While testing an app, a text field on one of the pages, was not accepting more than 20 characters (server side validation). I inserted following piece of code to check XSS (From RSnake’s XSS cheat sheet):
and verified the HTML source for
<XSS . As
<XSS was in the HTML source, the input field was missing output encoding and was vulnerable to cross site scripting.
I was now aiming to get a popup. Only thing was I was used to alert(1) and here I needed a smaller script. I tried to create/find some script which is less than or equal to 20 characters but I was unable to find anything. At that point of time, a random thought came to my mind that, what could be the smallest payload to pop up an alert. I asked this question in IT Security stack-exchange forum. I was also able to make a few payloads myself. Here are those payloads as well as the payload from one of the answer.
Update (7th March, 2019)- This is a very old post and may be obsolete now. I guess as someone replied to that question in 2017, following may be the smallest payload to pop up an alert now. I need to check.