How to launch XSS code from an INPUT HTML tag upon page load?

Question

Say I have the a website with the following code on it:

<input type="text" id="search-text" name="query" value="?" />

Double quotes aren't escaped so I can break out of the value attribute, however, I can't break out of the HTML tag itself as '<' and > are being filtered out.

My goal here is to get a javascript popup to appear.

There's the onfocus attribute so I guess if someone clicked on the text input box a javascript popup could appear.
However is there a way to make a javascript popup appear when the page first loads?

did you try all the techniques on https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#No_closing_script_tags ? — KDEx, Aug 22 '15 at 18:40
What reason would there be for *not* encoding double quotes? — Anonymous, Aug 22 '15 at 20:22
@Anonymous - ignorance? I didn't write the website that I'm trying to exploit! — neubert, Aug 22 '15 at 20:25
@neubert Oh, I read the phrase *"Say I have the a website"* and assumed you owned it. If not, this fits the close reason *"Questions asking us to break the security of a specific system for you are off-topic unless they demonstrate an understanding of the concepts involved and clearly identify a specific problem."* in my opinion. — Anonymous, Aug 22 '15 at 20:27
@Anyonous - well them let me create a PoC website that demo's the vulnerability. *Done*. Now... how do I exploit it? And I do believe I have demonstrated an understanding of the concepts. As I said in my OP I can break out of the attribute but not the tag. Or do you believe that familiarity with the `autofocus` attribute essential to understanding XSS? — neubert, Aug 22 '15 at 20:29

paj28 · Accepted Answer · 2015-08-22T20:44:07.393

54

Try this:

" onfocus="alert(1)" autofocus="

It will expand to:

<input type="text" id="search-text" name="query" value="" onfocus="alert(1)" autofocus="" />

Which will cause an alert box, demonstrating XSS.

edited Aug 22 '15 at 20:44

answered Aug 22 '15 at 20:00

paj28

32,736
8
92
130

Is there also any event which works with input type=hidden? – Sanchit Sharma Aug 22 '17 at 09:25
@SanchitSharma See this question: https://security.stackexchange.com/q/182762/91506 – mbomb007 Apr 02 '18 at 16:30

score -3 · Answer 2 · answered Aug 24 '15 at 10:48

-3

You can checkout for this too

ONLOAD=alert('XSS')

Which will produce an alert box when the page loads.

answered Aug 24 '15 at 10:48

Bhuvanesh

87
1
5

3

Didn't work for me. Nor would I expect it to. onload isn't valid for `input type="text"` per http://www.w3schools.com/jsref/event_onload.asp – neubert Aug 24 '15 at 12:18

How to launch XSS code from an INPUT HTML tag upon page load?

2 Answers2

Linked