XSS on an input hidden field

…where you have the input sanitized for '<> chars.

I came across a web application on a bounty program where the returnurl was placed in the following HTML:

[code language="html"]
<input type="hidden" name="returnurl" value="[USER INJECT]" />
[/code]

The security filter removed <>' chars but kept the double quote active and reflected. What’s the first thing that comes…
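An added illustration, not code from the original post: the character-stripping filter described above next to context-aware attribute encoding, both run on a constructed, inert probe value. All function names, the probe, and the relative-path policy for returnurl are assumptions made for this example.

```javascript
// Added example; names and the probe value are hypothetical, not from the post.

// The filter as the post describes it: strips < > ' but leaves " untouched.
function stripFilter(value) {
  return String(value).replace(/[<>']/g, "");
}

// Fix 1: encode every character that is significant inside a quoted
// HTML attribute value, instead of deleting a subset of them.
const ATTR_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function encodeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ATTR_ENTITIES[c]);
}

// Fix 2 (assumed policy): returnurl may only be a same-site relative path
// built from a conservative character set; anything else becomes "/".
function safeReturnUrl(value, fallback = "/") {
  return /^\/(?!\/)[A-Za-z0-9\-._~\/?&=%]*$/.test(String(value)) ? value : fallback;
}

// Render the hidden field from the post with a chosen sanitizer.
function renderHidden(value, sanitize) {
  return `<input type="hidden" name="returnurl" value="${sanitize(value)}" />`;
}

// Minimal scanner for double-quoted attributes: returns the attribute names
// that end up on the tag, so an escaped value boundary becomes visible.
function attrNames(html) {
  const re = /([^\s"'<>\/=]+)\s*=\s*"([^"]*)"/g;
  return [...html.matchAll(re)].map((m) => m[1]);
}

// Constructed, inert probe: a double quote followed by a harmless data- attribute.
const PROBE = '/account" data-injected="1';

for (const [label, fn] of [["stripFilter", stripFilter], ["encodeAttr", encodeAttr]]) {
  const html = renderHidden(PROBE, fn);
  console.log(label.padEnd(12), attrNames(html).join(", "), "|", html);
}
console.log("safeReturnUrl", JSON.stringify(safeReturnUrl(PROBE)));
```

With the stripping filter the tag gains a fourth attribute the application never wrote; with encoding the probe stays inside `value`, and the allow-list rejects it before rendering.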