Cross Site Scripting for Fun: PasteJacking

Hi Everyone,

A few weeks ago I found an issue which initially looked unexploitable. It was Self-XSS again, this time in a search box where users can search for books/documents. The XSS gets triggered as soon as we type/paste our payload into the search box, via the application's AutoSuggestion feature, but once the search is submitted it gets blocked by the WAF at the backend. So the only way to trigger the XSS was the AutoSuggestion feature, which can only be done by the user himself, so we can't do anything fancy here like THIS.

Possible Exploitation?

Chaining this with ClickJacking, right? I was lucky enough that the application had a strange behavior: it set X-Frame-Options for non-authenticated users but not for authenticated users.

TIP: Look for those headers on every part of the application.

So I checked all the possible and more convincing ways to chain this, and here are some ways we can do it.

  • Copy Paste
  • Drag and Drop
  • PasteJacking

Copy Paste:

In this, we simply ask the victim to copy and paste the payload from our hosted page into the framed page, which is not very convincing.

Drag and Drop:

In this, we can hide our payload behind images or anything and convince the victim to drag and drop the object onto the framed page, which is a good vector indeed, but it didn't work in my case, as typing or pasting is the only way to trigger the XSS.


See also: Python script to generate a PoC for Drag and Drop XSS.

PasteJacking:

This is what I used for my submission, and it is quite convincing to me. Here we can control the victim's clipboard via JavaScript: once he copies the object, which can be anything, the attacker can set anything on the victim's clipboard, so I used it to set the XSS payload.



So I decided to choose PasteJacking to exploit this Self-XSS, and this is how it looks:


TIP: You can use: for framing/slicing the desired section of the page.

PoC Code:


For exploiting issues similar to this, the application should be vulnerable to ClickJacking.
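As an added example (not the post's own code), here is a small Node.js checker for the header tip above: it rates the framing protection a response carries and flags any page that is protected in only one session state, which is exactly the logged-out/logged-in gap this post found. The response samples inside it are constructed, not taken from any real application.

```javascript
// Added example, not from the original post: rate a response's framing protection
// and compare logged-out vs logged-in views of one URL. Samples are constructed.
// Returns the frame-ancestors source list from a CSP header, or null if absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// headers: object keyed by lower-cased header name. Returns 'blocked' (no site
// may frame the page), 'restricted' (only listed origins may) or 'none'.
function framingProtection(headers) {
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  if (ancestors) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    const srcs = ancestors.map((s) => s.toLowerCase());
    return srcs.length === 1 && srcs[0] === "'none'" ? 'blocked' : 'restricted';
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN' || xfo.startsWith('ALLOW-FROM')) return 'restricted';
  return 'none';
}

// samples: [{ url, unauthenticated: headers, authenticated: headers }, ...]
// Flags every URL that can be framed in at least one session state.
function findFrameablePages(samples) {
  const findings = [];
  for (const s of samples) {
    const anon = framingProtection(s.unauthenticated);
    const auth = framingProtection(s.authenticated);
    if (anon === 'none' || auth === 'none') {
      findings.push({ url: s.url, unauthenticated: anon, authenticated: auth });
    }
  }
  return findings;
}

// Constructed samples: /search is protected only while logged out.
const CSP = "default-src 'self'; frame-ancestors 'none'";
const SAMPLES = [
  { url: '/search', unauthenticated: { 'x-frame-options': 'DENY' },
    authenticated: { 'content-type': 'text/html' } },
  { url: '/login', unauthenticated: { 'content-security-policy': CSP },
    authenticated: { 'content-security-policy': CSP } },
];
console.log(findFrameablePages(SAMPLES)); // [{ url: '/search', ..., authenticated: 'none' }]
```

To audit a real application, replace SAMPLES with the headers captured for each URL once with and once without a session cookie.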

Do let me know in the comments if you have exploited similar issues in more interesting ways; for any query, comment or tweet it, and yes, don't blindly copy-paste anything from the internet.