1

I'm working on trying to find vulnerabilities on a fake website for class and I was wondering how to launch XSS code into this input field?

  • This is the code from the website:

    <form name="friendForm" method="POST" action="/Tunestore/addfriend.do">
      Friend name: <input type="text" name="friend" value="&quot
        <script>alert(1)</script>"><br>
      <input type="submit" value="Submit">
    </form>

  • I have tried this but it didn't work:

    "> <script>alert(1)</script>

    " onfocus="alert(1)"

    " onclick="alert(1)

5
  • That's because your browser escapes the value you type in there. Typically XSS is achieved when the text you write into an input box is later treated as HTML and published somewhere, maybe check out Computerphile's video on XSS. Commented Sep 11, 2018 at 16:37
  • So XSS would not be possible on this type of input? Commented Sep 11, 2018 at 16:41
  • Not like this, no Commented Sep 11, 2018 at 16:42
  • What is the way to achieve XSS with an input field like that? Commented Sep 11, 2018 at 16:43
  • As I wrote above, the text in that input field has to be treated like HTML in a process that publishes it, let's say, you're making a blog and the comment section has a textbox. When a user hits submit you just add that comment as a <p> to the site, if the user then enters some HTML, including script tags, that JS will be executed by all clients visiting the page, not just by your own browser, which isn't really a good attack vector Commented Sep 11, 2018 at 16:46

1 Answer

2

Try this:

    " onfocus="alert(1)" autofocus="

It will expand to:

    <input type="text" name="friend" value=" " onfocus="alert(1)" autofocus=" " />

Which will cause an alert box, demonstrating XSS.


3 Comments

did you try methods on owasp.org/index.php/… ?
A browser will most certainly not treat the input as HTML, it will escape the characters
Please properly format your answer, e.g. by using code blocks: stackoverflow.com/help/formatting
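
As an added example (not code from the question, the answer, or the Tunestore site), the script below assumes a server that echoes the submitted `friend` value back into the `value` attribute, and compares unencoded output with HTML-attribute encoding for the four strings quoted in this thread. The names `renderUnsafe`, `renderSafe`, `escapeAttr`, `inspect` and `isContained` are hypothetical.

```javascript
// Constructed sample inputs: the four strings quoted in the question and answer.
const samples = [
  '"> <script>alert(1)</script>',
  '" onfocus="alert(1)"',
  '" onclick="alert(1)',
  '" onfocus="alert(1)" autofocus="',
];

// Assumed server-side template that echoes the value without encoding.
function renderUnsafe(friend) {
  return '<input type="text" name="friend" value="' + friend + '">';
}

// Encode every character that can close the attribute or open a tag.
function escapeAttr(s) {
  const map = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };
  return String(s).replace(/[&"'<>]/g, (c) => map[c]);
}

// Same template, with the value encoded before it is inserted.
function renderSafe(friend) {
  return '<input type="text" name="friend" value="' + escapeAttr(friend) + '">';
}

// Small scanner for this one tag shape (not a full HTML parser): lists the
// attribute names a parser would see and any markup left after the tag closes.
function inspect(html) {
  const attrs = [];
  const re = /\s+([^\s=>"\/]+)(?:\s*=\s*"([^"]*)")?/y; // sticky: match at lastIndex only
  let pos = html.indexOf('<input') + '<input'.length;
  let m;
  re.lastIndex = pos;
  while ((m = re.exec(html)) !== null) {
    attrs.push(m[1]);
    pos = re.lastIndex;
  }
  return { attrs, trailing: html.slice(html.indexOf('>', pos) + 1) };
}

// Contained: the tag keeps only its three intended attributes and nothing follows it.
function isContained(html) {
  const { attrs, trailing } = inspect(html);
  return attrs.join(',') === 'type,name,value' && trailing === '';
}

for (const s of samples) {
  console.log(JSON.stringify(s), '| unencoded contained:', isContained(renderUnsafe(s)),
    '| encoded contained:', isContained(renderSafe(s)));
}
```

With encoding applied, every sample stays inside `value` as text; without it, each one either adds an attribute to the tag or leaves markup after it.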
