|
|
|
|
|
|
by AntonyGarand
1877 days ago
|
|
|
I assume he means the size of the payload remains technically below 32 while the "real" code is larger due to evaluating location.hash.
`eval(location.hash.substring(1))` is 32 characters, but the hash itself can be few kilobytes I used this to merge two tixies a while back, and execute an XSS as proof of concept [0] [0] https://twitter.com/AntoGarand/status/1327101941760086017 |
|
|