Diminutive XSS Worm Contest and Interesting Vectors
The Diminutive XSS Worm Replication Contest is set to wrap up tomorrow, January 10th at 7PM GMT. The goal is to develop a cross-browser XSS worm in the fewest bytes (subject to certain rules). It is part academic exercise, part bragging rights contest. It hasn't been without controversy.
I've been following the results in the sl.ackers.org forums, and some very intriguing entries have been posted. Basically, two primary vectors have emerged:
- Using iframe or img with either onload or onerror event handlers to post a form.
- Using XMLHttpRequest to post the content.
The XMLHttpRequest approach is interesting because it allows for silent submissions, but there appear to be issues with setting the content-type correctly and with URL escaping.
There has been heavy use of innerHTML to create self-referencing code. Both Internet Explorer and Mozilla Firefox close open tags when content is read back through innerHTML. This behaviour causes the content to expand when it is submitted. But contest rule #3 states that the content cannot grow during propagation, which has led to the use of the slice method to trim the closing tags. For example,
var p = document.createElement("p");
alert(p.innerHTML = "<a><b><i>"); // <a><b><i>
alert(p.innerHTML); // <a><b><i></i></b></a>
alert(p.innerHTML.slice(0,9)); // <a><b><i>
In my opinion, the growth rule is where the contest may have drifted off course. I can understand not wanting exponential growth, but fixed growth after initial propagation is not necessarily bad - some mutation of worm code can even be desirable. But the rules are the rules, so there isn't much room to quibble.
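To make the tag-closing behaviour and the slice trim above concrete, and to show the fixed (rather than exponential) growth just mentioned, here is an added example that is not part of the original post or any contest entry. It is a simplified model of the browser's innerHTML serializer, not a real DOM, and the function names are my own.

```javascript
// Added example, not code from the original post or the contest entries: a small
// model of the tag-closing browsers apply when serializing innerHTML, plus the
// slice() trim that keeps a self-referencing fragment at a fixed size. The
// serializer is an approximation of browser behaviour for simple markup only.
const VOID_TAGS = new Set(["area", "base", "br", "col", "embed", "hr", "img",
  "input", "link", "meta", "source", "track", "wbr"]);

// Models `el.innerHTML = html; return el.innerHTML;` for simple tag soup:
// every non-void element still open at the end gets a closing tag appended.
function serializeLikeInnerHTML(html) {
  const open = [];   // stack of element names not yet closed
  let out = "";
  const tokenRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>|[^<]+/g;
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    const tok = m[0];
    if (tok[0] !== "<") { out += tok; continue; }   // text node, copied as is
    const name = m[1].toLowerCase();
    if (tok[1] === "/") {
      const idx = open.lastIndexOf(name);
      if (idx === -1) continue;                     // stray closing tag is dropped
      while (open.length > idx) out += `</${open.pop()}>`;
    } else {
      out += tok;
      if (!VOID_TAGS.has(name)) open.push(name);
    }
  }
  while (open.length) out += `</${open.pop()}>`;   // the growth the post describes
  return out;
}

// One propagation hop: re-read the fragment through innerHTML and, when `trim`
// is set, cut it back to its original length with slice(), as the entries do.
function propagate(fragment, originalLength, trim) {
  const out = serializeLikeInnerHTML(fragment);
  return trim ? out.slice(0, originalLength) : out;
}

// Length of the fragment after each of `hops` hops, starting with hop 0.
// Without the trim the size jumps once and then stays put (fixed growth, not
// exponential); with the trim it never changes, which is what rule #3 demands.
function lengthsOverHops(fragment, hops, trim) {
  const lengths = [fragment.length];
  let cur = fragment;
  for (let i = 0; i < hops; i++) {
    cur = propagate(cur, fragment.length, trim);
    lengths.push(cur.length);
  }
  return lengths;
}
```

Running `lengthsOverHops("<a><b><i>", 3, false)` gives 9 then 21 on every later hop, while the trimmed variant stays at 9 throughout.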
On a related note, Gareth Heyes has posted some interesting DOM-based vectors that incorporate some of the findings from the contest.
All in all, some very exciting work.