I am trying to insert an XSS payload into a hidden HTML input field. I know it works with a script tag like the one below, but I am looking for other alternatives.

<input type="hidden" name="date" value=""/> <script>alert('0');</script>" />

I found this article, which says it can be done with the accesskey attribute:

Eventually I learned about XSS through access keys from the above article and wondered if the onclick event would be called on the hidden input when it is activated via an access key. From the articles I learnt that we can execute an XSS payload inside a hidden attribute, provided you can persuade the victim into pressing the key combination. On Firefox Windows/Linux the key combination is ALT+SHIFT+X and on OS X it is CTRL+ALT+X.

As of now I know it works with some type attribute values, e.g.:

<input type="text" accesskey="X" onclick="alert(1)">

I was trying with a hidden field:

<input type="hidden" accesskey="X" onclick="alert(1)">

But this is not working for me in several browsers. Assuming it might have been handled in recent browser versions, I also tried with some lower versions like Firefox 4, but that didn't work out either. Can anyone help with this?

viharika
    Any specific reason to use Firefox 4? – Krishna Pandey Dec 12 '17 at 09:11
  • @KrishnaPandey actually I read that this might have been handled in current latest browsers version – viharika Dec 12 '17 at 10:15
  • @Arminius thanks, but the question you are pointing to is the opposite of what I am looking for. The link you provided is for an option other than the HTML accesskey. But I am checking how I can perform XSS using accesskey or something similar. – viharika Dec 12 '17 at 11:15

1 Answer

After your injection, the resulting code should look like this:

<input type="hidden" accesskey="X" onclick="alert(1)">

For the payload to be executed, the user needs to press the access key combination for the hidden input field (for Firefox, Alt+Shift+X; see this for other browsers). If you want to make sure you are firing the access key, you can switch from hidden to text to check that the field receives focus.

I checked on Windows, and this does not seem to work in Chrome 62 and IE 11. However, it does work in Firefox 57. So while Firefox fires the onclick event when accesskeys are pressed, other browsers do not.

Here is a working example if you want to try yourself.

So why doesn't it work in Firefox 4? Since the behaviour here isn't consistent across browsers, it wouldn't surprise me if it's not consistent across different versions of the same browser either. Try my sample on Firefox 4, make sure that the access key is actually fired, and if it doesn't work, that's pretty much it. You'll have to try to come up with something else. And why would you like to target such an ancient browser anyway?

Note that this is quite a limited exploit since it only works on Firefox and requires user interaction. I don't know if there is a better way to do it, but it looks like this is the best the good folks at Portswigger could come up with.

Anders
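As an added example (not code from the question, the answer or PortSwigger), here is the defender's side of the thread: the hidden "date" field rendered with raw concatenation next to the same template with the value attribute-encoded, so the `"/> <script>...` payload from the question cannot break out of the attribute, plus a small review check that flags hidden inputs carrying both an accesskey and an inline on* handler, the pattern the answer describes. The attribute regex is a rough check for small fragments, not an HTML parser; all function names and the sample markup are my own.

```javascript
// Added example (Node.js, no dependencies). Function names are hypothetical.

// Encode the characters that matter inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable: raw concatenation lets a double quote close the value attribute.
function renderHiddenInputUnsafe(date) {
  return `<input type="hidden" name="date" value="${date}"/>`;
}

// Hardened: the same template, but the value is attribute-encoded first.
function renderHiddenInput(date) {
  return `<input type="hidden" name="date" value="${escapeAttr(date)}"/>`;
}

// Count element starts in a fragment; an encoded value must never add any.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Parse the attributes of each <input> and report those that are hidden,
// carry an accesskey and have at least one inline on* event handler.
function findHiddenAccesskeyHandlers(html) {
  const hits = [];
  for (const m of html.matchAll(/<input\b([^>]*)>/gi)) {
    const attrs = {};
    for (const a of m[1].matchAll(/([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    const handlers = Object.keys(attrs).filter((k) => k.startsWith('on'));
    if ((attrs.type || '').toLowerCase() === 'hidden' && 'accesskey' in attrs && handlers.length) {
      hits.push({ accesskey: attrs.accesskey, handlers });
    }
  }
  return hits;
}

// Constructed input: the injected value from the question's first payload.
const PAYLOAD = `"/> <script>alert('0');</script>`;

console.log(renderHiddenInputUnsafe(PAYLOAD)); // two elements: input + script
console.log(renderHiddenInput(PAYLOAD));       // one element, payload inert
```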