18

Suppose only user-supplied double quotes are allowed in an input tag which has the style attribute set to display: none.

Something like this:

<input type="text" style="display: none;" value="aa" autofocus/onfocus="prompt(1)">

Since the injection point is behind the style attribute, is it still possible to get XSS by triggering an event handler?

Arminius
Utkarsh Agrawal
  • Where exactly is the injection point, the `value` attribute? And what do you mean by "user-supplied"? – Bergi Apr 02 '18 at 18:45

2 Answers

15

You can always use the same approach which may be used for hidden input, but this requires quite a bit of social engineering as it's difficult to trigger.

You can however use a different event attribute which may be easier to trigger. oninvalid comes to mind as it doesn't require the element to be shown:

<form>
<input type="text" style="display: none;" value="aa" oninvalid="alert(1)" pattern="b">
<input type="submit" value="Submit">
</form>
tim
  • I wasn't able to use the `accesskey` technique with a `display:none` field (in FF). Are you sure it works here? – Arminius Apr 02 '18 at 13:29
  • @Arminius Yes, I tested it with a current version of FF and it worked. Odd that it doesn't work for you; I have no idea why that might be. But I don't think it matters much, because the `oninvalid` method is actually superior. – tim Apr 02 '18 at 13:33
  • Do you mind comparing these fiddles and see if `accesskey` triggers for you in both? https://jsfiddle.net/81sccuqx/ https://jsfiddle.net/50z3q749/ That aside, the `oninvalid` trick is great. – Arminius Apr 02 '18 at 13:40
  • @Arminius No, just in the second. I think that I see the problem now though. I'm using `onclick`, not `onfocus`: ``. – tim Apr 02 '18 at 13:45
  • Ah, that makes a lot of sense. Thanks for checking. With `onclick` I can repro, too. – Arminius Apr 02 '18 at 13:46
  • If you're going to use `oninvalid`, you can set the pattern attribute to `$^`, so that it's always invalid. – mbomb007 Apr 02 '18 at 16:27
  • Hi, it didn't work in my case: `http://localhost.com/Pages/Search.aspx?h=aaa"+oninvalid="alert(1)"+pattern="b` – Utkarsh Agrawal Apr 02 '18 at 19:17
  • `onclick` can fire for hidden elements if the corresponding ` – Brian Nickel Apr 03 '18 at 04:37
  • Hi @tim, I am confused by this; can you clarify it? Using the oninvalid event, we have to submit the form, right? If yes, then what type of form do I have to submit? Is it the form in which the input tag resides, or do I have to create another form on my localhost to submit it, as we do in CSRF? Will wait for your reply. – Utkarsh Agrawal Apr 04 '18 at 03:58
  • @UtkarshAgrawal Yes, you have to submit the form which contains the input tag. – tim Apr 04 '18 at 07:15
3

Similar to what was mentioned with accesskey, you can get onclick to fire for hidden elements using label elements.

When you click on <label for="some-id">, the browser will look for the first input with that element and perform a click, even if hidden. A legitimate use-case for this feature is checkbox/radio inputs where the label is being used to indicate state, like the frequency selectors on this site's email settings page.

Imagine you had a form that looked like this:

<input type="text" style="display:none" value="" onclick="alert(1)">
<label for="field">Name</label>
<input type="text" id="field">

The value `" id="field` would result in a page looking like this:

<input type="text" style="display:none" value="" id="field" onclick="alert(1)">
<label for="field">Name</label>
<input type="text" id="field">

You will get an alert if the user clicks "Name". How often users click on the label will depend on a lot of things but some site designs may require clicking a label to accomplish a given task.

This is also heavily dependent on page ordering. The placement of the hidden input relative to the legitimate input matters, as well as whether the hidden input has an id and where it is relative to the value.

Brian Nickel
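As an added defender-side example (not code from the thread or any of its posters): every technique above relies on a literal `"` closing the `value` attribute, so the fix belongs in the template that writes the value. The snippet renders the question's input with and without attribute encoding and lists which attribute names the constructed payloads manage to introduce; `attributeNames` is a demonstration aid that assumes a single well-formed start tag, not a sanitizer.

```javascript
// HTML attribute encoding: replace every character that can end or alter a
// quoted attribute value with a character reference. `&` goes first so the
// other replacements are not double-encoded.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable template as in the question: the value is interpolated verbatim,
// so a `"` in it ends value="..." and the rest becomes new attributes.
function renderUnsafe(value) {
  return `<input type="text" style="display: none;" value="${value}">`;
}

// Fixed template: identical markup, value encoded before interpolation.
function renderSafe(value) {
  return `<input type="text" style="display: none;" value="${escapeAttr(value)}">`;
}

// Attribute names of one start tag (assumption: a single well-formed tag with
// quoted or unquoted values). Browsers are more forgiving than this regex;
// it only illustrates what the markup now contains.
function attributeNames(tag) {
  const re = /\s([a-zA-Z][\w-]*)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Attributes present after rendering `value` that the empty template lacks,
// i.e. what the input managed to inject.
function injectedAttributes(render, value) {
  const base = attributeNames(render(''));
  return attributeNames(render(value)).filter((n) => !base.includes(n));
}

// Constructed payloads mirroring the two techniques discussed in the answers.
const PAYLOADS = {
  oninvalid: '" oninvalid="alert(1)" pattern="b',
  labelClick: '" id="field" onclick="alert(1)',
};
```

With `renderUnsafe`, the first payload injects `oninvalid` and `pattern` and the second injects `id` and `onclick`; with `renderSafe`, both inject nothing because the whole string stays inside `value`.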