These demonstrations give a lot of insight for further research on how to exploit self-XSS vulnerabilities by leveraging some seemingly trivial security issues (such as login CSRF and framing). They should certainly help developers understand that they should treat self-exploit XSS vulnerabilities more seriously.

Referring to the following list of PoCs for exploiting self-XSS vulnerabilities:

https://whitton.io/articles/uber-turning-self-xss-into-good-xss/

https://medium.com/@bugbsurveys/self-xss-and-vol2-1b5049e59ae6

http://ashishpathaksec.blogspot.com/2015/06/how-i-convert-self-xss-into-stored-xss.html

http://www.ninoishere.com/airbnb-bug-bounty-turning-self-xss-into-good-xss-2/

The building blocks these PoCs rely on are:

  1. CSRF: log the victim in and out (login CSRF, so the victim is forced into the attacker's account).
  2. IFrame: frame the page to obtain useful information about the victim.
  3. CSP abuse: keep part of the victim's session by using a CSP rule.
  4. X-Frame-Options: abuse the same-origin policy. When the page can be framed, the top window has access to the iframe's contents, which allows an attacker to read useful information such as CSRF tokens.

To sum it up, here are the steps to exploit a self-XSS vulnerability:

Step 1: The attacker logs in and plants the XSS payload in their own account.

Step 2: The victim is logged in to the attacker's account via CSRF (login CSRF).

Step 3: The victim executes the XSS payload.

Step 4: The XSS payload runs inside the iframe. This step can be tricky; it all depends on how the authentication process is implemented. It involves switching the victim back to their own account by using an iframe, so that the attacker's script can read data from the victim's session.
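The chain above only works when two weaknesses coincide: the login form accepts a POST without an anti-CSRF token (so a victim can be logged into the attacker's account), and the page can be framed (so a same-origin top window can read the framed session). The following is an added defensive example, not code from this post or from any of the referenced writeups; it audits a constructed login response for both weaknesses. The HTML samples and headers are constructed, and the token name hints are assumptions about common naming.

```python
"""Audit a login page for the two weaknesses a self-XSS-to-good-XSS chain needs:
a POST login form with no anti-CSRF token (login CSRF) and a page that can be
framed (no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors)."""
from html.parser import HTMLParser

# Assumed substrings that usually identify an anti-CSRF hidden field.
TOKEN_HINTS = ("csrf", "xsrf", "token", "authenticity", "nonce")


class _FormScanner(HTMLParser):
    """Collect every <form> with its method, action and hidden input names."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(), "hidden": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("type", "").lower() == "hidden":
            self._current["hidden"].append(a.get("name", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(html, headers):
    """Return a list of findings; an empty list means both weaknesses are absent."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        if form["method"] != "post":
            continue  # GET forms are not the login POST we care about
        if not any(any(h in name.lower() for h in TOKEN_HINTS) for name in form["hidden"]):
            findings.append(f"login-csrf: POST form '{form['action']}' has no anti-CSRF token")
    hdrs = {k.lower(): v for k, v in headers.items()}
    xfo = hdrs.get("x-frame-options", "").strip().upper()
    csp = hdrs.get("content-security-policy", "").lower()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("framing: no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors")
    return findings


# Constructed samples: a weak login response and its hardened counterpart.
WEAK_HTML = '<form action="/login" method="post"><input name="user"><input type="password" name="pass"></form>'
WEAK_HEADERS = {"Content-Type": "text/html"}
FIXED_HTML = ('<form action="/login" method="post"><input type="hidden" name="csrf_token" '
              'value="constructed-value"><input name="user"><input type="password" name="pass"></form>')
FIXED_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "DENY",
                 "Content-Security-Policy": "frame-ancestors 'none'"}

if __name__ == "__main__":
    print(audit_login_page(WEAK_HTML, WEAK_HEADERS))   # two findings
    print(audit_login_page(FIXED_HTML, FIXED_HEADERS)) # []
```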
