Getting Your XSS to Work


Turning self XSS to reflected

The most common security bug found on the web is, of course, cross-site scripting (XSS). Most organizations underestimate the risk of XSS, especially when they think it is only a self XSS.

So let’s start by looking at some payloads for testing XSS.

Personally I use Burp Suite or one of the many tools found online to test for XSS (BruteXSS, xsser, etc.).

You simply check whether your input, or some part of it, is reflected unsanitized somewhere in the response.

For testing payloads, you can use my own list shared on GitHub:

XSS payloads list

Or you can use the awesome XSS cheat sheet published by Brute.

After running your own tests on the website, you should have a good list of possibly valid XSS; continue digging and verify each one manually (use Firefox for this, as Chrome has built-in XSS protection).

You should be familiar with the XSS types (reflected, stored, DOM-based), and also with self XSS, which can be any of the three types but only affects your own user.

When you find this kind of XSS, one that cannot be used against another user, you should check whether you can convert it into a good XSS; in most cases you can.

Case #1

You find a self XSS in a POST request.

Check whether this POST request can be turned into a GET request; a useful Firefox plugin for this is Web Developer.

If it can, this turns it into a good reflected XSS.

Case #2

You find a self XSS in a POST request.

Check whether it is directly vulnerable to CSRF. Using the CSRF, you can make a user submit the POST request with your preset parameters, including the malicious payload, which triggers the XSS (you can test this with the ZAP Anti-CSRF Test Form).


Case #3

You find a self XSS stored in your account on a website, but it only affects the user of your account.

Check whether that website is vulnerable to login/logout CSRF; you can induce a user to log out and then log in to your account, where they are affected by the XSS you stored there.
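As an added example (not code from the original post), here is a minimal Python request handler showing the weak pattern that all three cases rely on next to its hardened form: the endpoint accepts POST only, checks a session-bound CSRF token, and HTML-encodes the reflected value. The in-memory session store, handler names and parameter names are assumptions.

```python
import hmac
import html
import secrets

# Constructed in-memory session store standing in for the server's session
# layer (assumption: a real app would use its framework's session middleware).
SESSIONS = {"sess-alice": {"csrf_token": secrets.token_hex(16)}}


def vulnerable_comment(method, params):
    """Weak pattern: accepts GET as well as POST (Case #1), has no CSRF
    token (Cases #2 and #3), and reflects 'comment' into HTML unencoded."""
    return 200, "<p>" + params.get("comment", "") + "</p>"


def hardened_comment(method, params, session_id):
    """Hardened handler.

    - Rejecting GET stops the POST-to-GET conversion of Case #1.
    - A CSRF token tied to the session stops the forged POST of Case #2;
      the same check on the login form stops the login CSRF of Case #3.
    - HTML-encoding the reflected value removes the XSS itself, whatever
      route delivered it, including a payload already stored on the account.
    """
    if method != "POST":
        return 405, "method not allowed"
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"
    supplied = params.get("csrf_token", "")
    # Constant-time comparison so token checks do not leak timing information.
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return 403, "bad csrf token"
    safe = html.escape(params.get("comment", ""), quote=True)
    return 200, "<p>" + safe + "</p>"


if __name__ == "__main__":
    tok = SESSIONS["sess-alice"]["csrf_token"]
    print(vulnerable_comment("GET", {"comment": "<b>hi</b>"}))
    print(hardened_comment("GET", {"comment": "<b>hi</b>"}, "sess-alice"))
    print(hardened_comment("POST", {"comment": "<b>hi</b>", "csrf_token": tok}, "sess-alice"))
```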


Always go all the way in trying to turn a self XSS into a good XSS, and follow how other hackers do it; you will be amazed how often it works.