Sometime back I was testing a private site where I was able to execute an XSS. By using the previous XSS I managed to steal CSRF token to bypass CSRF and made an XHR request which leads to another XSS in a different endpoint. After chaining both XSSes It allowed me to execute javascript remotely from the attacker’s control panel(Mine). I used nodejs to deliver my malicious commands from the control panel to the target’s browser. I could even steal credentials, any keystrokes, change whole security questions, passphrase and what not of the target. So, that target won’t be able to get their account back but to execute this all there was one dependency, the first XSS was self XSS. To make it workable, the attacker must have to trick target to copy-paste my payload for which I used pastejacking.

I can’t show you real proof of concept. So, To simulate the attack I made a replica of that site which is not functionally as same as a real system but the attack flow was similar as shown in the video.