A small XSS worm contest run by RSnake

[url]http://sla.ckers.org/forum/read.php?2,18790,18823#msg-18823[/url]



Posted by: rsnake

Date: January 04, 2008 04:54AM



Okay folks, new small challenge - no prize, just an exercise in programming skill and because I want to see the results. After reading over the XSS worm thread I got to thinking. We haven't, to my knowledge, ever had a diminutive worm writing contest. We've done it for JS injection and for pulling in remote JS but not for worms. You can submit your code to this thread directly (I'd prefer it actually so that others can benefit from what you've done). If that's for some reason not acceptable, send me your code directly and we can figure something out. Either way the winner's code must be posted in this thread. Actual cutoff to submit is Thursday the 10th of January at 7PM GMT.

So here's the contest. The code...

1) must reside in UTF-8 or ISO-8859-1 encoding (nothing exotic please)
2) must self replicate the entire payload to a page called "post.php" as a parameter called "content" on the same domain (must be POSTed to that URL, no GETs please). We'll assume post.php will properly URL unescape your code.
3) must not grow in size after propagation (if your code starts off as n bytes, it must not grow to n+x). We will assume content will get rejected by post.php if it grows beyond n bytes.
4) must run as written (not just a parameter injection - we can infer how to turn it into a parameter injection later)
5) must not use anything from cookie or GET parameter space - every line of your code must reside on the page itself (mimicking stored XSS)
6) must not use knowledge of the DOM unless you name a class or an id and use the class or id. No looking for the n-th script on the page as that will change from site to site.
7) must work in at least Internet Explorer 7.0 and Firefox 2.x
8) must have a payload of "XSS" in an alert box
9) must work in at least Apache 1.3+ and 2+ (considering the dominance in webserver market).
10) must require no user interaction or user interaction that happens on every single page without the user thinking about it (eg: mousing over anywhere in the body of a page)

The fewest bytes to run your code wins. To win the contest, your code must be the most diminutive. That is, the smallest amount of actual characters wins. Similar to the diminutive PERL contests and diminutive munitions contest, e.g.: [url]www.cypherspace.org[/url]. I'll write a post about the code when we have a winner.

Contest ends a week from now (Thursday the 10th of January at 7PM GMT). You can submit them within this thread (I'd prefer it actually so that others can benefit from what you've done). If that's for some reason not acceptable, send me your code directly and we can figure something out. Either way the winner's code must be posted in this thread. If you aren't sure about the rules or want me to look at your code first to make sure you haven't broken any rules, you can email it to me ahead of time - I won't give advice, other than to clarify how any rules have been broken. Have fun guys!

Original post about this contest was here for those who want more information.

- RSnake
Gotta love it. [url]http://ha.ckers.org[/url]