From what origin was the window opened does not affect same-origin policy. And the origin of the window itself is the target's origin, since that's where we have self-xss

Yeah and the backend should completely ignore the amount of injectable arbitrary code to trigger such complex self-xss. Might be easier to just setup a i.e. BeEF hook.

When you're at the level Matan is at, that how you stand out from other hackers - you're able to exploit edge cases others can't.

Only login csrf is enough If I understand

Yes, if your payload is reflected from the URL, you don't need the victim to be logged in to your account

Yeah self xss is usually stored. This bug seems like it has a few requirements but still I'm going to search for a writeup when Im done watching for sure

@@BugBountyReportsExplained Yes, there is also the case where it's dom based self-xss (not reflected DOM-based). So basically you input something in the page and it executes (self-XSS), but it doesn't get stored for other users. This is pretty rare, but the self-XSS case I recently ran into, and that I had in mind when I started watching this video. I can provide an example if I didn't explain that well. Great content. Cheers!

Your barely ever exploit an xss by stealing session cookie because it's usually HttpOnly. But you can still read data and send requests as the victim

@@BugBountyReportsExplained ok now that's clear, thanks!

It is different and more complex than bitK technique but that's unecessary complex. Dont get me wrong, this is an awesome technique and this young man has just a crazy skill, better than most of hackers out there. Thank you for sharing this technique!!!

In 1/3 of the video, we're talking about the conventional way to exploit self-XSS which only affects confidentiality and not integrity plus you have to be on the same origin. With this technique, you can also affect integrity plus you only need to be on the same site, not same origin which means you can also exploit exotic subdomains without needing CORS.

@@BugBountyReportsExplained Yeah, you're right!! I just watched the second part, and I had to play it a second time to fully grasp the concept and its impact!

Yes, and in that case you can also skip a lot steps in the attack by just setting the attacker’s session cookies with a specific path using your XSS

I described it some time ago on BBRE Premium: members.bugbountyexplained.com/little-known-technique-to-exploit-self-xss-with-a-serious-impact/

I think if you have a csrf there you can inject it to the victim acc

@@N4G_Arthur do you have any video or blog post explain that

reach out to Matan or me and we'll see what we can do

Plz Make a practical video😊​@@BugBountyReportsExplained

@@m0zA369 lol that's literally what this video is about ^^

I surely will

Poland

Israel

Matan is from Israel

🧐

I'm not planning to. It's a client-side attack so you can fairly easily play with it in DevTools