Here's a fun little game for all the family! What is the minimum number of characters required to perform a successful XSS attack?
Let's take an entirely theoretical example - suppose we have a site which echos back user input without sanitising it. So a search for "
<em>" turns the whole page italic.
But wait, young grasshopper, for there is a fly in the ointment. What if the developer of the site saw fit to restrict the number of characters echoed back to a mere 20? (Note, this limitation isn't set by a
maxlength attribute, but rather a server-side limitation.)
Is that enough for mischief?
That's not even enough to make an annoying pop-up!
How about an iFrame? Load up something dastardly!
Hmmm... We can use protocol-relative addresses to save us from having to use "http:"
Normally, that wouldn't be enough to do anything with.
Suppose we control a really short domain name like
Aha! Success. Just about. There are an extremely limited number of 4 character domains available - so this is an incredibly unlikely attack vector.
Perhaps we can load a script from an external resource?
Ooof! Again, just about possible if we control a minuscule domain.
If we can send a malicious payload to the user, perhaps via an image, could that work?
The maximum we can use is something like
So, if we contained a short domain, and were able to host (or redirect to) a malicious file, there's a slim chance of success.
I hope that I have demonstrated two things.
- If you have the resources to own a short domain, it is just about possible to craft an XSS in 20 characters.
- Reducing the number of characters your site echos back is not a sensible way to filter out attacks!
Here endeth the lesson.
I contacted the Ashmolean in January regarding this flaw. It was fixed in early March.