
I have a form in html:

<form name="foo" action="http://localhost:3000/my_url" method="POST">
   <input type="text" name="username" value="alert('hello')" >
</form>

I need to get that JavaScript in the value field of the input to execute, but only through the form's submit. The reason is that the page is a template, so I don't control it (can't have

<script>
   var input = document.getElementsByName("username");
</script>

or any other <script> tag added to the page. I'm trying to prove that it's possible for an attack to take place over malformed <input> fields, especially using templates. How can I have that JavaScript execute on the form submission? Remember I'm not allowed to modify the page content except for that piece. Since I'm doing a POST of that form, I can set the <input> field (and only the <input> field) to whatever I want. I could do

username=<script>alert('hello')<script>
<input type="text" name="username" value="<script>alert('hello')<script>" >

or

username=window.onload = function() { alert('hello') }
<input type="text" name="username" value="window.onload = function() { alert('hello') }" >

I have thought about doing a

username=document.forms['myform'].onsubmit() = function() { alert('hello') }
<input type="text" name="username" value="document.forms['myform'].onsubmit() = function() { alert('hello') }" > 

All of those are valid. However, I need to get the JavaScript in the tag to execute. How can I do that? The security flaw is how the <input> tag can be exploited if not properly sanitized. As per @guest271314, "requirement include adding tag ..."

  • eval() will achieve what you need. Are you using this as an example of why you shouldn't allow unsanitised JS code to be placed in HTML inputs? I hope so, because otherwise this is terrible - and is a massive security flaw. Commented May 11, 2015 at 14:43
  • "I'm not allowed to modify the page content except for that piece." Do you mean you can change some code in the area of the submit event, or that you can only modify the actual value in the <input>? Commented May 11, 2015 at 14:43
  • @RoryMcCrossan that's exactly what I want ... could you formulate it in an answer? Commented May 11, 2015 at 14:46
  • @JamesThorpe In the actual problem I have a Javascript code that will modify the <form> in order to capture the value in the username input... I can edit the question with that piece of Javascript if you want Commented May 11, 2015 at 14:47
  • @JamesThorpe I only can modify the actual value in the <input> Commented May 11, 2015 at 15:02

2 Answers


When you use a template engine to render HTML content, the server normally sanitizes and escapes it to prevent passive injection of cross-site scripts, or XSS for short.

Such an attack can easily be achieved on a server that does not enforce the previously mentioned security measures, by posting malformed content that will happily be rendered later by the template engine.

For example, a form that sends user input:

<form name="foo" action="http://localhost:3000/my_url" method="POST">
   <input type="text" name="username" value="" >
</form>

If the user sends something like "><script>alert('foo')</script> and later you display this input in another form:

<form name="bar" action="http://localhost:3000/my_other_url" method="POST">
    <input type="text" name="username" value="@template_engine_render(posted_username_value)@" >
</form>

The resulting output will be:

<form name="bar" action="http://localhost:3000/my_other_url" method="POST">
    <input type="text" name="username" value="">
    <script>alert('foo')</script>
</form>

Because the "> characters close the input tag, you will end up executing arbitrary user JavaScript code in your page.

This is why "Never trust user input" is one of the most basic security rules of the web.
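As an added illustration of the break-out this answer describes (it is not part of the original answer), the following Node.js script renders the "bar" form once with the vulnerable pass-through and once with attribute-context escaping; escapeAttr, renderBarForm and countTags are names chosen here, not a real template engine's API.

```javascript
// Escape a value for use inside a double-quoted HTML attribute.
// '&' goes first so the entities produced by later replacements
// are not themselves re-encoded.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Stand-in for the answer's @template_engine_render(...)@ placeholder:
// renders the "bar" form with the posted username in the value attribute.
// escape=false reproduces the vulnerable engine, escape=true the fixed one.
function renderBarForm(postedUsername, escape) {
  const v = escape ? escapeAttr(postedUsername) : postedUsername;
  return '<form name="bar" action="http://localhost:3000/my_other_url" method="POST">\n' +
         '    <input type="text" name="username" value="' + v + '" >\n' +
         '</form>';
}

// Cheap structural check for a test suite: count the tags in the rendered
// markup. The template has exactly three (<form>, <input>, </form>); any
// extra tag means the value broke out of the attribute.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

// The payload quoted in the answer, as constructed sample input.
const PAYLOAD = '"><script>alert(\'foo\')</script>';

const vulnerable = renderBarForm(PAYLOAD, false);
const fixed = renderBarForm(PAYLOAD, true);
console.log(countTags(vulnerable)); // 5: input closed early, <script>...</script> added
console.log(countTags(fixed));      // 3: still just form, input, /form
```

The same check catches any value containing `"` or `<` that reaches the attribute unescaped, not only this payload.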


1 Comment

Done, thanks for the help! That's what I was looking for. I'm sorry if I wasn't clear enough; I didn't fully know what was going on, and I learnt in the process. Thank you!

Try utilizing Function

Note: submission of the form at Stack Snippets appears blocked; substituted the click event for the submit event, i.e., click on the input at Stack Snippets for the value of the input to be called as a parameter to Function.

document.forms["foo"].onclick = function(e) {
  Function(this.children[0].value)()
}
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
<form name="foo" action="" method="POST">
   <input type="text" name="username" value="alert('hello')" >
</form>

17 Comments

Would you add the document.forms["foo"].onclick = function(e) { Function(this.children[0].value)() } to the value field?
Have come to realize that no external script can be used... only whatever gets entered into input as value. Question was a bit misleading
well now you are using script tags phillipe... there's no rocket science there...that is certainly a known security risk and why people sanitize tags. If that is what this whole question is about it's a big waste of time
I'm really about over this question. Original specification should have been a lot more clear since it said no tags. You can find all of this by searching the web
@guest271314 right, and probably lots of white papers on what ugly script in a tag can do... all easily found in a google search
