Monday, November 16, 2015

XSS in Hidden Input Fields

At PortSwigger, we regularly run pre-release builds of Burp Suite against an internal testbed of popular web applications to make sure it's behaving properly. Whilst doing this recently, Liam found a Cross-Site Scripting (XSS) vulnerability in [REDACTED], inside a hidden input element:
<input type="hidden" name="redacted" value="default" injection="xss" />
XSS in hidden inputs is frequently very difficult to exploit because typical JavaScript events like onmouseover and onfocus can't be triggered due to the element being invisible.

I decided to investigate further to see if it was possible to exploit this on a modern browser. I tried a number of approaches, such as autofocus and CSS tricks. Eventually I thought about access keys and wondered whether the onclick event would fire on the hidden input when it was activated via an access key. It most certainly does on Firefox! This means we can execute an XSS payload inside a hidden attribute, provided you can persuade the victim to press the key combination. On Firefox for Windows/Linux the key combination is ALT+SHIFT+X, and on OS X it is CTRL+ALT+X. You can specify a different key combination by using a different letter in the accesskey attribute. Here is the vector:
<input type="hidden" accesskey="X" onclick="alert(1)">
This vector isn't ideal because it involves some user interaction, but it's vastly better than expression(), which only works on IE<=9.

Note: We've reported this vulnerability to the application's security team. However, they haven't responded in any way after 12 days and a couple of emails. We wanted to make people aware of this particular technique, but we won't be naming the vulnerable application concerned until a patch is available.

This isn't the first time that Burp Scanner has unearthed a vulnerability in an extremely popular web application, and we doubt it will be the last.

Mind those access keys... - @garethheyes

9 comments:

Anonymous said...

I've never heard of this [REDACTED] application. #troll

vizzdoom said...

Hmm, I can't reproduce that kind of injection. What browser did you use for testing XSS in hidden field described above? Could you guys upload some plunkrs with sample payload?

Gareth Heyes said...

Hi @Vizzdoom

Only works on Firefox. ALT+SHIFT+X on Windows/Linux, CTRL+ALT+X on OS X.

http://run.plnkr.co/wTRERUOOH9wDBequ/

vizzdoom said...

Thanks @Gareth!

Kamil Vavra said...

Thank you, very useful! :)

Anonymous said...

Is there any special way to prevent these kinds of attacks?

James Kettle said...

@Anon these can be prevented using normal XSS prevention techniques such as HTML-encoding user input before embedding it in an attribute, or defining a whitelist of valid characters.
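As an added example (not PortSwigger's code and not from the original post or comments), the following Python puts the post's attribute injection next to the HTML-encoding fix and the allowlist approach described in the comment above, and adds a small audit that flags hidden inputs carrying event-handler or accesskey attributes, which a legitimate hidden field has no reason to have. The field name, the injected value and the render functions are constructed for illustration.

```python
"""Added example: hidden-input attribute injection, the encoding fix,
an allowlist check, and an audit of rendered markup.
All values below are constructed for illustration."""
import html
import re
from html.parser import HTMLParser


def render_hidden_input_unsafe(name: str, value: str) -> str:
    """Vulnerable: the untrusted value is interpolated straight into the
    quoted attribute, so a value containing '"' can close the quote and
    append new attributes (e.g. accesskey and onclick, as in the post)."""
    return f'<input type="hidden" name="{name}" value="{value}" />'


def render_hidden_input(name: str, value: str) -> str:
    """Hardened: html.escape(quote=True) encodes & < > " and ', so the value
    can never terminate the attribute it is embedded in."""
    safe_name = html.escape(name, quote=True)
    safe_value = html.escape(value, quote=True)
    return f'<input type="hidden" name="{safe_name}" value="{safe_value}" />'


# Allowlist alternative: accept only a tight character set for this field.
ALLOWED_VALUE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def value_is_allowed(value: str) -> bool:
    """True only if the value matches the allowlist pattern exactly."""
    return ALLOWED_VALUE.fullmatch(value) is not None


class HiddenInputAuditor(HTMLParser):
    """Collects (name, [attrs]) for every hidden input that carries an
    on* event handler or an accesskey attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = {k.lower(): v for k, v in attrs}
        if (attr.get("type") or "").lower() != "hidden":
            return
        suspicious = sorted(
            k for k in attr if k.startswith("on") or k == "accesskey"
        )
        if suspicious:
            self.findings.append((attr.get("name"), suspicious))


def audit_hidden_inputs(markup: str):
    """Parse rendered HTML and return the auditor's findings (empty = clean)."""
    auditor = HiddenInputAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


# Constructed attacker-controlled value modelled on the post's vector.
INJECTED_VALUE = 'default" accesskey="X" onclick="alert(1)'

if __name__ == "__main__":
    unsafe = render_hidden_input_unsafe("redacted", INJECTED_VALUE)
    safe = render_hidden_input("redacted", INJECTED_VALUE)
    print("unsafe:", unsafe)
    print("audit:", audit_hidden_inputs(unsafe))   # flags accesskey/onclick
    print("safe:  ", safe)
    print("audit:", audit_hidden_inputs(safe))     # []
    print("allowlist accepts injected value:", value_is_allowed(INJECTED_VALUE))
```

The audit uses the standard-library parser, so it sees the markup the way a browser's tokenizer would: in the unsafe rendering the injected quote ends the value attribute and the parser reports accesskey and onclick as separate attributes, whereas in the encoded rendering the whole string stays inside value and nothing is flagged.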

Soi Andro said...

Hello,
I'm Soy. I have found a URL param that can pass an HTML attribute into the passed value,
but some HTML attributes were filtered, so I tried to inject a style attribute into the value, and the result is that the style attribute is rendered by the browser.
ex PoC
"https://target.com/edit_profile.pl?dest=https://target.com/edit_profile.pl/"style=color:red&id=123"

html output:
"< a href="https://target.com/edit_profile.pl" style="color:red;">button"

My question is:
Is there a way to trigger a JavaScript alert using the style attribute?

thanks

James Kettle said...

@Soi,

Attribute/tag filters are often flawed and can be bypassed using obscure tags like those listed on https://html5sec.org so I'd recommend trying those if you haven't already.

CSS can't be used to execute JavaScript in any modern web browsers, but you can steal page contents (which may include CSRF tokens) using pure CSS - see some of the techniques listed near the end of http://blog.portswigger.net/2015/02/prssi.html