XSS with length restriction
December 2, 2018
Let’s assume our payload is being placed inside the href attribute of an anchor tag and we are limited to 32 characters.
The window.name property can be assigned anything and is also inherited cross-origin. This gives us an advantage and lets us execute our payload without any length limitation, unless the page rewrites its name property itself.
script tag. This, however, requires jQuery already loaded in the vulnerable page.
5. Use of existing elements and/or properties
If a page stores the hash like
const hash = document.location.hash;
we could use it to load an external script like
- Other libraries
- Uses of various selectors
- Use of DOM properties, mutation (image id, for example)
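The pattern in section 5, where a page takes document.location.hash and turns it straight into a script source, is shown below next to a hardened version, together with a scheme check for the href case from the start of the post. This is an added example written for this page, not code from the original post; the module allowlist, the paths in it, and the example.invalid base URL are constructed placeholders.

```javascript
// Added example, not from the original post. Shows the unsafe "hash becomes
// script src" pattern the post describes and a hardened alternative that
// resolves the hash against an allowlist instead of using it as a URL.
// Both are written as pure functions that return the resulting src/href
// string so the behaviour can be checked without a DOM.

// Unsafe pattern: whatever follows '#' is used directly as the script URL,
// so the fragment (attacker-influenced, never sent to the server) decides
// which script runs.
function scriptSrcFromHashUnsafe(hash) {
  return hash.slice(1);
}

// Hardened pattern: the fragment is only a lookup key into a fixed map of
// known modules (constructed placeholder paths). Anything not in the map,
// or containing characters outside the expected key alphabet, yields null
// and the caller loads nothing.
const ALLOWED_MODULES = new Map([
  ["home", "/static/js/home.js"],
  ["profile", "/static/js/profile.js"],
]);

function scriptSrcFromHashSafe(hash) {
  const key = hash.startsWith("#") ? hash.slice(1) : hash;
  if (!/^[a-z]+$/.test(key)) return null;        // reject anything URL-like
  return ALLOWED_MODULES.get(key) || null;       // reject unknown modules
}

// For attacker-influenced href values: parse with the URL API and only keep
// http(s) targets; any other scheme is replaced by an inert "#".
// "https://example.invalid/" is a constructed base used to resolve relative paths.
function safeHref(input) {
  let url;
  try {
    url = new URL(input, "https://example.invalid/");
  } catch (e) {
    return "#";                                   // unparseable input
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return "#";
  return url.href;
}

// Usage: resolve the current page's hash to a script, if any.
function moduleForCurrentPage(hash) {
  const src = scriptSrcFromHashSafe(hash);
  return src === null ? "no module loaded" : "load " + src;
}
```

The unsafe function exists only to make the contrast visible; the point of the hardened variant is that the fragment never reaches a URL at all, which also removes the need to reason about how short a payload can be.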
;q at the end of each payload like
There’s now a collection of “impossible” labs created by PortSwigger which also involves XSS with length restrictions: https://portswigger.net/research/documenting-the-impossible-unexploitable-xss-labs