13/06/2017: This attack was coined as Bypassing XSS Mitigations Via Script Gadgets.
XSS filters remove the <form> tag, but they leave data-* attributes and stray <input> markup alone. What the filter hands back is a handful of harmless-looking HTML tags (<i> tags, for example) together with whatever data-* attributes the payload attached to them.
Unobtrusive scripting support for jQuery (the Rails jquery-ujs adapter)
Abusing the predefined data-* attributes of jQuery-ujs
Just like a CSRF attack, this forces the user to perform state-changing requests: transferring funds, changing their email address, and so forth. Unlike CSRF, though, the HTTP request comes from the same origin, so origin-based CSRF defences do not help.
"data-url" and "data-remote": send an AJAX request to the given URL after a change event on the element:
<input type="checkbox" name="task" id="task" value="1" data-url="/tasks/1" data-remote="true" data-method="post">
"data-params": add extra parameters to the request:
<a data-remote="true" data-method="post" data-params="param1=Hello+server" href="/test">AJAX action with POST request</a>
Since XSS filters reject the <form> tag, I use an <a> tag instead. My final payload:
<a data-remote="true" data-method="post" href="https://victim.com/change_email/" data-params="post_data_param_its_value">CSRF OF THE WIND</a>
When the victim clicks the injected <a> tag, the browser sends a POST HTTP request, including the CSRF token, that changes the email address of the victim's account.
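The root cause is a filter that strips tags but passes attributes through. An attribute allow-list closes that gap; the Python sanitizer below is an added example, not code from the original write-up: it re-emits only allow-listed tags and attributes, so every data-* attribute jQuery-ujs would act on is dropped. The ALLOWED table and SAFE_SCHEMES set are assumptions chosen for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list for this example: tag -> attributes allowed to survive.
# No data-* attribute is listed, so data-remote, data-method, data-url and
# data-params are dropped whatever tag carries them; <form>/<input> vanish.
ALLOWED = {"i": set(), "b": set(), "em": set(), "p": set(), "a": {"href"}}
SAFE_SCHEMES = {"", "http", "https"}  # "" keeps relative links like /tasks/1


class AllowListSanitizer(HTMLParser):
    """Re-emits an untrusted fragment keeping only allow-listed markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:  # data-*, on*, style, ... all dropped
                continue
            if name == "href" and urlsplit(value).scheme.lower() not in SAFE_SCHEMES:
                continue  # javascript:, data:, vbscript: ...
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))  # text nodes are re-escaped


def sanitize(fragment: str) -> str:
    """Return the allow-listed rendering of an untrusted HTML fragment."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed sample input: the gadget payload from the write-up above.
PAYLOAD = ('<a data-remote="true" data-method="post" '
           'href="https://victim.com/change_email/" '
           'data-params="post_data_param_its_value">CSRF OF THE WIND</a>')
```

Run `sanitize(PAYLOAD)` and only `<a href="https://victim.com/change_email/">CSRF OF THE WIND</a>` remains, which jQuery-ujs treats as an ordinary link.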