Skip to content
← Back to Community
JS Console Self XSS Warning Script
Profile icon
hacker
has Hacker Plan
PixelNinja

Have you ever been onto the JS web console and seen a warning like this?
image
Well, they protect users (Smart ones) against Self XSS Attacks, these attacks get user's credentials or take other information from their account.

This is common because to steal a user's access token, all you need to paste most of the time is one line that sends the users cookies to the attacker. Facebook has a similar warning because when one person does this, their account will often start spamming out a message to PASTE THIS IN YOUR CONSOLE NOW AND GET FREE STUFF!.

Us as developers, who know about this, need to take responsibility and prevent this on our websites. If your website has anything sensitive or malicious that a user can do, then I highly recommend adding a warning.

I have made it so simple for you all to add, since it only requires one line added to the HTML:

<script src="https://xss.hex.run/"></script>

All this does is log some scary messages in the console like so:

image

Here is an example of self XSS, less malicious, running the code below, will upvote this talk post, it's probably better if you just click the button:

fetch("https://repl.it/graphql",{headers:{accept:"*/*","accept-language":"en-GB,en-US;q=0.9,en;q=0.8,es-US;q=0.7,es;q=0.6","content-type":"application/json","sec-fetch-dest":"empty","sec-fetch-mode":"cors","sec-fetch-site":"same-origin","x-requested-with":"XMLHttpRequest"},referrer:"https://repl.it/talk/share/JS-Console-Self-XSS-Warning-Script/35362",referrerPolicy:"no-referrer-when-downgrade",body:'{"operationName":"createPostVote","variables":{"postId":35362},"query":"mutation createPostVote($postId: Int!) {\\n createPostVote(postId: $postId) {\\n id\\n post {\\n ...PostVoteControlPost\\n __typename\\n }\\n user {\\n ...PostVotesUser\\n __typename\\n }\\n __typename\\n }\\n}\\n\\nfragment PostVoteControlPost on Post {\\n id\\n voteCount\\n canVote\\n hasVoted\\n __typename\\n}\\n\\nfragment PostVotesUser on User {\\n id\\n ...DepreciatedUserLabelWithImageUser\\n __typename\\n}\\n\\nfragment DepreciatedUserLabelWithImageUser on User {\\n id\\n image\\n ...DepreciatedUserLabelUser\\n __typename\\n}\\n\\nfragment DepreciatedUserLabelUser on User {\\n id\\n image\\n username\\n url\\n karma\\n __typename\\n}\\n"}',method:"POST",mode:"cors",credentials:"include"});

STAY SAFE!

Voters
Profile icon
almostStatic
Profile icon
Loganjackson06
Profile icon
SixBeeps
Profile icon
AtticusKuhn
Profile icon
PixelNinja
Comments
hotnewtop
Profile icon
xxpertHacker

Why did you make that look so complicated instead of a simple console.log()?

Profile icon
SixBeeps

@StudentFires
It makes it bright and flashy so that it captures the user's attention.

Profile icon
AmazingMech2418

Now, you just need to create an normal XSS checker!

Profile icon
StudioHawaii

@AmazingMech2418
google patches that stuff

Profile icon
AmazingMech2418

Just so you know, you do not need body-parser for this. Also, you could do it without Express even by using the HTTP module. This would just reduce dependencies and allow this to not take as much space up.

Profile icon
PixelNinja