Turning Self-xss into Good XSS
Summary
The researcher discovered a classic self-XSS in the Uber Partners portal: user-supplied data in profile fields was not sanitized, so arbitrary JavaScript (e.g., alert(document.domain);</script>) executed when the field was rendered. On its own, this only affected the user's own account, since the field was visible only to them.
However, by chaining two Cross-Site Request Forgery (CSRF) vulnerabilities in the OAuth login and logout flows, the researcher escalated the self-XSS to target any user. The attack involved:
- Forcing a victim to log out of their Uber Partners session but not their OAuth session (via CSP tricks),
- Logging the victim into the attacker's account (so the stored XSS payload executes),
- Then automatically logging the victim back into their own account, with the attacker's code running in a privileged context.
This allowed the attacker to execute scripted actions on behalf of the victim. Notably, the chain demonstrated how self-XSS, often dismissed as low-impact, can lead to full account compromise when combined with business-logic flaws in authentication and session management. Together, the flaws posed a real-world risk of session hijacking and data exfiltration.
Key points:
- Initial self-XSS in the user profile field.
- Two minor CSRFs in the OAuth login/logout flow allow complete attack automation.
- Session switching and CSP tricks bypass normal defensive controls.
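The login half of the chain depends on an OAuth callback that completes a login nobody in that browser started. The following is an added illustration (not code from the writeup or from Uber) of the check that closes that gap: a constructed stand-in for the code exchange, a callback that exchanges the code without verifying the state parameter, and the corrected callback that only completes a login bound to the current session. Names, URLs and codes are hypothetical.

```python
import hmac
import secrets
from typing import Optional

# Constructed stand-in for the provider's code exchange: which account each
# authorization code was issued for. A real client would call the token endpoint.
CODES = {
    "code-attacker": "attacker@example.com",
    "code-victim": "victim@example.com",
}


def start_login(session: dict) -> str:
    """Begin the OAuth flow: bind a fresh, unguessable state to this session."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    return f"https://idp.example/authorize?state={session['oauth_state']}"


def callback_vulnerable(session: dict, params: dict) -> Optional[str]:
    """Login CSRF: the code is exchanged without checking state, so a callback
    URL loaded by the browser at a third party's request logs that browser into
    whatever account the code belongs to (here, the attacker's)."""
    account = CODES.get(params.get("code", ""))
    if account:
        session["user"] = account
    return session.get("user")


def callback_fixed(session: dict, params: dict) -> Optional[str]:
    """Only complete a login that this session itself started: the state in the
    callback must match the one stored when start_login() ran, compared in
    constant time and consumed so it cannot be replayed."""
    expected = session.pop("oauth_state", None)
    presented = params.get("state", "")
    if not expected or not hmac.compare_digest(expected, presented):
        return None  # forged or replayed callback: leave the session untouched
    account = CODES.get(params.get("code", ""))
    if account:
        session["user"] = account
    return session.get("user")
```

The logout CSRF in the chain is the same defect on the other endpoint: a logout that any cross-site GET can trigger needs the same session-bound token (and a POST) before it is honoured.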
This summary was partly generated by AI