====== Hacking - Exploiting XSS with 20 characters limitation ======

**Cross-Site Scripting (XSS)** is one of the most common vulnerabilities found during a web penetration test. However, depending on the injection point, a character-length limitation may be encountered. In this post, Unicode compatibility is used to exploit some XSS vulnerabilities despite such a limit.

----

===== Unicode compatibility =====

In **Unicode equivalence**, some sequences of code points represent essentially the same character. This feature was introduced in the standard to allow compatibility with pre-existing standard character sets. Unicode provides two ways of handling this: **canonical equivalence** and **compatibility**.

  * **Canonical equivalence**: Code point sequences are assumed to have the same appearance and meaning when printed or displayed. For example, n + ◌̃ = ñ.
  * **Compatible equivalence**: Code point sequences are assumed to have possibly distinct appearances, but the same meaning in some contexts. For example, the ligature character ﬀ (U+FB00) is compatibility-equivalent to the two letters ff.

----

===== 20 length limitation problem =====

Therefore, suppose a length limitation is set on the payload, and we confirm JavaScript execution with a 20-character payload like this:

But this is harmless, because we can only pop an alert, without showing the impact behind an XSS. **Loading an external JavaScript** would be perfect and would give us more flexibility to prepare a more complex attack.
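As an added example (not code from the original post), the following Python snippet shows the two equivalences described in the Unicode compatibility section and why a length limit is only meaningful if it is enforced on the normalized form: a 20-code-point input built from compatibility ligatures (a constructed sample) passes a raw-length check but grows to 30 characters once NFKC normalization is applied downstream.

```python
import unicodedata


def canonical(s: str) -> str:
    """Canonical equivalence: NFC composes n + U+0303 (combining tilde) into ñ (U+00F1)."""
    return unicodedata.normalize("NFC", s)


def compatible(s: str) -> str:
    """Compatible equivalence: NFKC maps the ligature U+FB00 to the two letters 'ff'."""
    return unicodedata.normalize("NFKC", s)


def expansion(s: str):
    """Length in code points before and after NFKC normalization.

    The two differ whenever the input contains compatibility characters
    that normalize to more than one code point.
    """
    return len(s), len(compatible(s))


def accepts_before_normalization(s: str, limit: int = 20) -> bool:
    """Weak check: the limit is enforced on the raw input, before any
    normalization a downstream component may apply."""
    return len(s) <= limit


def accepts_after_normalization(s: str, limit: int = 20) -> bool:
    """Safer check: normalize with the same form the consumer will use,
    then enforce the limit on the result."""
    return len(compatible(s)) <= limit


# Constructed sample: 20 code points, 10 plain letters plus 10 ligatures.
SAMPLE = "x" * 10 + "\ufb00" * 10

if __name__ == "__main__":
    print(canonical("n\u0303") == "\u00f1")          # True
    print(compatible("\ufb00"))                      # ff
    print(expansion(SAMPLE))                         # (20, 30)
    print(accepts_before_normalization(SAMPLE))      # True
    print(accepts_after_normalization(SAMPLE))       # False
```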