If you are looking at an XSS within a hidden input this post may help you with a proof of concept.
The first way of getting that proof of concept is from an article posted in the PortSwigger blog. https://portswigger.net/blog/xss-in-hidden-input-fields.
The browser ignores the JavaScript events such as onclick and onmouseover. So the context of execution is limited to using access keys using the following payload.
accesskey="X" onclick="alert('xss')"
And after the page loads successfully we will need to use the following key combinations to get the Alert box.
(Press ALT+SHIFT+X on Windows) or (CTRL+ALT+X on OS X)
This makes it tricky for a clean proof of concept without requiring user interaction.
Naturally the next step was to reduce this to a single click. Digging deeper, i came across an old chrome bug that explained how “type” can be overridden. You can read this in detail here, https://bugs.chromium.org/p/chromium/issues/detail?id=585077. This works well even with the most recent version of chromium browser. There is another technique in there which works with IE 11 as well.
Although there is no alert box here, you have easily managed to let the victim’s browser to include an attacker hosted JavaScript. This could be something like a beef hook, which can easily do a lot more than an alert box or stealing cookies. 🙂
Breaking application security 