I've started playing with XSS to better improve my security posture at work. I've been able to successfully exploit a reflected XSS attack using a redirected POST form, but I can't seem to remove the extraneous characters displayed on the page.
I've checked:
How to load javascript on another webpage through XSS?
But none of the suggestions seem to work for me.
My exploit is a basic form, exploiting a PHP server-side script I've configured echoing $_POST['username'] into the value attribute:
<form id=1 method="post" action="http://vulnerable.site.com">
<input type="hidden" name="username"
value=""><script>alert('Hello');</script>"">
</form>
<script>
document.getElementById(1).submit();
</script>
Unencoded:
<form id=1 method="post" action="http://vulnerable.site.com">
<input type="hidden" name="username"
value=""><script>alert('Hello');</script>">
</form>
<script>
document.getElementById(1).submit();
</script>
But this pesky "> will not die.
I've tried:
- Several filter evasion techniques by adding additional characters recommended by OWASP
- Escaping the "> to "> - this results in syntax errors, and removing the leading quotes breaks the payload. BUT, based on resources linked above, it seems possible based on comments
- Using CSS selectors to hide the characters in my attack payload (using dev tools, the "> shows up as #text so I thought this might work)
I'm sure it's something silly, but what am I missing? It's clearly possible, but I'm not a skilled web developer (hence the fiddling around). Any feedback or advice would be appreciated!
I eventually figured it out after hours of trial and error. The idea is to close the dangling tag with a separate tag:
So the previous payload was:
Which, after the PHP script parses it, looks like this:
After adding a closing input tag, the solution worked:
And output from PHP parsing:
Note that the above needs to be HTML encoded to work properly. I omitted it for readability.
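As an added example (not code from the question or the answer above): the same reflection rendered with and without attribute encoding, then inspected with Python's html.parser the way a browser would tokenize it. The raw echo turns the submitted value into a separate script element and leaves the stray `">` text node the question describes; encoding with `html.escape` (the counterpart of PHP's htmlspecialchars) keeps the entire value inside the attribute. The template, function names and payload string are assumptions constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed template mirroring a server that echoes a submitted username
# into the value attribute of an input element.
TEMPLATE = '<form><input type="text" name="username" value="{value}"></form>'

def render_unescaped(username: str) -> str:
    """Vulnerable rendering: raw echo, like echo $_POST['username'] in PHP."""
    return TEMPLATE.format(value=username)

def render_escaped(username: str) -> str:
    """Hardened rendering: attribute encoding, like htmlspecialchars() with ENT_QUOTES."""
    return TEMPLATE.format(value=html.escape(username, quote=True))

class Inspector(HTMLParser):
    """Records tags, value attributes, and text that lands outside any script."""
    def __init__(self):
        super().__init__()
        self.tags, self.values, self.stray, self.in_script = [], [], [], False
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.in_script = self.in_script or tag == "script"
        self.values.extend(v for k, v in attrs if k == "value")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        # Text outside a script element is the dangling residue a user would see.
        if not self.in_script and data.strip():
            self.stray.append(data.strip())

def inspect(markup: str) -> dict:
    """Parse markup and summarise what a browser would build from it."""
    p = Inspector()
    p.feed(markup)
    p.close()
    return {"tags": p.tags, "values": p.values, "stray": "".join(p.stray)}

# Constructed input with the same shape as the question's payload.
PAYLOAD = "\"><script>alert('Hello');</script>"

if __name__ == "__main__":
    print("unescaped:", inspect(render_unescaped(PAYLOAD)))
    print("escaped:  ", inspect(render_escaped(PAYLOAD)))
```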