self-xss

17 articles
0 5/10

A bug bounty hunter demonstrates chaining self-XSS to blind XSS in an admin panel via HTML entity encoding bypass, then discovers a reflected XSS on an undiscovered subdomain using KNOXSS payload analysis, earning $700 total. The writeup focuses on practical payload techniques and methodology rather than detailed technical analysis.

KNOXSS Sublist3r Skeletorkeys Friendly
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 9/10

A researcher escalated a self-XSS vulnerability on Uber's Partners portal into a cross-user XSS attack by chaining three separate issues: leveraging missing CSRF protection in the OAuth login flow and logout endpoint, combined with CSP manipulation and iframe-based session hijacking to execute arbitrary JavaScript in a victim's context and exfiltrate sensitive data.

Uber partners.uber.com login.uber.com fin1te
whitton.io · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 7/10

A researcher demonstrated how to escalate self-XSS into non-self stored XSS on PayPal's Technical Support and Brand Central portals by exploiting inadequate file content validation (allowing malicious SVG files) and authorization issues that permitted unauthenticated users to submit tickets to registered accounts. The vulnerability enabled attackers to inject malicious scripts that would execute when support staff or authorized users accessed the tickets.

PayPal paypal-techsupport.com paypal-brandcentral.com YoKo Kho BruteLogic
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 2/10

A beginner bug bounty hunter discovered a Self-XSS vulnerability in Amazon's developer.amazon.com where Security Profile names were reflected in source code, which they escalated to a logout CSRF issue. The vulnerability was reported, triaged, and fixed within a week, though no monetary reward was offered per Amazon's policy.

Amazon developer.amazon.com Coding_Karma Karel_Origin Robert Smith
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 7/10

A researcher chained an AngularJS template injection self-XSS vulnerability with a misconfigured OAuth implementation that failed to validate the presence of the state parameter, allowing them to connect an attacker's Dropbox account to victim accounts and import malicious files containing XSS payloads, resulting in stored XSS execution.

Rohan Aggarwal HackerOne Dropbox Google Drive
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 6/10

A writeup demonstrating how to chain Self-XSS with CSRF to escalate into Stored XSS by crafting a malicious form that exploits a name-change endpoint lacking CSRF protection, allowing arbitrary JavaScript execution when victims visit the attacker's page.

Renwa xsshunter.com Burpsuite
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 4/10

A self-XSS vulnerability was discovered in Indeed.com's job alert creation feature, where injected JavaScript (via an img onerror handler) could execute in the user's browser and steal cookies. The author documents their first bug bounty experience, including lessons learned about proper vulnerability reporting and escalation.

Indeed.com Sampanna Chimoriya Google.com
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 6/10

A writeup demonstrating how chaining self-XSS with clickjacking (UI redressing) via missing X-Frame-Options header can achieve session hijacking by stealing victim cookies through a drag-and-drop PoC that executes malicious JavaScript on the victim's browser.

Armaan Pathan InfoSec Write-ups HackerOne Bugcrowd Rahul Maini
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 7/10

A bug bounty hunter discovered a stored XSS vulnerability on m.uber.com that could be chained with an arbitrary cookie installation vulnerability on business.uber.com to steal oauth2 tokens and compromise any logged-in Uber user's account. The exploit involved injecting malicious cookies via unsanitized server responses and using the XSS payload to extract sensitive authentication cookies from victims.

Uber m.uber.com business.uber.com HackerOne Jack httpsonly
httpsonly.blogspot.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 7/10

Researchers discovered and exploited a DOM XSS vulnerability in Tesla's forums (forums.tesla.com) via CKEditor's InsertHtml function, bypassing HTML filters with a crafted img tag payload to load arbitrary JavaScript and embed a DOOM game in the page. The vulnerability was a self-XSS with limited impact but demonstrated creative filter evasion techniques.

Tesla forums.tesla.com CKEditor Linus Särud Fredrik Almroth Detectify vexal js-dos
labs.detectify.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 6/10

A self-XSS vulnerability in an application form was escalated to persistent XSS through clickjacking exploitation, leveraging the absence of X-Frame-Options headers to trick users into executing malicious JavaScript via an invisible iframe overlay.

HackerOne Arbaz Hussain
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 8/10

A technique to escalate self-XSS in Moodle into full XSS against arbitrary users by exploiting double session cookies with different paths combined with login CSRF or impersonation functionality, allowing arbitrary JavaScript execution in victim context for full account compromise.

Moodle Daniel Thatcher Chrome Firefox BurpSuite PHP
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 7/10

A bug bounty researcher discovered a technique to escalate a self-XSS vulnerability into a reflected XSS by encoding the malicious payload as a QR code, which bypassed client-side filtering and allowed automatic payload execution when scanned by victims without additional user interaction.

HackerOne Hein Thant Zin
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 5/10

A writeup describing cookie-based XSS exploitation techniques including CRLF injection, XSS on subdomains, test file discovery, and MITM attacks to bypass self-XSS restrictions and achieve account takeover. The author shares a $2,300+ bounty case demonstrating how combining multiple vulnerabilities can escalate impact.

HackerOne OWASP Twitter Mail.ru Max
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 6/10
vulnerability

A writeup demonstrating how to escalate a self-stored XSS vulnerability in an account profile field to steal credentials from other users by injecting a phishing form via iframe and exfiltrating login data to an attacker-controlled server.

Saad Ahmed
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 7/10

A researcher chained a self-XSS vulnerability with SMTP email injection to achieve stored XSS by crafting malformed emails via netcat that create new clients with XSS payloads in email fields, triggering when employees access client management pages.

Plenum Mailgun Medium
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 6/10
vulnerability

A researcher discovered a bug chain combining Stored Self XSS with IDOR in a financial management application, exploiting an incremental ID vulnerability to inject XSS payloads into other users' supplier requests that would execute when victims deleted those requests.

footstep.ninja · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details