A well-known website had a limit of 32 chars on the user name field that was reflected in the public profile area. That field allowed XSS exploitation: [code lang=”html”]d<img src=x onerror=prompt(1)>[/code] Simple right? But sometimes you need to provide a better vector where the affected company can see more than a prompt with a number.… Continue reading Tiny XSS exploitation