Exploiting XSS in hidden input fields

If you are looking at an XSS within a hidden input this post may help you with a proof of concept.

FailXSS

The first way of getting that proof of concept is from an article posted in the PortSwigger blog. https://portswigger.net/blog/xss-in-hidden-input-fields.

The browser ignores the JavaScript events such as onclick and onmouseover. So the context of execution is limited to using access keys using the following payload.

accesskey="X" onclick="alert('xss')"

sourceXSS

And after the page loads successfully we will need to use the following key combinations to get the Alert box.

(Press ALT+SHIFT+X on Windows) or (CTRL+ALT+X on OS X)

XSSPOC

This makes it tricky for a clean proof of concept without requiring user interaction.

Naturally the next step was to reduce this to a single click. Digging deeper, i came across an old chrome bug that explained how “type” can be overridden. You can read this in detail here, https://bugs.chromium.org/p/chromium/issues/detail?id=585077.  This works well even with the most recent version of chromium browser. There is another technique in there which works with IE 11 as well.

XSS-Chrome

Although there is no alert box here, you have easily managed to let the victim’s browser to include an attacker hosted JavaScript. This could be something like a beef hook, which can easily do a lot more than an alert box or stealing cookies. 🙂

 

 

Published by Ramnath Shenoy

I work a penetration tester, this blog is just some of my personal notes!

Leave a comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: