Testing for existence of controls to prevent Self-XSS scam

Prevention against Self-XSS scam should be taken into account if the application is of high value, interconnected with multiple users through forum, messages and the like.

Below is one of screengrab of prevention tip from Facebook:

Sample Code: 
console.log("%cExtra Large Yellow Text with Red Background", "background: red; color: yellow; font-size: x-large");


  • https://developer.chrome.com/devtools/docs/console
  • http://getfirebug.com/wiki/index.php/Console.log
  • https://en.wikipedia.org/wiki/Self-XSS

Self-XSS operates by tricking users into copying and pasting malicious content into their browsers' web developer console.[1] Usually, the attacker posts a message that says by copying and running certain code, the user will be able to hack another user's account. In fact, the code allows the attacker to hijack the victim's account.


Popular posts from this blog

Bypassing referrer check with no script involved

Jumping out of Touch Screen Kiosks