Paid Advertising
web application security lab
« Buy Diggs and Votes on StumbleUpon
Diminutive XSS Worm Contest Drama and Status Update »

Diminutive XSS Worm Replication Contest

For those of you who are familiar with the RSA diminutive munitions project from ages ago, back when it was illegal to export certain crypto systems, and the diminutive PERL contests I’ve enacted a similar contest to write a diminutive self replicating XSS worm (with a non-dangerous payload).

The diminutive XSS worm replication contest is a week long contest to get some good samples of the smallest amount of code necessary for XSS worm propagation. I’m not interested in payloads for this contest, but rather, the actual methods of propagation themselves. We’ve seen the live worm code and all of it is muddied by obfuscation, individual site issues, and the payload itself. I’d rather think cleanly about the most efficient method for propagation where every character matters.

digi7al64 has already posted a sample piece of code, setting the baseline. His code is an impressively small 292 characters. There’s no prize here, however, I will definitely be talking about the winner’s code. The winner will be announced on the 10th after all submissions are in and posted. Visit the thread for more details. This should be interesting for anyone looking at worm propagation issues!

This entry was posted on Friday, January 4th, 2008 at 9:28 am and is filed under XSS, Webappsec. You can leave a response as well.

8 Responses to “Diminutive XSS Worm Replication Contest”

  1. zeno Says:
    January 4th, 2008 at 11:52 am

    Will this help people be more secure? :)

  2. RSnake Says:
    January 4th, 2008 at 12:16 pm

    @zeno - As long as you don’t start haXoring myspace, that’s the general idea. First learn the attack, then defend against it.

  3. Reiners Says:
    January 4th, 2008 at 4:09 pm

    atm the thread is on fire! a new post every 5min and those little worms are getting better and shorter. Very nice contest and good to see the community collaborating. I’m very excited about the winning piece of code :D

  4. Hallvord R. M. Steen Says:
    January 4th, 2008 at 6:36 pm

    I have a couple of contributions but the forum is very slow at sending me the registration confirmation E-mail :-(
    (Perhaps not *very* slow but I should be in bed so I’m impatient.. come on!)

  5. RSnake Says:
    January 5th, 2008 at 9:48 am

    @Hallvord - haha… send me an email with your userID and email address and I’ll make sure your account is active. The mail we send out for some reason often gets caught in spam filters. Good ol overachieving spam filters!

  6. Shawn Lauriat Says:
    January 5th, 2008 at 3:32 pm

    Saw your post go by and it looked like fun. Saw the Register post (http://www.channelregister.co.uk/2008/01/05/worm_replication_contest/ - w/ heated comments, of course) and decided it looked like too much fun to let it go by without giving it a quick go.

  7. Alex Says:
    January 5th, 2008 at 4:18 pm

    Ahh, this must be the reason why I got my activation mail that late. Server has greylisting activated.

  8. thrill Says:
    January 5th, 2008 at 11:52 pm

    Wow.. this contest sure brought out the lurkers.. I am just simply amazed at some of the talent that has been just lurking around the site. Great job guys! Hopefully this will be viewed as a learning experience rather than “hey, look at what those mean hackers are doing!”

    –thrill

Respond here or Discuss On the Forums