eBay added me to its hall of fame after I reported a clickjacking-related issue to them.
On one of our customers' websites, the injection point is inside the <link rel='canonical' href=''> tag, and the template looks something like this:
<link rel='canonical' href='http://example.com/test.php?pid=<?php echo $_SERVER['QUERY_STRING']; ?>'>
The server encodes <, > and ". If you request http://example.com/test.php?pid="<qss>, the response is
<link rel="canonical" href='http://example.com/test.php?pid="<qss>' />
In this case, the following payload exploits the XSS in IE7 and IE8.
The Burp team found a new way to exploit XSS in hidden input fields. The key point is to use the accesskey attribute to trigger the onclick event!
<input type="hidden" accesskey="X" onclick="alert(1)">
Details can be found at http://blog.portswigger.net/2015/11/xss-in-hidden-input-fields.htm
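Both cases above are reflections into an HTML attribute, and both depend on the encoder matching the quoting of the attribute the value lands in: the canonical href is single-quoted, so encoding only <, > and " leaves the single quote as a way out, and the same break-out is what lets extra attributes such as accesskey/onclick be added to a hidden input. The following is an added Python example, not code from the original post: encode_partial mimics the server behaviour described above, encode_full is the hardened form, and the rendered tag is parsed to confirm the input stayed inside href. The probe string is constructed for this example.

```python
import html
from html.parser import HTMLParser

CANONICAL_BASE = "http://example.com/test.php?pid="


def encode_partial(s: str) -> str:
    """Mimics the server on the page: only <, > and " are encoded; ' is left alone."""
    return s.replace("<", "&lt;").replace(">", "&gt;").replace('"', "&quot;")


def encode_full(s: str) -> str:
    """Hardened form: html.escape(quote=True) also encodes & and ', so the value
    cannot terminate a single- or double-quoted attribute."""
    return html.escape(s, quote=True)


def render_canonical(query_string: str, encoder) -> str:
    # Same single-quoted href as the vulnerable PHP template on the page.
    return f"<link rel='canonical' href='{CANONICAL_BASE}{encoder(query_string)}' />"


class _FirstLinkAttrs(HTMLParser):
    """Collects the attributes of the first <link> tag, decoded as a browser would."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "link" and self.attrs is None:
            self.attrs = dict(attrs)


def reflected_safely(query_string: str, encoder) -> bool:
    """True only if the tag still has exactly rel and href, and href decodes back to
    base + the raw input, i.e. nothing escaped the attribute context."""
    parser = _FirstLinkAttrs()
    parser.feed(render_canonical(query_string, encoder))
    attrs = parser.attrs or {}
    return set(attrs) == {"rel", "href"} and attrs.get("href") == CANONICAL_BASE + query_string


if __name__ == "__main__":
    # The page's own probe looks safe with the partial encoder ...
    print(reflected_safely('"<qss>', encode_partial))          # True
    # ... but a single quote is enough to add an attribute (constructed probe).
    print(reflected_safely("' data-x='qss", encode_partial))   # False
    print(reflected_safely("' data-x='qss", encode_full))      # True
```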