How to launch XSS code from an INPUT HTML tag upon page load?

Question

Say I have the a website with the following code on it:

<input type="text" id="search-text" name="query" value="?" />

Double quotes aren't escaped so I can break out of the value attribute, however, I can't break out of the HTML tag itself as '<' and > are being filtered out.

My goal here is to get a javascript popup to appear.

There's the onfocus attribute so I guess if someone clicked on the text input box a javascript popup could appear.
However is there a way to make a javascript popup appear when the page first loads?

did you try all the techniques on https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#No_closing_script_tags ? — KDEx, Aug 22 '15 at 18:40
I can't break out of the <input tag to start a <script tag, let alone not close a <script tag I'm already in. I'm not aware of any others that'll help either but if you are aware of one do feel free to post it as the answer.. — neubert, Aug 22 '15 at 18:42
What reason would there be for not encoding double quotes? — Anonymous, Aug 22 '15 at 20:22
@Anonymous - ignorance? I didn't write the website that I'm trying to exploit! — neubert, Aug 22 '15 at 20:25
@neubert Oh, I read the phrase "Say I have the a website" and assumed you owned it. If not, this fits the close reason "Questions asking us to break the security of a specific system for you are off-topic unless they demonstrate an understanding of the concepts involved and clearly identify a specific problem." in my opinion. — Anonymous, Aug 22 '15 at 20:27
@Anyonous - well them let me create a PoC website that demo's the vulnerability. Done. Now... how do I exploit it? And I do believe I have demonstrated an understanding of the concepts. As I said in my OP I can break out of the attribute but not the tag. Or do you believe that familiarity with the autofocus attribute essential to understanding XSS? — neubert, Aug 22 '15 at 20:29

paj28 · Accepted Answer · 2015-08-22T20:44:07.393

60

Try this:

" onfocus="alert(1)" autofocus="

It will expand to:

<input type="text" id="search-text" name="query" value="" onfocus="alert(1)" autofocus="" />

Which will cause an alert box, demonstrating XSS.

edited Aug 22 '15 at 20:44

answered Aug 22 '15 at 20:00

paj28

33,442
8
96
133

1

Is there also any event which works with input type=hidden? – Sanchit Sharma Aug 22 '17 at 09:25
@SanchitSharma See this question: https://security.stackexchange.com/q/182762/91506 – mbomb007 Apr 02 '18 at 16:30

score 0 · Answer 2 · answered Jan 21 '23 at 10:15

0

Hyyyyyygg alert("xss")alert("xss")alert("xss")alert("xss")</svg onResize></svg onResize></svg onResize></svg onResize></svg onResize>

answered Jan 21 '23 at 10:15

user288320

1

score -3 · Answer 3 · answered Aug 24 '15 at 10:48

-3

You can checkout for this too

ONLOAD=alert('XSS')

Which will produce an alert box when the page loads.

answered Aug 24 '15 at 10:48

Bhuvanesh

87
1
5

3

Didn't work for me. Nor would I expect it to. onload isn't valid for input type="text" per http://www.w3schools.com/jsref/event_onload.asp – neubert Aug 24 '15 at 12:18

How to launch XSS code from an INPUT HTML tag upon page load?

3 Answers3

Linked