Some time back, I was testing a private site where I was able to execute an XSS attack. By leveraging the initial XSS, I managed to steal a CSRF token, bypass CSRF protections, and make an XHR request, which led to another XSS vulnerability on a different endpoint. By chaining both XSSes, I gained the ability to execute JavaScript remotely from the attacker's control panel (mine).
Using Node.js, I delivered malicious commands from my control panel to the target’s browser. This allowed me to steal credentials, capture keystrokes, change security questions, reset passphrases, and more—effectively locking the target out of their own account.
However, one key limitation was that the first XSS was a self-XSS, meaning the attacker had to trick the target into copying and pasting the payload. To achieve this, I used pastejacking.
Since I cannot show the real proof of concept, I have created a simulated attack by replicating the vulnerable site. While this replica is not as fully functional as the real system, the attack flow remains the same, as demonstrated in the video below.