
Yeah, I read the article and just now went back and read the Minimal Viable XSS article linked as well. I am also rather puzzled.

This seems to be only useful if you manage to find a website with an XSS flaw and one that also limits the input to 20 characters? Are these situations really common enough to warrant this attack? It all seems rather arbitrary to me.




I'm a rather amateur bug hunter but, yes, some sites do use string length limitations as a way of filtering out dodgy code.

They shouldn't - but they do.

(See https://www.openbugbounty.org/researchers/edent/)



