Self XSS

After reading about the different kinds of XSS, and how a malicious user injects a payload to attack another user, can you imagine a user who executes an XSS payload against themselves? Well, this is the case of self XSS.

In simple terms, a user copies and pastes the malicious string and executes the XSS against himself, leaving him susceptible to losing sensitive information such as cookies, sessions, and so on.

This vulnerability was considered to carry no risk, because why would a user do that? But in 2017, the bug bounty hunter Mathias Karlsson showed different vectors through which these attacks could be successfully exploited. If you want to learn more, see the presentation "Self XSS we're not so different you and I" on YouTube (https://www.youtube.com/watch?v=l3yThCIF7e4).
