How to launch XSS code from an INPUT HTML tag upon page load?

  • Say I have the a website with the following code on it:

    <input type="text" id="search-text" name="query" value="?" />

    Double quotes aren't escaped so I can break out of the value attribute, however, I can't break out of the HTML tag itself as '<' and > are being filtered out.

    My goal here is to get a javascript popup to appear.

    • There's the onfocus attribute so I guess if someone clicked on the text input box a javascript popup could appear.
    • However is there a way to make a javascript popup appear when the page first loads?

    I can't break out of the `

    What reason would there be for *not* encoding double quotes?

    @Anonymous - ignorance? I didn't write the website that I'm trying to exploit!

    @neubert Oh, I read the phrase *"Say I have the a website"* and assumed you owned it. If not, this fits the close reason *"Questions asking us to break the security of a specific system for you are off-topic unless they demonstrate an understanding of the concepts involved and clearly identify a specific problem."* in my opinion.

    @Anyonous - well them let me create a PoC website that demo's the vulnerability. *Done*. Now... how do I exploit it? And I do believe I have demonstrated an understanding of the concepts. As I said in my OP I can break out of the attribute but not the tag. Or do you believe that familiarity with the `autofocus` attribute essential to understanding XSS?

  • paj28

    paj28 Correct answer

    6 years ago

    Try this:

    " onfocus="alert(1)" autofocus="

    It will expand to:

    <input type="text" id="search-text" name="query" value="" onfocus="alert(1)" autofocus="" />

    Which will cause an alert box, demonstrating XSS.

    Is there also any event which works with input type=hidden?

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM