JS Console Self XSS Warning Script

Have you ever opened the browser's JS console and seen a warning like this?
These warnings protect users (at least the smart ones) against self-XSS attacks, in which the user is tricked into running code that steals their credentials or other information from their account.

This is common because stealing a user's access token often takes only a single pasted line that sends the user's cookies to the attacker. Facebook shows a similar warning because once one person falls for it, their account often starts spamming their friends with a message like PASTE THIS IN YOUR CONSOLE NOW AND GET FREE STUFF!

As developers who know about this, we need to take responsibility and prevent it on our own websites. If your website lets a user do anything sensitive or potentially harmful, I highly recommend adding a warning.

I have made it simple to add: it only needs one line in your HTML:

<script src=""></script>

All this does is log some scary messages in the console like so:


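An added example of such a warning script, written in the style of the Facebook-type warning described above. This is my own code, not the script the post links (its URL is not shown), and the message wording and the names buildSelfXssWarning and installSelfXssWarning are my own choices.

```javascript
// Build the warning as data so it can be inspected (and tested) without a browser.
// siteName is an assumed parameter: the site the warning should mention.
function buildSelfXssWarning(siteName) {
  const name = siteName || "this site";
  return [
    {
      // %c tells the browser console to apply the CSS in `style` to this text.
      text: "%cStop!",
      style: "color: red; font-size: 48px; font-weight: bold;",
    },
    {
      text:
        "%cThis is a browser feature intended for developers. " +
        "If someone told you to copy and paste something here to enable a " +
        `feature or "hack" ${name}, it is a scam and will give them access ` +
        "to your account.",
      style: "font-size: 18px;",
    },
  ];
}

// Log the warning lines. `out` is an optional console-like object with a
// log(...) method, so the function can be exercised without a real console;
// it defaults to the global console. Returns the number of lines logged.
function installSelfXssWarning(siteName, out) {
  const target = out || console;
  const lines = buildSelfXssWarning(siteName);
  for (const line of lines) {
    target.log(line.text, line.style);
  }
  return lines.length;
}

// In a page this would run once at load, e.g. from a <script> tag in the HTML.
installSelfXssWarning("this site");
```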
Here is a less malicious example of self XSS: running the code below will upvote this Talk post (though it's probably better if you just click the button):

// GraphQL mutation that upvotes post 35362 using the logged-in user's own
// session cookies (credentials: "include"); the URL and referrer are empty in the post.
fetch("", {
  headers: {
    accept: "*/*",
    "accept-language": "en-GB,en-US;q=0.9,en;q=0.8,es-US;q=0.7,es;q=0.6",
    "content-type": "application/json",
    "sec-fetch-dest": "empty",
    "sec-fetch-mode": "cors",
    "sec-fetch-site": "same-origin",
    "x-requested-with": "XMLHttpRequest"
  },
  referrer: "",
  referrerPolicy: "no-referrer-when-downgrade",
  body: '{"operationName":"createPostVote","variables":{"postId":35362},"query":"mutation createPostVote($postId: Int!) {\\n createPostVote(postId: $postId) {\\n id\\n post {\\n ...PostVoteControlPost\\n __typename\\n }\\n user {\\n ...PostVotesUser\\n __typename\\n }\\n __typename\\n }\\n}\\n\\nfragment PostVoteControlPost on Post {\\n id\\n voteCount\\n canVote\\n hasVoted\\n __typename\\n}\\n\\nfragment PostVotesUser on User {\\n id\\n ...DepreciatedUserLabelWithImageUser\\n __typename\\n}\\n\\nfragment DepreciatedUserLabelWithImageUser on User {\\n id\\n image\\n ...DepreciatedUserLabelUser\\n __typename\\n}\\n\\nfragment DepreciatedUserLabelUser on User {\\n id\\n image\\n username\\n url\\n karma\\n __typename\\n}\\n"}',
  method: "POST",
  mode: "cors",
  credentials: "include"
});



Now, you just need to create a normal XSS checker!


Google patches that stuff