Persistent XSS is Not Self-XSS

Participating in bounty programs the past few years I have seen a lot of discrimination against what has been dubbed Self Cross-Site Scripting (XSS). This is a version of XSS that can only be exploited by the victim due to either protection by the server or the method of attack is strictly client-side with no way for an attacker to force a victim to execute.

Lately I have seen programs state that they do not accept any form of self-XSS. I will give some scenarios to explain the various types of self-XSS, their impacts, and how they can be exploited to hopefully debunk some misconceptions that these are not vulnerabilities.

Scenario 1: DOM Based Self-XSS

Continue reading