Important Code Snippets in SAMY
The script injection sets up some key variables. It attempts to grab the victim's Mytoken
and friendID tokens. These two tokens are necessary to perform client state changes.
The friendID token is the victim's unique user identifier and Mytoken is a cross-site
request forgery (CSRF) prevention token. (CSRF is discussed in detail in Chapter 3.)
// These are some key variables, like the XMLHttpRequest object, the
// "Mytoken" CSRF prevention token, and the victim's "friendID". The
// "Mytoken" and "friendID" are required for the worm to make requests on
// the victim's behalf.
var xmlHttpRequest;
var queryParameterArray = getQueryParameters();
var myTokenParameter = queryParameterArray['Mytoken'];
var friendIdParameter = queryParameterArray['friendID'];
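The following is an added illustration of why the worm needs both values; it is example code written for this page, not code from the book or from the worm, and the session store, handler and URL are hypothetical. It models a server-side Mytoken/friendID check and exercises it once with a classic cross-site forgery and once with script running inside the victim's own page.

```javascript
// Hypothetical server side: one CSRF token per logged-in session.
// Sample data below is constructed for this example.
const sessions = {
  'sess-victim': { friendID: '12345678', Mytoken: 'constructed-token-9f3a' },
};

// Hypothetical handler for a client state change (e.g. a profile edit).
// Returns a status string instead of sending a real HTTP response.
function handleProfileUpdate(sessionCookie, body) {
  const session = sessions[sessionCookie];
  if (!session) return 'rejected: no session';
  if (body.friendID !== session.friendID) return 'rejected: friendID mismatch';
  if (body.Mytoken !== session.Mytoken) return 'rejected: bad CSRF token';
  return 'accepted';
}

// Client side: query-string parsing of the kind the worm relies on.
// Anything running in the page, the site's own code or injected code,
// can read these values.
function getQueryParameters(url) {
  const params = {};
  const query = url.split('?')[1] || '';
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const [key, value = ''] = pair.split('=');
    params[decodeURIComponent(key)] = decodeURIComponent(value);
  }
  return params;
}

// Constructed URL of the victim's profile page, carrying both tokens.
const victimPageUrl =
  'http://profile.example/edit?friendID=12345678&Mytoken=' + sessions['sess-victim'].Mytoken;

// Scenario 1: classic CSRF from a third-party page. The browser attaches the
// victim's session cookie, but the attacker's page cannot read Mytoken, so the
// server rejects the request. This is what the token is designed to stop.
function crossSiteForgery() {
  return handleProfileUpdate('sess-victim', { friendID: '12345678', Mytoken: 'guess' });
}

// Scenario 2: script already running inside the victim's page (which is what
// the script injection provides) reads both tokens from the URL, so the CSRF
// check passes. The token protects against CSRF, not against XSS.
function sameOriginScript(pageUrl) {
  const q = getQueryParameters(pageUrl);
  return handleProfileUpdate('sess-victim', { friendID: q.friendID, Mytoken: q.Mytoken });
}
```

The contrast between the two scenarios is the point: a CSRF token is only as secret as the page it lives in, so fixing the injection, not the token, is the mitigation.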
The setup code creates key strings to inject the script and attack code into the victim's
profile page. An important string to track is the heroCommentWithWorm string, because it
contains the script injection and the attack code. When this string is injected into the
victim's profile page, the victim is infected and begins to spread the worm further.
// The next five variables search for Samy's code in the current page.