Reputation: 93
Input type hidden Cross site script attack
Web site have <> replace <> logic
So I can use ', " ... etc
I can inject
<input type="hidden" value="$input">
So how can I attack xss without accesskey, style tag?
Upvotes: 0
Views: 737
Answers (1)
Reputation: 574
You will need to provide more information about where exactly you inject the code, and more about the server or website information.
Since you haven't provided such information, you can try some of these:
Try adding attributes,
Try using Event Handlers (onLoad() , onMouseOver() , etc)
US-ASCII encoding? (Apache Tomcat) - you can try: ¼script¾alert(¢XSS¢)¼/script¾ .
Since only < , > gets replaced by the website, take a look over these:
All the possible combinations of the character "<" in HTML and JavaScript.
Most of these won't render out of the box, but many of them can get rendered in certain circumstances.
<
%3C
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
\x3c
\x3C
\u003c
\u003C
Upvotes: 1
Related Questions
- Cross Site Scripting injection
- Prevent input type from XSS attacks
- Cross site Scripting(XSS) Vulnerability possible
- Cross Site Scripting with Hidden Inputs
- XSS Cross Site Scripting - on JSP input tag
- Cross site scripting forms
- Web Application Cross Site Scripting
- Cross Site Scripting Attack, troubles
- Cross Site Scripting - Hidden Form Fields
- How to avoid "Cross-Site Script Attacks"