An attacker can carry out a Cross-Site Scripting (XSS) attack by sending a malicious script to an unsuspecting user. The malicious script can access and steal cookies, session tokens, or other sensitive information retained by the browser. These scripts can even rewrite the content of the HTML page.
We often try to inject scripts into input fields and then exploit the XSS vulnerabilities. Sometimes, however, the application blocks the '<' and '>' characters, which makes it difficult for an attacker to execute scripts. You can check whether the application accepts the double quote character ("); if it does, this lets you inject input tag events, e.g. onmouseover, onclick, onload, etc.
Scenario 1: When tags are blocked
In the application below, we will use the onmouseover event to trigger XSS:

Here the end user will insert the script along with the "inputvalue", as below:

This executes our script because the application allows double quotes.
Similarly, you can try the other events available on input tags.
Scenario 2: When the script is inserted successfully in a hidden parameter but does not execute, since we cannot see the hidden input box.
For this we can use the access key feature of the keyboard.
Here is how it works: the new input script will be “accesskey="X" onclick="alert(9892)"”. When the end user presses ALT+SHIFT+X on the keyboard, the JavaScript is triggered.

Hence, we can execute an XSS payload inside a hidden attribute, provided we can persuade the victim to press the key combination. On Firefox for Windows/Linux the key combination is ALT+SHIFT+X, and on OS X it is CTRL+ALT+X.
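Both scenarios come down to the same defect: the filter removes '<' and '>' but leaves the double quote that delimits the attribute value. The following is an added example, not code from the original article; it renders a hidden input with that weak filter and with attribute-context encoding, then lists any attributes that the template did not intend. The function names, the field name q and the sample value are constructed for illustration.

```javascript
// Weak filter described in the article: only angle brackets are removed.
function stripAngleBrackets(s) {
  return String(s).replace(/[<>]/g, "");
}

// Encoder for a quoted HTML attribute value: quotes and '&' are encoded too.
function encodeAttr(s) {
  const map = { "&": "&amp;", '"': "&quot;", "'": "&#x27;", "<": "&lt;", ">": "&gt;" };
  return String(s).replace(/[&"'<>]/g, (c) => map[c]);
}

// Hypothetical server-side template: user input lands inside value="...".
function renderInput(value, sanitize) {
  return `<input type="hidden" name="q" value="${sanitize(value)}">`;
}

// Minimal scanner for one tag: returns the attribute names it contains.
function attributeNames(tagHtml) {
  const inner = tagHtml.replace(/^<\w+/, "").replace(/>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Attributes present in the output that the template never emits itself.
function injectedAttributes(tagHtml) {
  const expected = new Set(["type", "name", "value"]);
  return attributeNames(tagHtml).filter((n) => !expected.has(n));
}

// Constructed sample value, modelled on the string shown in Scenario 2.
const sample = '" accesskey="X" onclick="alert(9892)';

const weak = renderInput(sample, stripAngleBrackets);
const safe = renderInput(sample, encodeAttr);

console.log(weak);                      // value="" followed by two extra attributes
console.log(injectedAttributes(weak));  // [ 'accesskey', 'onclick' ]
console.log(safe);                      // quotes become &quot; and stay inside value
console.log(injectedAttributes(safe));  // []
```

The browser decodes &quot; back to a double quote when it reads the value, so the user's data is preserved while the attribute boundary stays intact.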