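/**
 * Content script: probes the current page for fragment-based (location.hash)
 * DOM XSS and reports each hit to the extension.
 *
 * Flow, gated on the `enabled` setting read from chrome.storage.sync:
 *  1. A hidden iframe with a `javascript:` URL installs a global
 *     `window.top.hash_xss_callback` in the top window; calling it dispatches a
 *     `hash_xss_executed` DOM event on the top document.
 *  2. If the page arrived without a fragment, a probe fragment that invokes
 *     that callback is assigned to location.hash.
 *  3. Every `hash_xss_executed` event bumps a counter, forwards it to the
 *     extension, and, per the `report` / `audio` settings, sends an analytics
 *     hit and plays an audio alert.
 *
 * Caveats a reader of the results should know:
 *  - `hash_xss_callback` is a page-visible global, so ordinary page scripts can
 *    call it; a non-zero count is a signal to verify, not proof of a flaw.
 *  - The event listener is attached to this frame's `document` while the probe
 *    dispatches on the top document, so detection presumably only works when
 *    this script runs in the top frame — confirm against the manifest.
 *  - Pages whose CSP forbids inline / `javascript:` script presumably never get
 *    the callback installed and silently report 0 — TODO confirm.
 *  - Pages that already carry a fragment are never probed.
 *  - Assigning location.hash fires `hashchange` on every page visited while
 *    the extension is enabled.
 */
chrome.storage.sync.get({
  enabled: true,
}, (items) => {
  if (!items.enabled) {
    return;
  }

  let hashXssCount = 0;

  /**
   * Best-effort analytics hit (fire-and-forget GET; errors are ignored).
   * NOTE(review): this sends the full page URL — query string and fragment,
   * probe included — to a third party; sending only the origin would leak less.
   */
  const sendReport = () => {
    let pageUrl;
    try {
      pageUrl = window.top.location.href;
    } catch (err) {
      // Reading the URL of a cross-origin top frame throws; fall back to this
      // frame's own URL rather than aborting the whole handler.
      pageUrl = location.href;
    }
    const reportUrl = new URL('https://www.google-analytics.com/collect');
    reportUrl.searchParams.set('v', '1');
    reportUrl.searchParams.set('tid', 'UA-17761407-7');
    reportUrl.searchParams.set('cid', '1');
    reportUrl.searchParams.set('t', 'event');
    reportUrl.searchParams.set('ec', 'hash_xss');
    reportUrl.searchParams.set('ea', pageUrl);
    const xhr = new XMLHttpRequest();
    xhr.open('GET', reportUrl.href, true);
    xhr.send(null);
  };

  /**
   * Plays the bundled alert sound by appending a hidden autoplaying <audio>
   * element. Built with DOM APIs rather than innerHTML so no markup is parsed.
   */
  const playAlert = () => {
    const source = document.createElement('source');
    source.src = chrome.runtime.getURL('alert.mp3');
    source.type = 'audio/mpeg';
    const audio = document.createElement('audio');
    audio.autoplay = true;
    audio.appendChild(source);
    const holder = document.createElement('div');
    holder.setAttribute('style', 'display:none;');
    holder.appendChild(audio);
    document.documentElement.appendChild(holder);
  };

  // One event per callback invocation; the running count is forwarded to the
  // extension (chrome.runtime.sendMessage; chrome.extension.sendMessage is
  // its deprecated alias).
  document.addEventListener('hash_xss_executed', () => {
    hashXssCount += 1;
    chrome.runtime.sendMessage(hashXssCount);
    chrome.storage.sync.get(null, (settings) => {
      if (settings.report) {
        sendReport();
      }
      if (settings.audio) {
        playAlert();
      }
    });
  }, false);

  // Installs `window.top.hash_xss_callback`, which dispatches the event
  // handled above. The iframe's javascript: URL evaluates `payload` in the
  // top window's context; the payload string must stay byte-identical.
  const payload = '!function(){window.hash_xss_callback=function(){var n=document.createEvent("Event");n.initEvent("hash_xss_executed",!0,!0);document.dispatchEvent(n)}}()';
  const iframe = document.createElement('iframe');
  iframe.id = 'hash_xss_iframe';
  iframe.setAttribute('style', 'display:none;');
  iframe.setAttribute('src', `javascript: top.window.eval.call(top.window,'${payload}')`);
  document.documentElement.appendChild(iframe);

  // Reset the extension-side counter for this page load.
  chrome.runtime.sendMessage(0);

  // Only probe pages that arrive without a fragment so an existing one is not
  // clobbered (strict comparison: an empty hash is exactly '').
  if (location.hash === '') {
    location.hash = "#9876'-window.top.hash_xss_callback()-'\"-window.top.hash_xss_callback()-\"";
  }
});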