PortSwigger researchers discovered a practical XSS exploitation technique for hidden input fields using the accesskey attribute combined with onclick events, which works across modern browsers including Firefox and Chrome by triggering payload execution via keyboard shortcuts (ALT+SHIFT+X on Windows, CTRL+ALT+X on macOS).
A reflected XSS vulnerability was found on sharjah.dubizzle.com (OLX property) where unsanitized user input was reflected in an HTML link tag. The vulnerability exploited the HTML accesskey attribute combined with onclick handler to execute arbitrary JavaScript when users pressed ALT+SHIFT+X.
A reflected XSS vulnerability was discovered in Oracle NetSuite's search functionality exploiting the HTML accesskey attribute, allowing arbitrary JavaScript execution when a victim pressed Alt+Shift+X on a crafted malicious link.
A detailed writeup presenting five real-world XSS vulnerabilities across different web applications, showcasing evasion techniques including mobile DOM-events not covered by blacklists, hidden input attribute injection, WAF bypass through incomplete tag closure with script src attributes, and the importance of testing overlooked functionality.