Hi,

Need assistance in validating a vulnerability. When executing a specific URL:
https://x.x.x.x/b/l.e?null=http://hXvpfwkV.example.com/

The page is returned and I can find "http://hXvpfwkV.example.com/" in the source of the page...here is the source:

<INPUT id="rt" name="rt" type="hidden" value="null=http://hXvpfwkV.example.com/">

I am trying to understand how this could be a vulnerability and how would one exploit it? What are the limitations?

Any assistance would be appreciated.

Regards
A

have you tried any of these?
https://x.x.x.x/b/l.e?null=http://hXvpfwkV.example.com/?test=">test
https://x.x.x.x/b/l.e?null=http://hXvpfwkV.example.com/">test
https://x.x.x.x/b/l.e?null=http://hXvpfwkV.example.com/#">test

http://www.xssed.com/archive/author=PaPPy/

Tried that, does not return anything but the injected code in the source of the page.

Thanks for the assistance.

Will some type of RFI attack possibly work?

What do you mean it returns the injected code?

Does it return the injected code without sanitization?

Can you provide an example of the output when using one of PaPPy's strings?

Also, keep in mind that the input type is hidden, so you will need to use other methods of XSS if you aren't able to break out of the tag.