XSS in hidden input field

Hello again! I’m Faizan, and today I’m writing about an XSS I found in an input field that was hidden from the page using a content division (<div>) element. If you know what an XSS is, you may skip to the methodology.

What is an XSS?
An XSS (Cross-Site Scripting) is a type of vulnerability where an attacker can inject their own JavaScript code, making the application treat it as its own code, and ultimately use it for malicious purposes such as stealing users' session cookies, credentials, credit card information, and much more.

What does it mean by Stored XSS?
Stored XSS is when the attacker is able to permanently store their malicious payload/JavaScript code on the application server.


Before we dive in, let’s discuss how an input field is hidden from the web page.
There are various ways to hide an input field, two of which are:

  1. Using the type="hidden" attribute inside an <input> tag.
  2. Putting the <input> tag inside another element and setting its style to display:none

The type="hidden" attribute can be bypassed if the value is reflected before the type attribute inside the <input> tag, for example:
<input name="xyz" value="somevalue" type="hidden">

This can be bypassed by inserting another type attribute, type="text", ahead of it:
<input name="xyz" value="somevalue" type="text" type="hidden">

Browsers keep the first occurrence of a duplicated attribute, so this overrides the hidden type and you are good to go :)

In my case the <input> tag was inside the <div> element like:

<div style="display:none">
<input type="text" value="somevalue">

As the input field was hidden, I could not use onmouseover or similar attributes, because the input field was not visible.

So I tried the universal attribute autofocus, which focuses on the input field automatically; then using onfocus="alert(document.cookie)" would do the job. After inserting the payload, it looked something like:

<div style="display:none">
<input type="text" value="somevalue" autofocus onfocus="alert(document.cookie)">

I was so happy. I sent the request and opened the browser, but there was no luck!

As the <input> tag was hidden, it could not be autofocused!

How did I perform the XSS?

After playing around with multiple attributes, I came across an attribute called pattern. This attribute is used to compare the value against a pattern. It works like an if condition: if the value matches the pattern and is valid, one thing happens; if it is invalid, something else happens. After providing the payload, the response looked like this:

<div style="display:none">
<input type="text" value="somevalue" pattern="somethingelse" oninvalid="alert(document.cookie)">

I sent the request again and opened the browser, and the pop-up appeared on the screen!

developers wondering how I got inside 😂

If you have any other ideas or questions, leave a comment below!
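
For the fix side of this finding, here is an added example (not part of the original post or the affected application's code): the reflected value is encoded for the attribute context so it can no longer close the value attribute and add pattern/oninvalid. The function names and the small attribute lister are assumptions made for this illustration.

```javascript
// Encode a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// "Before": the value is concatenated into the attribute as-is.
function renderUnsafe(value) {
  return `<div style="display:none">\n<input type="text" value="${value}">\n</div>`;
}

// "After": same markup, value encoded for the attribute context.
function renderSafe(value) {
  return `<div style="display:none">\n<input type="text" value="${escapeAttr(value)}">\n</div>`;
}

// Minimal attribute lister for the <input> tag in the rendered markup
// (enough for this demo; not a general HTML parser).
function inputAttributes(html) {
  const tag = html.match(/<input\b([^>]*)>/i);
  if (!tag) return [];
  const names = [];
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Event-handler attributes (on*) present on the rendered <input>.
function injectedHandlers(html) {
  return inputAttributes(html).filter((n) => n.startsWith('on'));
}

// Constructed input reproducing the attribute break-out shown in the post.
const payload = 'somevalue" pattern="somethingelse" oninvalid="alert(document.cookie)';

console.log('unsafe:', inputAttributes(renderUnsafe(payload)));
console.log('safe:  ', inputAttributes(renderSafe(payload)));
```

With the encoded version the browser sees only type and value on the <input>; the rest of the submitted string is plain attribute text. The same attribute listing can be used in a regression test to flag any on* attribute that appears after rendering user-controlled values.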




Security Researcher| Bug-crowd | Synack SRT member

Faizan Elahi
