Paid Advertising
web application security lab

Diminutive XSS Worm Replication Contest

For those of you who are familiar with the RSA diminutive munitions project from ages ago, back when it was illegal to export certain crypto systems, and the diminutive PERL contests I’ve enacted a similar contest to write a diminutive self replicating XSS worm (with a non-dangerous payload).

The diminutive XSS worm replication contest is a week long contest to get some good samples of the smallest amount of code necessary for XSS worm propagation. I’m not interested in payloads for this contest, but rather, the actual methods of propagation themselves. We’ve seen the live worm code and all of it is muddied by obfuscation, individual site issues, and the payload itself. I’d rather think cleanly about the most efficient method for propagation where every character matters.

digi7al64 has already posted a sample piece of code, setting the baseline. His code is an impressively small 292 characters. There’s no prize here, however, I will definitely be talking about the winner’s code. The winner will be announced on the 10th after all submissions are in and posted. Visit the thread for more details. This should be interesting for anyone looking at worm propagation issues!

8 Responses to “Diminutive XSS Worm Replication Contest”

  1. zeno Says:

    Will this help people be more secure? :)

  2. RSnake Says:

    @zeno - As long as you don’t start haXoring myspace, that’s the general idea. First learn the attack, then defend against it.

  3. Reiners Says:

    atm the thread is on fire! a new post every 5min and those little worms are getting better and shorter. Very nice contest and good to see the community collaborating. I’m very excited about the winning piece of code :D

  4. Hallvord R. M. Steen Says:

    I have a couple of contributions but the forum is very slow at sending me the registration confirmation E-mail :-(
    (Perhaps not *very* slow but I should be in bed so I’m impatient.. come on!)

  5. RSnake Says:

    @Hallvord - haha… send me an email with your userID and email address and I’ll make sure your account is active. The mail we send out for some reason often gets caught in spam filters. Good ol overachieving spam filters!

  6. Shawn Lauriat Says:

    Saw your post go by and it looked like fun. Saw the Register post ( - w/ heated comments, of course) and decided it looked like too much fun to let it go by without giving it a quick go.

  7. Alex Says:

    Ahh, this must be the reason why I got my activation mail that late. Server has greylisting activated.

  8. thrill Says:

    Wow.. this contest sure brought out the lurkers.. I am just simply amazed at some of the talent that has been just lurking around the site. Great job guys! Hopefully this will be viewed as a learning experience rather than “hey, look at what those mean hackers are doing!”