I think an attacker needs at least a 66-character #XSS vector to move the victim's session cookie(s) to his domain. CAN YOU THINK OF A SMALLER VECTOR?
Replying to @soaj1664ashar
@soaj1664ashar http://jsfiddle.net/EkcQ9/ 33 if you don't count domain name
8:25 AM - 11 Jun 2013
0 replies
0 retweets
2 likes