5 char XSS?

by Kristian Erik Hermansen

Just been noticing all the talk about Obama and Clinton sites and how
the media keeps making a big deal out of all these XSS vulns, heh.
However, I have a rather technical question about what, if anything,
you can do when you have such a small buffer to exploit XSS?  Check
out this one I found, which is not listed by xssed.com for
hillaryclinton.com.  You only get 5 chars to inject.  So, are there
any tricks that could possibly be used to expand the limitation via
perhaps some unicode kung-fu here?  Dunno, but thought it might be
interesting to bring up because this is a common scenario in zip code
search fields.  The fix for Clinton is as simple as whitelisting the
input field set to [0-9]...

http://www.hillaryclinton.com/actioncenter/event/?mt=0&d=250&z=%22%3EXSS&s=z&EventSearchAndResults%3A_ctl0.x=0&EventSearchAndResults%3A_ctl0.y=0

Regards,
--
Kristian Erik Hermansen
--
"Clever ones don't want the future told. They make it."
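
As an added example (not code from the post or from the site it names), here is the zip-code reflection described above written out as a handler, beside the [0-9] whitelist fix the post recommends. The template, the parameter name `z` and the five-character truncation are modelled on the URL in the post but are assumptions.

```javascript
// Added example, not from the original thread. A zip-code search handler that
// reflects the "z" parameter into an <input> value attribute. The template,
// the parameter name and the 5-character truncation are assumptions modelled
// on the URL in the post; the HTML here is constructed for the example.

// Vulnerable: truncates to 5 characters (the budget the post describes) but
// reflects the raw value, so a quote and a '>' break out of the attribute.
function renderVulnerable(z) {
  const zip = String(z).slice(0, 5);
  return `<input type="text" name="z" value="${zip}">`;
}

// Hardened: whitelist the field to exactly five ASCII digits, as the post
// suggests, and still HTML-escape on output so a later template change
// cannot reintroduce the bug.
const ZIP_RE = /^[0-9]{5}$/;

function isValidZip(z) {
  return ZIP_RE.test(String(z));
}

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderHardened(z) {
  // Reject anything that is not a zip code instead of trying to "clean" it.
  const zip = isValidZip(z) ? String(z) : "";
  return `<input type="text" name="z" value="${escapeHtml(zip)}">`;
}

// The payload from the post's URL: %22%3EXSS decodes to ">XSS (5 characters).
const payload = decodeURIComponent("%22%3EXSS");

console.log(renderVulnerable(payload));
// <input type="text" name="z" value="">XSS">   attribute closed early, markup corrupted
console.log(renderHardened(payload));
// <input type="text" name="z" value="">        rejected, nothing reflected
console.log(renderHardened("02134"));
// <input type="text" name="z" value="02134">
```

Rejecting on the whitelist is the fix the post names; the output escaping is there so that the five-character budget never again decides what a user can write into the page.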

Re: 5 char XSS?

by Serg B

Am I the only one who sees the irony of an XSS related email/question
and example URLs to click? Heh.

   Serg


On Thu, Apr 24, 2008 at 9:36 AM, Kristian Erik Hermansen
<kristian.hermansen@...> wrote:

> Just been noticing all the talk about Obama and Clinton sites and how
> the media keeps making a big deal out of all these XSS vulns, heh.
> However, I have a rather technical question about what, if anything,
> you can do when you have such a small buffer to exploit XSS?  Check
> out this one I found, which is not listed by xssed.com for
> hillaryclinton.com.  You only get 5 chars to inject.  So, are there
> any tricks that could possibly be used to expand the limitation via
> perhaps some unicode kung-fu here?  Dunno, but thought it might be
> interesting to bring up because this is a common scenario in zip code
> search fields.  The fix for Clinton is as simple as whitelisting the
> input field set to [0-9]...
>
>  http://www.hillaryclinton.com/actioncenter/event/?mt=0&d=250&z=%22%3EXSS&s=z&EventSearchAndResults%3A_ctl0.x=0&EventSearchAndResults%3A_ctl0.y=0
>
>  Regards,
>  --
>  Kristian Erik Hermansen
>  --
>  "Clever ones don't want the future told. They make it."
>

Re: 5 char XSS?

by Kristian Erik Hermansen

Yes, you make a good point :-). However, the purpose of the email was
that we can't inject anything useful in 5 chars, so the XSS I posted
merely corrupts the page a little, and does not execute any scripts on
you.  Honest!  Go click the links and see ... Hehe



On 4/26/08, Serg B <sergeslists@...> wrote:

> Am I the only one who sees the irony of an XSS related email/question
> and example URLs to click? Heh.
>
>    Serg
>

--
Sent from Gmail for mobile | mobile.google.com

Kristian Erik Hermansen
--
"Clever ones don't want the future told. They make it."

Re: 5 char XSS?

by kuza55

While this doesn't seem to apply to this particular bug, usually if
you have a short unfiltered injection then your best bet is to look
for a filtered injection later in the page and do a fragmentation
attack in 5 chars like this: (the </b=" is your unfiltered injection;
if they use " for quotes, you would use </b=' instead; if they use
both ' and " you could use </b=` but that would only work in IE)

<html>
<body>
<b/="

test" onmouseover=alert(1)

some other junk which is already on the page including another tag
such as a <div>div</div>
</body>
</html>

You'd probably want to use a style attribute with your filtered
injection rather than event handler but I'm sure you don't need my
help for that.

 - kuza55

2008/4/26 Kristian Erik Hermansen <kristian.hermansen@...>:

> Yes, you make a good point :-). However, the purpose of the email was
>  that we can't inject anything useful in 5 chars, so the XSS I posted
>  merely corrupts the page a little, and does not execute any scripts on
>  you.  Honest!  Go click the links and see ... Hehe
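
An added example, not part of kuza55's post: a small tokenizer that follows the HTML5 tag-open, tag-name and attribute states, run over a constructed page with the two reflection points he describes (a short unfiltered one, then a later one that strips `<` and `>` but lets quotes through, with other markup in between). The page layout, the `stripAngles` filter and the `budget` parameter are assumptions. The short injection here is `<b x="` (six characters): under the HTML5 tokenizer rules this code implements, the five-character `<b/="` from the post makes `=` begin an attribute name rather than a quoted value, so the next `>` ends the tag and the second injection lands in text; whether browsers of 2008 parsed it differently is not something this example tests.

```javascript
// Added example, not from the original thread. Minimal tokenizer following the
// HTML5 tag-open / tag-name / attribute states, enough to see which attributes
// end up on each tag when two reflection points are combined.
const WS = /[\t\n\f \r]/;
const LETTER = /[A-Za-z]/;

function tokenizeTags(html) {
  const tags = [];
  let state = "data", tag = null, attr = null, i = 0;
  const emit = () => { tags.push(tag); tag = null; state = "data"; };
  const startAttr = (name) => { attr = { name, value: "" }; tag.attrs.push(attr); state = "attrName"; };

  while (i < html.length) {
    const c = html[i];
    let reconsume = false;
    switch (state) {
      case "data":
        if (c === "<") state = "tagOpen";
        break;
      case "tagOpen":
        if (c === "/") state = "endTagOpen";
        else if (LETTER.test(c)) { tag = { name: "", attrs: [], end: false }; state = "tagName"; reconsume = true; }
        else if (c === "!" || c === "?") state = "bogus";       // comment / doctype: skip to '>'
        else { state = "data"; reconsume = true; }
        break;
      case "endTagOpen":
        if (LETTER.test(c)) { tag = { name: "", attrs: [], end: true }; state = "tagName"; reconsume = true; }
        else state = c === ">" ? "data" : "bogus";
        break;
      case "bogus":
        if (c === ">") state = "data";
        break;
      case "tagName":
        if (WS.test(c)) state = "beforeAttrName";
        else if (c === "/") state = "selfClosing";
        else if (c === ">") emit();
        else tag.name += c.toLowerCase();
        break;
      case "selfClosing":
        if (c === ">") emit();
        else { state = "beforeAttrName"; reconsume = true; }   // '/' not followed by '>' is dropped
        break;
      case "beforeAttrName":
        if (WS.test(c)) break;
        if (c === "/" || c === ">") { state = "afterAttrName"; reconsume = true; }
        else if (c === "=") startAttr("=");                     // '=' here begins an attribute *name*
        else { startAttr(""); reconsume = true; }
        break;
      case "attrName":
        if (WS.test(c) || c === "/" || c === ">") { state = "afterAttrName"; reconsume = true; }
        else if (c === "=") state = "beforeAttrValue";
        else attr.name += c.toLowerCase();                      // '"', "'" and '<' stay in the name
        break;
      case "afterAttrName":
        if (WS.test(c)) break;
        if (c === "/") state = "selfClosing";
        else if (c === "=") state = "beforeAttrValue";
        else if (c === ">") emit();
        else { startAttr(""); reconsume = true; }
        break;
      case "beforeAttrValue":
        if (WS.test(c)) break;
        if (c === '"') state = "valueDQ";
        else if (c === "'") state = "valueSQ";
        else if (c === ">") emit();
        else { state = "valueUnquoted"; reconsume = true; }
        break;
      case "valueDQ":   // everything up to the next '"' is the value, '>' and tags included
        if (c === '"') state = "afterValueQuoted"; else attr.value += c;
        break;
      case "valueSQ":   // same with "'", which is why the quote char is chosen to match the page
        if (c === "'") state = "afterValueQuoted"; else attr.value += c;
        break;
      case "valueUnquoted":
        if (WS.test(c)) state = "beforeAttrName";
        else if (c === ">") emit();
        else attr.value += c;
        break;
      case "afterValueQuoted":
        if (WS.test(c)) state = "beforeAttrName";
        else if (c === "/") state = "selfClosing";
        else if (c === ">") emit();
        else { state = "beforeAttrName"; reconsume = true; }
        break;
    }
    if (!reconsume) i++;
  }
  // EOF inside a tag: HTML5 emits nothing for it, so a still-open tag is dropped.
  return tags.map((t) => ({ name: t.name, end: t.end, attrs: firstWins(t.attrs) }));
}

// HTML5 keeps the first occurrence of a duplicated attribute name.
function firstWins(attrs) {
  const out = {};
  for (const a of attrs) if (!Object.prototype.hasOwnProperty.call(out, a.name)) out[a.name] = a.value;
  return out;
}

// Constructed page (an assumption, not the real site): a short unfiltered
// reflection truncated to `budget` chars, then a later reflection that strips
// < and > but lets quotes through, with other markup in between.
function stripAngles(s) { return s.replace(/[<>]/g, ""); }

function renderPage(shortInput, longInput, budget) {
  return "<html><body>\n<p>Results for " + shortInput.slice(0, budget) + "</p>\n" +
    "<p>You searched for:\n" + stripAngles(longInput) + "\n</p>\n" +
    "<div>some other junk already on the page</div>\n</body></html>";
}

// First event-handler attribute on a start tag, or null if none ends up on one.
function findHandler(html) {
  for (const t of tokenizeTags(html)) {
    if (t.end) continue;                                       // attributes on end tags are ignored
    for (const [k, v] of Object.entries(t.attrs)) if (k.startsWith("on")) return { tag: t.name, attr: k, value: v };
  }
  return null;
}

const SECOND = 'test" onmouseover=alert(1)';                  // the later, filtered reflection
console.log(findHandler(renderPage('<b x="', SECOND, 6)));    // { tag: 'b', attr: 'onmouseover', value: 'alert(1)' }
console.log(findHandler(renderPage('<b/="', SECOND, 5)));     // null: '=' starts a name, the '</p>' closes the tag
console.log(findHandler(renderPage("02134", SECOND, 5)));     // null: the filtered point alone is harmless
```

The `valueDQ` state is the whole trick: once the short injection opens a double-quoted value, every `>` and tag up to the next `"` is attribute data, and the first `"` the attacker controls (in the filtered reflection) closes it and leaves `onmouseover=alert(1)` as an attribute of the injected `<b>`. That is also why the quote character must be one that does not occur in the swallowed markup, which is the `"` versus `'` choice the post describes.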