I have been participating in bug bounty programs for the past several years (although my activity has slowed down in the past two), and I have had many arguments with developers trying to convince them to fix self-XSS vulnerabilities, because of the bias they have against self cross-site scripting.
However, in the past two years several researchers have demonstrated how to turn a self-XSS into a "good" XSS and exploit it. These demonstrations give other researchers a lot of insight into exploiting self-XSS by chaining it with other, seemingly trivial, security issues, and they should help developers understand that self-XSS deserves to be treated more seriously.
Referring to the following PoCs for exploiting self-XSS:
https://whitton.io/articles/uber-turning-self-xss-into-good-xss/
https://medium.com/@bugbsurveys/self-xss-and-vol2-1b5049e59ae6
http://ashishpathaksec.blogspot.com/2015/06/how-i-convert-self-xss-into-stored-xss.html
http://www.ninoishere.com/airbnb-bug-bounty-turning-self-xss-into-good-xss-2/
- CSRF: log the victim out of their own account and into the attacker's account (logout and login CSRF). This requires that the login and logout endpoints accept cross-site requests without an anti-CSRF token.
- IFrame: frame the target page so that the XSS fires inside a frame on the attacker's page while the attacker's page keeps control of the top window.
- CSP abuse: use a CSP rule on the attacker's page to block part of a redirect chain so that part of the victim's session (in the Uber write-up, the session on the login domain) survives the logout.
- Missing X-Frame-Options: the target can be framed, and under the same-origin policy documents from the same origin can read each other's DOM, so the XSS payload running in one frame can read useful information, such as CSRF tokens, out of another frame that is logged in as the victim.
To sum it up, here are the steps to exploit a self-XSS vulnerability:
Step 1: The attacker logs in and plants the XSS payload in their own account.
Step 2: The victim is logged into the attacker's account via login CSRF (after being logged out of their own account via logout CSRF, if needed).
Step 3: The victim's browser executes the XSS payload.
Step 4: The XSS payload runs inside an iframe on the attacker's page. This step can be tricky and depends entirely on how the authentication process is implemented: the payload has to keep running in the frame while the victim is switched back into their own account, which is where the iframes come in.