In our article "Exploiting XSS - Injecting in to Direct HTML" we started to explore the concept of exploiting XSS in various contexts by identifying the syntactic context of the response. In this article we demonstrate some methods of modifying your input when injecting in to various Tag Attributes.
The example uses a version of "Mutillidae" taken from OWASP's Broken Web Application Project. Find out how to download, install and use this project. The page used is the XSS Document view page; you can access this page from the vulnerabilities console.
Suppose that after inputting a benign string (asdfghjkl) to each entry point in an application, the returned page contains the following:
<tag attribute="asdfghjkl" name="example" value="1">
Check that the payload appears unmodified in the response, before testing the exploit in your browser.
You can use Burp's "Request in browser" function to perform this check.
If your exploit has executed correctly your browser should render a pop-up alert.
Numerous event handlers can be used with various tags to cause a script to execute. Another example that requires no user interaction is:
However, with some user interaction it is possible to execute an XSS payload. You can read more about this technique on our blog post - XSS in Hidden Input Fields.