When dealing with HTML injections there’s an interesting trick to make an XSS attack work. To illustrate this technique we will make use of the following code, tweeted as a mini-challenge:
The code is short and very simple, but it is built with key elements of a real-world scenario:
In contrast to the obvious input, what this code has is a PHP_SELF flaw, which lets us inject through the URL itself without providing any parameter:
As our injection lands inside a tag attribute, we try to break out of it, without success, because the greater-than sign (>), needed to close the tag and start a new one, is replaced by a minus sign (-):
So we try an inline injection instead, using an event handler:
But if we create an arbitrary attribute and simply leave its value open, all the markup after the injection becomes part of that value:
That way, the “1” attribute is closed only when the browser’s HTML parser finds the next single quote ('), which is the one in the “Don’t be evil.” phrase. The form tag, the one we injected into, is closed only at the next greater-than sign (>), which is the one in the </h6> tag.
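To see that quote-swallowing behaviour, and the fix for it, here is an added Python example that is not part of the challenge or of the original post: it feeds a constructed stand-in for the page to the standard library's tolerant HTML parser, once with the challenge's '>' to '-' filter and once with the attribute value quoted and HTML-encoded. The template markup, the unquoted action attribute and the injected path are assumptions; the attribute name “1” and the “Don’t be evil.” phrase are the page's.

```python
from html.parser import HTMLParser
import html

# Constructed stand-in for the challenge page; its real source is not reproduced here.
# The unquoted action attribute echoes the request path (PHP_SELF style) and the only
# filter, as on the challenge, turns '>' into '-'.
VULNERABLE_TEMPLATE = (
    "<form action={path} method=post>\n"
    "<input name=q><h6>Don't be evil.</h6>\n"
    "</form>\n"
    "<script src=congrats.js></script>"
)
# Fix: quote the attribute value (and HTML-encode it in render_fixed below).
FIXED_TEMPLATE = VULNERABLE_TEMPLATE.replace("action={path}", 'action="{path}"')

# Constructed request path: starts a new attribute named "1" and leaves its value open.
INJECTED_PATH = "/index.php/ 1='"


class StartTagCollector(HTMLParser):
    """Record the start tags and their attributes as a tolerant HTML parser sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_start_tags(markup):
    parser = StartTagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def render_vulnerable(path):
    # Only '>' is neutralised; quotes and spaces reach the attribute untouched.
    return VULNERABLE_TEMPLATE.format(path=path.replace(">", "-"))


def render_fixed(path):
    # Quoting plus html.escape (quote=True encodes both ' and ") keeps the value inside the attribute.
    return FIXED_TEMPLATE.format(path=html.escape(path, quote=True))


if __name__ == "__main__":
    for label, markup in (("vulnerable", render_vulnerable(INJECTED_PATH)),
                          ("fixed", render_fixed(INJECTED_PATH))):
        print(label, [(tag, attrs.get("1")) for tag, attrs in parse_start_tags(markup)])
```

In the vulnerable rendering the parser emits no input or h6 start tag at all: both are swallowed into the value of the “1” attribute, which ends at the apostrophe of “Don't”.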
So here comes the last trick. In the current Firefox browser, we have the following handlers, which only need a script block after them in the source to trigger:
But to reach the very end of the challenge (in the congrats.js script of the page),
alert("Almost there, try again.");
we can only use the latter:
P.S.: in my private Twitter account @brutalsecrets there’s another useful example of this technique.