csgoroll.com self-xss tip victim's wallet to yourself

[SernterxErer]

Hey guys, I lurked around the CS:GO site 

Please Login or Register to see this Hidden Content

 and found out that they had a tip system. I sniffed the traffic to analyze the api and I realized that you just needed to do a simple post request with your authentication cookie to tip a user your desired amount of "coins".

I then created this self-xxs script that does the following:
If this script gets executed by a user, the script will first send a get request to the server to get the user's info. From that info, we extract the user's current wallet balance and use that in the post request telling the server to tip "xxxxxx"¹ ( your userID or to who you want to tip them). 

1. ^{If you don't know how to manipulate the script to show your userID, pm me and I can help you out.}  

The way we can make the request valid is to get the victims authentication cookie. We easily do this by calling:

Please Login or Register to see this Hidden Content

Here is the finished script using jquery:

Hidden Content
You'll be able to see the hidden content once you reply to this topic or

Please Login or Register to see this Hidden Content

.

I tried to make it somewhat small, but I guess some here can make it even "tidyer".

EDIT: Too lazy to respond to everyone who cannot find their id;

Hidden Content
You'll be able to see the hidden content once you reply to this topic or

Please Login or Register to see this Hidden Content

.

Edited by SernterxErer, 02 August 2017 - 03:42 AM.

[neomaking]

Looks funny, I need to take a look myself

[pruned_34697817]

thanks for the share, getting on it

[Drkwn]

Seems interesting, worth a look i guess.

[GuurBuur]

tnx

[Vezuure]

nice

[pruned_67678926]

thx for this

[pruned_13921652]

ty

[venom777]

ty

[dannyaramayo]

ty