XSS Filters: Beating Length Limits Using Spanned Payloads
A powerful technique for beating length limits is to span an attack payload across several locations where user-controllable input is reflected into the same returned page: each location holds only a fragment that fits the limit, and the fragments join up in the rendered HTML.
The example uses Hackxor, a web application hacking game.
Consider the following form. Clicking the 'Submit data' button returns a page containing the following:
<input type='hidden' id='hash' name='hash' type='text' value=''>
<input name='text' id='text' value='aaaa'>
<input id='img' name='img' type='text' value='bbbb'>
<input id='sound' name='sound' type='text' value='cccc'>
We can see our input reflected. Additionally, the hidden input field hash is reflected in the response.
However, each input field is limited to 10 characters, so a payload that does not fit is truncated.
We have used a single-line JavaScript comment (//) to remove the page source between the img and sound inputs, so the markup between the two reflections is ignored. This leaves room for the closing ten-byte fragment, ;</script>, in the sound field.
Finally, we can reload the page in our browser to confirm that our payload fires.
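The following is an added example, not code from the original page or from Hackxor, written from the defender's side: it shows that a per-field length limit does nothing against a spanned payload, and that attribute-encoding every reflected value on output is what keeps each fragment inside its own attribute. The template, the fragments, and the function names are constructed assumptions; whether a given set of fragments actually executes depends on the real markup between the fields, so the check below only asks whether any reflection escaped its attribute.

```python
import html
from html.parser import HTMLParser

LIMIT = 10  # the page's per-field length limit

# Constructed template mirroring the page's form (assumption: rendered as one line).
TEMPLATE = (
    "<input type='hidden' id='hash' name='hash' value='{hash}'>"
    "<input name='text' id='text' value='{text}'>"
    "<input id='img' name='img' type='text' value='{img}'>"
    "<input id='sound' name='sound' type='text' value='{sound}'>"
)
FIELDS = ("hash", "text", "img", "sound")

def render_vulnerable(fields):
    """Enforces the length limit but reflects each value raw (the bug)."""
    return TEMPLATE.format(**{k: fields.get(k, "")[:LIMIT] for k in FIELDS})

def render_hardened(fields):
    """Same length limit; every value is attribute-encoded on output."""
    return TEMPLATE.format(
        **{k: html.escape(fields.get(k, "")[:LIMIT], quote=True) for k in FIELDS})

class _Audit(HTMLParser):
    """Records input values and script elements as a browser would parse them."""
    def __init__(self):
        super().__init__()
        self.inputs, self.scripts = {}, 0
    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            self.inputs[a.get("name")] = a.get("value", "")
        elif tag == "script":
            self.scripts += 1

def audit(page):
    """Returns (input name -> parsed value, number of script elements)."""
    p = _Audit()
    p.feed(page)
    p.close()
    return p.inputs, p.scripts

def reflection_is_contained(fields, page):
    """True only if no script appeared and every value is still inside its attribute."""
    inputs, scripts = audit(page)
    return scripts == 0 and all(inputs.get(k) == fields.get(k, "")[:LIMIT] for k in FIELDS)

# Constructed fragments: each fits the limit on its own; the first closes the
# attribute and opens a script tag, the last is the page's ;</script> fragment.
SPANNED = {"hash": "", "text": "'><script>", "img": "alert(1)//", "sound": ";</script>"}
```

Running reflection_is_contained against both renderers shows the vulnerable one losing the later inputs to a script element while the hardened one keeps all four values intact.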