Input field XSS - but type=hidden

sla.ckers.org is
ha.ckers sla.cking

Q and A for any cross site scripting information. Feel free to ask away.

Go to Topic: Previous•Next

Go to: Forum List•Message List•New Topic•Search•Log In

Input field XSS - but type=hidden

Posted by: GaSmo

Date: November 02, 2009 04:20AM

Hi,

I found way to inject code, but got a problem to start it.

<input type="hidden" name="rows" value=""/>

I can inject into value:

<input type="hidden" name="zero_rows" value="" onmouseover="alert(23)" />

U can see, the onmouseover will never trigger cuz the type is hidden.
Do one of you guys know a way to start code? I tryed to set the type
a second time:
<input type="hidden" name="zero_rows" value="" type="text" onmouseover="alert(23)" />
but this don't work in firefox and ie - ie is also warning about XSS Code and
changes the onmouseover into #nmouseover

Options: Reply•Quote

Re: Input field XSS - but type=hidden

Posted by: PaPPy

Date: November 02, 2009 04:46AM

use the search feature

http://www.xssed.com/archive/author=PaPPy/

Options: Reply•Quote

Re: Input field XSS - but type=hidden

Posted by: GaSmo

Date: November 02, 2009 05:04AM

ha!

Ok, sry searched with wrong parameters. Styles are the magic way to get it work.
thanks :)

ps:
damned phpmyadmin token ;)

Options: Reply•Quote

Re: Input field XSS - but type=hidden

Posted by: Anonymous User

Date: November 02, 2009 07:24AM

@styles: Yep. FF allows to override type=hidden via style=display:block etc. Just make sure the element is positioned absolutely, 999em*999em in size and at position 0px*0px - so the user _has_ to hover.

http://maliciousmarkup.blogspot.com/2008/11/hidden-fields-vs-css.html