A New Attack method called “XSSJacking” a type of Web application Clickjacking, Pastejacking and Self-XSS Web application based Attack Discovered by the Security Researcher Dylan Ayrey.

While Clickjacking vulnerability existing in particular page, this attack will trigger Self-XSS.

“Self–XSS is a social engineering attack used to gain control of victims’ web accounts.In a self–XSS attack, the victim of the attack accidentally runs malicious code in his/her own web browser, thus exposing it to the attacker“

Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

How “XSSJacking” Works

Researcher Explained About the “XSSJacking”,

Pastejacking

We Testing this vulnerability by “Pastejacking Attack” that allow to victim copy the email address instead of typing and past it in the Test forum registration page, you place an “Enter your email” field and a “Retype your email” field.

Most of the people, “copy-paste it in the second field” unknowingly malicious website has appended malicious code after his copy-paste text and inserted it into his Good Website settings page.

“After the copy, the contents of their clipboard get overwritten with <script>alert(1)</script>

This method can be combined with a phishing attack to entice users into running seemingly innocent commands.

The malicious code will override the innocent code, and the attacker can gain remote code execution on the user’s host if the user pastes the contents into the terminal, researcher Said

XSSJacking attacks, a malicious actor can steal cookies, inbox messages, change profile settings (phone numbers, emails, etc.), to steal profile details, or perform other malicious actions.

“XSSJacking was a way to chain the two issues together in such a way that got unsuspecting logged in users to XSS themselves,” Ayrey said.

Also Read: