alert(document.cookie) with 7 characters, using HPP and automatic entity decoding
PoC (IE 8/9): http://tr3w.net/misc/challenges/ch2.php/?w=URL=URL&w=innerHTML=URL#<img src=x onerror=alert(cookie)>
The trick is: hover the <h1> two times instead of one time (&w are GET parameters). The first time, URL is replaced by URL itself - and IE then decodes the entity.
Remember Stefano's, Yosuke's and Gareth's Twitter XSS?
Same effect. As soon as entities in the URL appear, and a URL assignment happens, the browser decodes them.
Then the GET parameter w of course appears twice, and the second one overwrites the first one. Now hovering the headline causes the actual payload to execute - and alert the cookie. All of that is triggered by URL=URL as the content of the onmouseover attribute. Seven chars, mission accomplished.
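As an added example (not code from the original write-up or the challenge), the Python below models the two hovers: PHP-style query parsing where the last duplicate of a parameter wins, the entity decoding the post attributes to IE's URL self-assignment, and a `duplicate_params` check a server can use to flag parameter pollution. It assumes the un-rendered PoC carried the second `w` behind an `&amp;` entity, so that only one `w` exists until the entity is decoded.

```python
import html
from urllib.parse import unquote_plus

# Constructed PoC for this example; '&amp;' before the second w is an assumption
# (the rendered write-up shows the separator already decoded to '&').
POC = ("http://tr3w.net/misc/challenges/ch2.php/?w=URL=URL&amp;w=innerHTML=URL"
       "#<img src=x onerror=alert(cookie)>")


def php_get_params(url):
    """Parse the query string the way PHP fills $_GET: split on '&', then on
    the first '=', url-decode both halves; a repeated name keeps the LAST value."""
    query = url.split("#", 1)[0].partition("?")[2]   # fragment never reaches the server
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params[unquote_plus(name)] = unquote_plus(value)
    return params


def duplicate_params(url):
    """HPP check: names that occur more than once in the query string."""
    query = url.split("#", 1)[0].partition("?")[2]
    counts = {}
    for pair in query.split("&"):
        if pair:
            name = unquote_plus(pair.partition("=")[0])
            counts[name] = counts.get(name, 0) + 1
    return sorted(n for n, c in counts.items() if c > 1)


def decode_entities_like_ie(url):
    """Model of the behaviour the write-up describes for IE 8/9: when the page
    assigns its own URL (URL=URL), entity references in it are decoded."""
    return html.unescape(url)


def trace(url):
    """What onmouseover holds on the first request, then after the first hover
    re-navigates to the decoded URL, plus the polluted names on that second request."""
    first_w = php_get_params(url).get("w")
    decoded = decode_entities_like_ie(url)
    second_w = php_get_params(decoded).get("w")
    return first_w, second_w, duplicate_params(decoded)


if __name__ == "__main__":
    print(trace(POC))   # ('URL=URL', 'innerHTML=URL', ['w'])
```

Rejecting or logging any request where `duplicate_params` is non-empty, and never reflecting a parameter into an event-handler attribute, closes both halves of the chain.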