Minimum Viable XSS

Here's a fun little game for all the family! What is the minimum number of characters required to perform a successful XSS attack?

Let's take an entirely theoretical example - suppose we have a site which echos back user input without sanitising it. So a search for " <em>" turns the whole page italic.
ashmolean em-fs8

A hacker might think, "Hurrah! Now I can directly inject JavaScript into the page. MWAHAHAHA!"

But wait, young grasshopper, for there is a fly in the ointment. What if the developer of the site saw fit to restrict the number of characters echoed back to a mere 20? (Note, this limitation isn't set by a maxlength attribute, but rather a server-side limitation.)
Ashmolean 20 chars-fs8
Is that enough for mischief?

20 characters of JavaScript gets us

That's not even enough to make an annoying pop-up!

How about an iFrame? Load up something dastardly!
<iframe src="http://

Hmmm... We can use protocol-relative addresses to save us from having to use "http:"
<iframe src=//
asmolean iframe broken-fs8
Normally, that wouldn't be enough to do anything with.

Suppose we control a really short domain name like
ashmolean iframe work-fs8

Aha! Success. Just about. There are an extremely limited number of 4 character domains available - so this is an incredibly unlikely attack vector.

Perhaps we can load a script from an external resource?

<script src=//>

Ooof! Again, just about possible if we control a minuscule domain.

If we can send a malicious payload to the user, perhaps via an image, could that work?

The maximum we can use is something like
<img src=//a.bc/123>.

So, if we contained a short domain, and were able to host (or redirect to) a malicious file, there's a slim chance of success.

A few people have attempted to find what the Minimum Viable XSS is. The general consensus is that it would take more than 20 characters.

I hope that I have demonstrated two things.

  1. If you have the resources to own a short domain, it is just about possible to craft an XSS in 20 characters.
  2. Reducing the number of characters your site echos back is not a sensible way to filter out attacks!

Here endeth the lesson.

Responsible Disclosure

I contacted the Ashmolean in January regarding this flaw. It was fixed in early March.

Support this blog

Enjoyed this blog post? You can say thanks to the author in the following ways:

Donate to charity
Give to charity.
Buy me a birthday present
Amazon Wishlist
Get me a coffee
Donate on Ko-Fi.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.