Exploiting XSS in hidden input fields

If you are looking at an XSS within a hidden input this post may help you with a proof of concept.


The first way of getting that proof of concept is from an article posted in the PortSwigger blog. https://portswigger.net/blog/xss-in-hidden-input-fields.

The browser ignores the JavaScript events such as onclick and onmouseover. So the context of execution is limited to using access keys using the following payload.

accesskey="X" onclick="alert('xss')"


And after the page loads successfully we will need to use the following key combinations to get the Alert box.

(Press ALT+SHIFT+X on Windows) or (CTRL+ALT+X on OS X)


This makes it tricky for a clean proof of concept without requiring user interaction.

Naturally the next step was to reduce this to a single click. Digging deeper, i came across an old chrome bug that explained how “type” can be overridden. You can read this in detail here, https://bugs.chromium.org/p/chromium/issues/detail?id=585077.  This works well even with the most recent version of chromium browser. There is another technique in there which works with IE 11 as well.


Although there is no alert box here, you have easily managed to let the victim’s browser to include an attacker hosted JavaScript. This could be something like a beef hook, which can easily do a lot more than an alert box or stealing cookies. 🙂



Published by Ramnath Shenoy

I work a penetration tester and this blog is just some of my personal notes!

Leave a comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: