Reputation: 10961
I have a form in html:
<form name="foo" action="http://localhost:3000/my_url" method="POST">
<input type="text" name="username" value="alert('hello')" >
</form>
I need to get that JavaScript in the value field for the input to execute, but only through the form's submit.
The reason is that the page is a template, so I don't control it (I can't have
<script>
var input = document.getElementsByName("username");
</script>
or any other <script> tag added to the page). I'm trying to prove that it's possible for an attack to take place over malformed <input> fields, especially using templates.
How can I have that JavaScript execute on the form submission? Remember I'm not allowed to modify the page content except for that piece.
Since I'm doing a POST to that form, I can set the <input> field (and only the <input> field) to whatever I want.
I could do
username=<script>alert('hello')</script>
<input type="text" name="username" value="<script>alert('hello')</script>" >
or
username=window.onload = function() { alert('hello') }
<input type="text" name="username" value="window.onload = function() { alert('hello') }" >
I have thought about doing a
username=document.forms['myform'].onsubmit = function() { alert('hello') }
<input type="text" name="username" value="document.forms['myform'].onsubmit = function() { alert('hello') }" >
All of those are valid. However, I need to get the JavaScript in the tag to execute. How can I do that? The security flaw is how the <input> tag can be exploited if not properly sanitized. As per @guest271314: "requirement include adding tag ..."
Upvotes: 1
Views: 1549
Reputation: 3685
When you use a template engine to render HTML content, the server normally sanitizes and escapes it to prevent passive injection of cross-site scripts, or XSS for short.
Such an attack can easily be achieved on a server that does not enforce the previously mentioned security measures, by posting malformed content that will happily be rendered later by the template engine.
For example, a form that sends user input:
<form name="foo" action="http://localhost:3000/my_url" method="POST">
<input type="text" name="username" value="" >
</form>
If the user sends something like "><script>alert('foo')</script>
and later you display this input in another form:
<form name="bar" action="http://localhost:3000/my_other_url" method="POST">
<input type="text" name="username" value="@template_engine_render(posted_username_value)@" >
</form>
The resulting output will be:
<form name="bar" action="http://localhost:3000/my_other_url" method="POST">
<input type="text" name="username" value="">
<script>alert('foo')</script>
</form>
Because the "> characters close the input tag, you will end up executing arbitrary user JavaScript code in your page.
This is why "Never trust user input" is one of the most basic security rules of the web.
Upvotes: 1
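As an added example that is not part of the original question or either answer: the two renderings described in this answer, reproduced as a tiny Node.js template, once with the posted value dropped into value="" raw and once with HTML-attribute escaping applied. The function names (escapeAttr, renderUnsafe, renderSafe, hasScriptTag) and the payload are constructed for this demonstration; hasScriptTag is a crude regex check to make the difference visible, not an HTML parser.

```javascript
// Added demonstration (not code from the question or the answers above).
// A minimal "template engine" that reflects the posted username into a
// value="" attribute, with and without contextual escaping.
// Names are hypothetical: escapeAttr, renderUnsafe, renderSafe, hasScriptTag.

// Escape the characters that can change meaning inside a double-quoted HTML
// attribute (") or, once the attribute is broken out of, inside element
// content (< > &). The single quote is covered too, so the same function is
// safe for value='...' attributes.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// What the template produces when auto-escaping is off (or the value is
// marked "safe"): the string is spliced into the markup verbatim.
function renderUnsafe(username) {
  return '<form name="bar" action="http://localhost:3000/my_other_url" method="POST">\n' +
         '<input type="text" name="username" value="' + username + '">\n' +
         '</form>';
}

// Same template, but the attribute value is escaped for its context first.
function renderSafe(username) {
  return renderUnsafe(escapeAttr(username));
}

// Demo-only detector: blank out every quoted attribute value, then look for a
// <script start tag in what is left. If one is found, the payload escaped the
// attribute and became real markup. A production check would use an HTML parser.
function hasScriptTag(html) {
  const stripped = html.replace(/"(?:[^"\\]|\\.)*"/g, '""');
  return /<script\b/i.test(stripped);
}

// Constructed attacker input: close the attribute and the <input> tag, then
// inject a script element, exactly as in the answer above.
const payload = '"><script>alert(\'foo\')</script>';

const unsafeHtml = renderUnsafe(payload);  // <script> becomes a sibling of <input>
const safeHtml = renderSafe(payload);      // payload stays inert text inside value="..."

console.log(unsafeHtml);
console.log('script tag present (unsafe):', hasScriptTag(unsafeHtml));
console.log(safeHtml);
console.log('script tag present (safe):  ', hasScriptTag(safeHtml));
```

Note that the fix is contextual: escapeAttr is correct for a quoted attribute value, but an unquoted attribute (value=...) can be broken out of with a space, and a value dropped into an existing script block or an onclick= handler needs JavaScript-context encoding instead. Most template engines auto-escape for the HTML text and attribute contexts only when the attribute is quoted, which is why the answer's `">` payload is the canonical test case.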
Reputation: 1
Try utilizing Function.
Note: submission of the form at stacksnippets appears blocked; substituted the click event for the submit event, i.e., click on the input at stacksnippets for the value of the input to be called as the parameter to Function.
document.forms["foo"].onclick = function(e) {
  // Compile and run the input's value as JavaScript (equivalent to eval)
  Function(this.children[0].value)()
}
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
<form name="foo" action="" method="POST">
<input type="text" name="username" value="alert('hello')" >
</form>
Upvotes: 1