A security researcher chained stored iframe injection with CSRF to achieve account takeover: a malicious iframe injected into a discussion forum silently executed a CSRF attack, when loaded by an admin, that changed the victim's email address. The attack exploited HTML injection in the reply feature combined with an unprotected email change endpoint.
A writeup demonstrating how to chain self-XSS with CSRF to escalate into stored XSS: a crafted malicious form exploits a name-change endpoint lacking CSRF protection, allowing arbitrary JavaScript execution when victims visit the attacker's page.
A writeup demonstrating how chaining self-XSS with clickjacking (UI redressing), made possible by a missing X-Frame-Options header, can achieve session hijacking: a drag-and-drop PoC executes malicious JavaScript in the victim's browser and steals the victim's cookies.