Puneet Varma (Editor)

Self XSS

Self-XSS is a social engineering attack used to gain control of victims' web accounts. In a self-XSS attack, the victim accidentally runs malicious code in his or her own web browser, thus exposing the account to the attacker.

Overview

Self-XSS operates by tricking users into copying and pasting malicious content into their browser's web developer console. Usually, the attacker posts a message claiming that, by copying and running certain code, the user will be able to hack another user's account. In fact, the code lets the attacker hijack the victim's own account.

History and mitigation

In the past, a very similar attack took place in which users were tricked into pasting malicious JavaScript into their browser's address bar. When browser vendors stopped this by making it harder to run JavaScript from the address bar, attackers moved to self-XSS in its current form. Web browser vendors and websites have since taken steps to mitigate this attack. Mozilla Firefox and Google Chrome have both begun implementing safeguards to warn users about self-XSS attacks, and Facebook and Google+ now display a warning message when users open the web developer console, linking to pages that explain the attack in detail.
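As an added illustration of the site-side mitigation described above (this is example code written for this page, not Facebook's, Google's or any browser vendor's own implementation), the following script prints a styled warning on page load so that it is the first thing a user sees after opening the developer console. The function names `buildSelfXssWarning` and `installSelfXssWarning` and the help URL are assumptions; replace the placeholder URL with the site's own explanation page.

```javascript
// Added example: a page-load console banner in the style of the self-XSS
// warnings shown by large sites. Nothing here detects or blocks pasting; it
// only makes sure the warning is visible before any pasted code could run.
// Function names and the help URL below are assumptions for this example.

// Placeholder, not a real help page: point this at the site's own explanation.
const HELP_URL = "https://example.invalid/self-xss-help";

// Build the console.log arguments: a %c-styled headline, its CSS, and a
// plain-text explanation. Returned as an array so the content can be
// inspected (or unit-tested) without a real browser console.
function buildSelfXssWarning(helpUrl) {
  const headline = "%cStop!";
  const headlineStyle = "color: red; font-size: 48px; font-weight: bold;";
  const body =
    "This is a browser feature intended for developers. " +
    "If someone told you to copy and paste something here to enable a feature " +
    "or \"hack\" someone's account, it is a scam and will give them access " +
    "to your account.\n" +
    "See " + helpUrl + " for more information.";
  return [headline, headlineStyle, body];
}

// Print the warning through a console-like object (defaults to the real
// console). Returns the arguments used so a caller can verify what was logged.
function installSelfXssWarning(consoleLike = console, helpUrl = HELP_URL) {
  const args = buildSelfXssWarning(helpUrl);
  consoleLike.log(...args);
  return args;
}

// Typical use in a page script: run once at load, in a browser only.
if (typeof window !== "undefined") {
  installSelfXssWarning();
}
```

The banner is deliberately printed unconditionally at load rather than on some "console opened" heuristic: browsers keep earlier console output, so the message is already waiting when the user opens the console, and the page does not need to rely on fragile detection of developer tools.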

Etymology

The "self" part of the name comes from the fact that the user is attacking himself or herself. The "XSS" part of the name comes from the abbreviation for cross-site scripting, because both attacks result in malicious code running on a legitimate site. However, the attacks don't have much else in common, because XSS is an attack against the website itself, whereas self-XSS is a social engineering attack against the user.

References

Self-XSS Wikipedia