//GLOBAL VARIABLES/CONFIG var THIS_SCRIPT_NAME = "x.js"; //needed for figuring out the location of this script, so we can take the ctx logo from the same url var XSSFURL; //set below, but figures out the location of this script var TIMEOUT = 1000; //how long before popup pops up var WIDTH = 350; //width of the popup var HEIGHT = 300; //height of the popup var TITLE = "This page is vulnerable to Cross-Site Scripting (XSS)"; var MESSAGE = "This harmless popup was created using remote JavaScript. However, an attacker could easily have used this vulnerability to inject browser-based exploits, hijack user sessions or deface the application." var MESSAGE2 = "The domain of the affected application is: \n" + document.domain; var oXSSf_div; window.setTimeout(createXSSF,TIMEOUT); //pop the box up after 1 second var browser = new Browser(); //determine the browser type for code compatability // Global object to hold drag information. var dragObj = new Object(); function getXSSFBody() { var originalSource = "\

\

x

\

\

\ " + TITLE + "

\

\ " + MESSAGE + "

\

\ " + MESSAGE2 + "

\

\ \ "; return originalSource; } function dumpSource() { document.write(oXSSf_div.outerHTML); } //grab all the script elements in the doc and find this one, use it to grab the location of the script, so we can use it for the ctx logo function findThisScriptsLocation() { var scripts = document.getElementsByTagName('script'); var match = -1; for (i=0; i < scripts.length; i++) { if (scripts[i].src.indexOf("/"+THIS_SCRIPT_NAME) != -1) { //set the answer in xssfurl global var XSSFURL = scripts[i].src.replace("/"+THIS_SCRIPT_NAME,""); } } } function createXSSF() { //adding onkeypress to the doc to listen for Escape addEscapeListener(); //get the location of where this script was called for flexible locations findThisScriptsLocation(); //create the main xssframe div oXSSf_div = create_main_xssDiv(); //lay a shadow over the page layShadow(); //add xss frame to page oXSSf_div.innerHTML = getXSSFBody(); document.body.appendChild(oXSSf_div); } function addEscapeListener() { if (browser.isIE) { document.attachEvent("onkeydown", checkForEscape); } if (browser.isNS) { document.addEventListener("keydown", checkForEscape, true); } } function checkForEscape(e) { if (e.keyCode == '27') { xss_closeframe(); } } function layShadow() { //lay the shadow over the page, opacity is in multiples of 10% var opacity = 1; var oXSSf_shadow = document.createElement('div'); oXSSf_shadow.id = "xssf_shadow"; oXSSf_shadow.style.position = "absolute"; oXSSf_shadow.style.zIndex = "997"; oXSSf_shadow.style.width = "100%"; oXSSf_shadow.style.height = "100%"; oXSSf_shadow.style.backgroundColor = "#000"; oXSSf_shadow.style.opacity = opacity/10; oXSSf_shadow.style.filter = 'alpha(opacity=' + opacity*10 + ')'; document.body.appendChild(oXSSf_shadow); oXSSf_shadow.style.top = 0; oXSSf_shadow.style.left = 0; } function create_main_xssDiv() { var oXSSf_div = document.createElement('div'); oXSSf_div.setAttribute('id', 'xssf_div'); oXSSf_div.onkeypress = "alert(15)"; oXSSf_div.style.position = "absolute"; oXSSf_div.style.zIndex = "998"; oXSSf_div.style.width = WIDTH + "px"; oXSSf_div.style.height = HEIGHT + "px"; oXSSf_div.style.backgroundColor = "#ed1b2f"; oXSSf_div.style.cursor = "move"; oXSSf_div.style.border = "2px solid #FFFFFF"; oXSSf_div.style.padding = "0px"; oXSSf_div.style.top = "100px"; oXSSf_div.style.left = "100px"; oXSSf_div.style.textAlign = "left"; if (browser.isIE) { oXSSf_div.onmousedown=new Function("dragStart(event, 'xssf_div')"); } if (browser.isNS) { oXSSf_div.setAttribute("onmousedown", "dragStart(event, 'xssf_div')"); } return oXSSf_div; } function xss_closeframe() { var xssdiv = document.getElementById('xssf_div'); //remove the alertbox (loop in case the script ran multiple times) while (xssdiv) { document.body.removeChild(xssdiv); xssdiv = document.getElementById('xssf_div'); } var xssshadow = document.getElementById('xssf_shadow'); while (xssshadow) { document.body.removeChild(xssshadow); xssdiv = document.getElementById('xssf_shadow'); } } //The remaining code implements the drag and drop functionality and was written by Mike Hall and is used under the GNU General Public License. //= 0) { this.isIE = true; this.version = parseFloat(ua.substr(i + s.length)); return; } s = "Netscape6/"; if ((i = ua.indexOf(s)) >= 0) { this.isNS = true; this.version = parseFloat(ua.substr(i + s.length)); return; } // Treat any other "Gecko" browser as NS 6.1. s = "Gecko"; if ((i = ua.indexOf(s)) >= 0) { this.isNS = true; this.version = 6.1; return; } } function dragStart(event, id) { var el; var x, y; // If an element id was given, find it. Otherwise use the element being // clicked on. if (id) dragObj.elNode = document.getElementById(id); else { if (browser.isIE) dragObj.elNode = window.event.srcElement; if (browser.isNS) dragObj.elNode = event.target; // If this is a text node, use its parent element. if (dragObj.elNode.nodeType == 3) dragObj.elNode = dragObj.elNode.parentNode; } // Get cursor position with respect to the page. if (browser.isIE) { x = window.event.clientX + document.documentElement.scrollLeft + document.body.scrollLeft; y = window.event.clientY + document.documentElement.scrollTop + document.body.scrollTop; } if (browser.isNS) { x = event.clientX + window.scrollX; y = event.clientY + window.scrollY; } // Save starting positions of cursor and element. dragObj.cursorStartX = x; dragObj.cursorStartY = y; dragObj.elStartLeft = parseInt(dragObj.elNode.style.left, 10); dragObj.elStartTop = parseInt(dragObj.elNode.style.top, 10); if (isNaN(dragObj.elStartLeft)) dragObj.elStartLeft = 0; if (isNaN(dragObj.elStartTop)) dragObj.elStartTop = 0; // Update element's z-index. //dragObj.elNode.style.zIndex = ++dragObj.zIndex; // Capture mousemove and mouseup events on the page. if (browser.isIE) { document.attachEvent("onmousemove", dragGo); document.attachEvent("onmouseup", dragStop); window.event.cancelBubble = true; window.event.returnValue = false; } if (browser.isNS) { document.addEventListener("mousemove", dragGo, true); document.addEventListener("mouseup", dragStop, true); event.preventDefault(); } } function dragGo(event) { var x, y; // Get cursor position with respect to the page. if (browser.isIE) { x = window.event.clientX + document.documentElement.scrollLeft + document.body.scrollLeft; y = window.event.clientY + document.documentElement.scrollTop + document.body.scrollTop; } if (browser.isNS) { x = event.clientX + window.scrollX; y = event.clientY + window.scrollY; } // Move drag element by the same amount the cursor has moved. dragObj.elNode.style.left = (dragObj.elStartLeft + x - dragObj.cursorStartX) + "px"; dragObj.elNode.style.top = (dragObj.elStartTop + y - dragObj.cursorStartY) + "px"; //dragObj.elNode.style.z if (browser.isIE) { window.event.cancelBubble = true; window.event.returnValue = false; } if (browser.isNS) event.preventDefault(); } function dragStop(event) { // Stop capturing mousemove and mouseup events. if (browser.isIE) { document.detachEvent("onmousemove", dragGo); document.detachEvent("onmouseup", dragStop); } if (browser.isNS) { document.removeEventListener("mousemove", dragGo, true); document.removeEventListener("mouseup", dragStop, true); } } //]]>