[Duplicated] Self-XSS & CSRF attack lead to Stored XSS
![Image](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFDniDEwR-Q93bfTuxWJrOqgyXWFxGjuleYtjbYraciRx85IHq8c1pixrL7RNLD8sY8ocx-ayHkkhKp-ST_sZNFFSaCR-6sz_g54jL06vcfisSioMfiiIfmgVrGBNGcIAI_39W6T18wug/s640/xss.png)
Hi guys, it's me, Flex. In this post I will share a new vulnerability on a private program, let's call it `example.com`. The vulnerability was a Self-XSS with a CSRF attack, which leads to Stored XSS.

The story of the discovery: the target is a shop website. When I tested the function to add a product, I started adding my lovely XSS payload `<svg/onload=alert(0)>` everywhere, and one of these fields worked and gave me a pop-up, because the input was wrong for the field and the website tells me that this value is wrong. So it is a Self-XSS.

I tried to find Clickjacking to make it exploitable, but there is no way with Clickjacking. After some minutes I tried to find a CSRF attack, so I opened my Burp and caught the change request, and I noticed that there is no CSRF-Token or any CSRF protection. So I tried to exploit these two bugs together to get the Stored XSS. The body of the edited request was like that: {"basePage":{"draftIds":["victim_id"],"
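
The two fixes this chain calls for, as an added example that is not from the original post or the target's code: HTML-encoding the rejected value in the "value is wrong" message, and refusing the change request unless it carries the site's own `Origin`, a JSON content type and a per-session CSRF token. The function names, the `X-CSRF-Token` header, the `https://example.com` origin and the sample requests are assumptions made for illustration.

```javascript
// Added example, not the shop's code; all names below are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Fix 1: the validation error echoes the rejected input, so encode it first.
function invalidValueMessage(field, value) {
  return `<p class="error">Invalid value for ${escapeHtml(field)}: ${escapeHtml(value)}</p>`;
}

// Compare two tokens without returning early on the first differing character.
// Empty or missing tokens never match.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  if (a.length === 0 || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

const TRUSTED_ORIGIN = 'https://example.com'; // assumption: the site's own origin
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Fix 2: gate every state-changing request (header names lower-cased, as Node does).
function checkStateChange(req, sessionCsrfToken) {
  if (SAFE_METHODS.has(req.method)) return { ok: true };
  const h = req.headers;
  // A missing Origin header is rejected as well.
  if (h['origin'] !== TRUSTED_ORIGIN) return { ok: false, reason: 'cross-origin' };
  // Accept JSON only: a plain HTML form cannot submit this content type.
  if (!/^application\/json\b/i.test(h['content-type'] || '')) return { ok: false, reason: 'content-type' };
  if (!constantTimeEqual(h['x-csrf-token'], sessionCsrfToken)) return { ok: false, reason: 'csrf-token' };
  return { ok: true };
}

// Constructed sample requests (not captured traffic).
const SESSION_TOKEN = 'constructed-token-1f9a';
const forged = { method: 'POST', headers: { origin: 'https://other.invalid', 'content-type': 'text/plain' } };
const tokenless = { method: 'POST', headers: { origin: TRUSTED_ORIGIN, 'content-type': 'application/json' } };
const genuine = { method: 'POST', headers: { ...tokenless.headers, 'x-csrf-token': SESSION_TOKEN } };

console.log(invalidValueMessage('price', '<svg/onload=alert(0)>'));
for (const req of [forged, tokenless, genuine]) console.log(checkStateChange(req, SESSION_TOKEN));
```

Either fix alone breaks the chain described in the post; applying both removes the Self-XSS and the unauthenticated change request independently.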