
PortSwigger Web Security Blog

Monday, November 16, 2015

XSS in Hidden Input Fields

At PortSwigger, we regularly run pre-release builds of Burp Suite against an internal testbed of popular web applications to make sure it's behaving properly. Whilst doing this recently, Liam found a Cross-Site Scripting (XSS) vulnerability in [REDACTED], inside a hidden input element:
<input type="hidden" name="redacted" value="default" injection="xss" />
XSS in hidden inputs is frequently very difficult to exploit because the typical JavaScript events used in attribute injection, such as onmouseover and onfocus, can't be triggered: the element is invisible, so it can't be hovered over or focused.

I decided to investigate further to see if it was possible to exploit this on a modern browser. I tried a number of approaches, including autofocus and various CSS tricks. Eventually I thought about access keys and wondered whether the onclick event would fire on the hidden input when it was activated via an access key. It most certainly does on Firefox! This means we can execute an XSS payload inside a hidden input, provided you can persuade the victim to press the key combination. On Firefox for Windows/Linux the key combination is ALT+SHIFT+X, and on OS X it is CTRL+ALT+X. You can specify a different key combination by using a different key in the accesskey attribute. Here is the vector:
<input type="hidden" accesskey="X" onclick="alert(1)">
This vector isn't ideal because it requires some user interaction, but it's vastly better than expression(), which only works on IE<=9.

Note: We've reported this vulnerability to the application's security team. However, they haven't responded in any way after 12 days and a couple of emails. We wanted to make people aware of this particular technique, but we won't be naming the vulnerable application concerned until a patch is available.

This isn't the first time that Burp Scanner has unearthed a vulnerability in an extremely popular web application, and we doubt it will be the last.

Mind those access keys... - @garethheyes

7 comments:

Anonymous said...

I've never heard of this [REDACTED] application. #troll

vizzdoom said...

Hmm, I can't reproduce that kind of injection. What browser did you use for testing XSS in hidden field described above? Could you guys upload some plunkrs with sample payload?

Gareth Heyes said...

Hi @Vizzdoom

Only works on Firefox. ALT+SHIFT+X on Windows/Linux, CTRL+ALT+X on OS X.

http://run.plnkr.co/wTRERUOOH9wDBequ/

vizzdoom said...

Thanks @Gareth!

Kamil Vavra said...

Thank you, very useful! :)

Anonymous said...

Is there any special way to prevent these kinds of attacks?

James Kettle said...

@Anon these can be prevented using normal XSS prevention techniques such as HTML-encoding user input before embedding it in an attribute, or defining a whitelist of valid characters.
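Added example (not code from the post, its comments, or PortSwigger) showing the attribute-interpolation bug beside the HTML-encoded form James describes, plus a parser-based check for the accesskey/onclick attributes the post's vector relies on. The function names and the constructed payload are assumptions for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed payload mirroring the post's vector: it closes the value
# attribute and then adds accesskey and onclick to the hidden input.
PAYLOAD = '" accesskey="X" onclick="alert(1)" x="'


def render_hidden_unsafe(name, value):
    """Vulnerable: user data is interpolated straight into the attribute."""
    return f'<input type="hidden" name="{name}" value="{value}" />'


def render_hidden_safe(name, value):
    """Hardened: HTML-encode (quotes included) before embedding in the attribute."""
    name = html.escape(name, quote=True)
    value = html.escape(value, quote=True)
    return f'<input type="hidden" name="{name}" value="{value}" />'


class _InputCollector(HTMLParser):
    """Collects the attribute dict of every <input> tag seen by the parser."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def input_attrs(markup):
    """Parse markup the way a browser would and return the <input> attributes."""
    parser = _InputCollector()
    parser.feed(markup)
    return parser.inputs


def has_injected_handler(markup):
    """Detection check: does any <input> carry an accesskey or on* handler?"""
    for attrs in input_attrs(markup):
        if "accesskey" in attrs or any(k.startswith("on") for k in attrs):
            return True
    return False


if __name__ == "__main__":
    print("unsafe:", has_injected_handler(render_hidden_unsafe("redacted", PAYLOAD)))
    print("safe:  ", has_injected_handler(render_hidden_safe("redacted", PAYLOAD)))
```

In the encoded rendering the parser still recovers the original string as the value attribute, so the data round-trips without the injected attributes ever existing.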


Copyright 2016 PortSwigger Ltd. All rights reserved.