I needed a small XSS vector that could fit in a variable limited to 10 characters, for a private client, to show him that limiting the length of a variable is not secure…
[code lang="js"]central.push({ 'var1': 'INJECT_HERE' });[/code]
After some attempts I was unable to find one, so I called for help 🙂
@soaj1664ashar 10 char fun: '-open()-'
This makes valid JavaScript:
[code lang="js"]central.push({ 'var1': ''-open()-'' });[/code]
This XSS vector only opens a new tab/window, but in my client's case it was stored in a cookie, so it was a pain in the ass to close a window each time he navigated in his web application.
Nice catch!
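As an added example (not code from the original post or from the client's application), this Node.js sketch renders the `central.push` statement above twice, once with only the 10-character cap and once with JavaScript string escaping, and runs both against stubs to show which one keeps the value as data. The names `renderTruncated`, `jsStringEscape`, `renderEscaped` and `evaluate`, and the stubbed `central` and `open`, are assumptions made for the illustration.

```javascript
// Added example. The statement shape and the 10-character value come from the
// post; function names and the stubbed central/open objects are hypothetical.
const PAGE_VALUE = "'-open()-'"; // exactly 10 characters

// Weak control: cap the length, then concatenate into a single-quoted JS string.
function renderTruncated(value) {
  return "central.push({ 'var1': '" + String(value).slice(0, 10) + "' });";
}

// Context-aware control: every UTF-16 code unit outside [A-Za-z0-9] becomes a
// \uXXXX escape, so quotes, backslashes, line breaks and "<" (as in </script>)
// cannot terminate the string literal or the surrounding script block.
function jsStringEscape(value) {
  let out = '';
  const s = String(value);
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    out += /[A-Za-z0-9]/.test(ch)
      ? ch
      : '\\u' + s.charCodeAt(i).toString(16).padStart(4, '0');
  }
  return out;
}

function renderEscaped(value) {
  return "central.push({ 'var1': '" + jsStringEscape(value) + "' });";
}

// Runs a rendered statement against stubs and reports whether open() was
// reached and what ended up stored in var1.
function evaluate(rendered) {
  const pushed = [];
  let openCalls = 0;
  const central = { push: (obj) => pushed.push(obj) };
  const open = () => { openCalls += 1; return 0; };
  new Function('central', 'open', rendered)(central, open);
  return { openCalls, var1: pushed[0].var1 };
}

console.log(evaluate(renderTruncated(PAGE_VALUE)));
console.log(evaluate(renderEscaped(PAGE_VALUE)));
```

With the length cap alone the stubbed `open` is called once and `var1` ends up as a number; with escaping `open` is never reached and `var1` holds the original 10 characters unchanged.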