Competition for shortest cross-site scripting worm
"If you know others and know yourself, you will not be imperilled in a hundred battles", wrote Chinese military strategist Sun Tzu way back in the third century B.C. Now, RSnake, a hacker well known among his peers, has announced a competition for the shortest cross-site scripting worm so that everyone can get to know one of main enemies of web 2.0. The winner will not, however, be receiving an award, unless fame counts. RSnake says the idea of such a competition came to him during a discussion about current XSS worms.
The competition ends on Thursday, January 10. Results can already be posted as a commentary to the announcement. Indeed, some already have been. RSnake will also be accepting submissions via e-mail and publishing the code after the competition has ended.
The code has to fulfil certain requirements: for instance, it must not require any user interaction on the website and must work at least with Internet Explorer 7 and Firefox 2.x. It must run on Apache 1.3.x and 2.x web servers at least. There are also some restrictions. Furthermore, the code must not grow during dissemination nor be injected as a parameter. In addition, no data from cookies or GET parameters may be used. For a complete list of requirements, see Diminutive XSS Worm Replication Contest.
This event represents a significant technical challenge, and could lead to wider understanding of the XSS problem. It might even potentially advance the science of defence against XSS. However, open competitions of this nature may soon be a thing of the past. Germany recently passed a law that could be interpreted as prohibiting such public hacking, and, once it comes into force later this year, the comparable "supply" clause of the revised UK Computer Misuse Act might also be invoked to curb the unfettered public dissemination of security exploits that inevitably results.