GITBOOK-4361: No subject

pentesting-web/xss-cross-site-scripting/README.md

@@ -817,6 +817,28 @@ There is **JS code** that is using **unsafely data controlled by an attacker** l
 There you will find a detailed **explanation of what DOM vulnerabilities are, how are they provoked, and how to exploit them**.\
 Also, don't forget that **at the end of the mentioned post** you can find an explanation about [**DOM Clobbering attacks**](dom-xss.md#dom-clobbering).
 
+### Upgrading Self-XSS
+
+### Cookie XSS
+
+If you can trigger a XSS by sending the payload inside a cookie, this is usually a self-XSS. However, if you find a **vulnerable subdomain to XSS**, you could abuse this XSS to inject a cookie in the whole domain managing to trigger the cookie XSS in the main domain or other subdomains (the ones vulnerable to cookie XSS). For this you can use the cookie tossing attack:
+
+{% content-ref url="../hacking-with-cookies/cookie-tossing.md" %}
+[cookie-tossing.md](../hacking-with-cookies/cookie-tossing.md)
+{% endcontent-ref %}
+
+You can find a great abuse of this technique in [**this blog post**](https://nokline.github.io/bugbounty/2024/06/07/Zoom-ATO.html).
+
+### Sending your session to the admin
+
+Maybe an user can share his profile with the admin and if the self XSS is inside the profile of the user and the admin access it, he will trigger the vulnerability.
+
+### Session Mirroring
+
+If you find some self XSS and the web page have a **session mirroring for administrators**, for example allowing clients to ask for help an in order for the admin to help you he will be seeing what you are seeing in your session but from his session.
+
+You could make the **administrator trigger your self XSS** and steal his cookies/session.
+
 ## Other Bypasses
 
 ### Normalised Unicode