
This is my first experience with Stack Overflow and I'm afraid my question asks a lot for a first. I was looking at this thread: "Javascript in the address bar - is this malicious?" and, as you will see, SLaks has very kindly deobfuscated the JavaScript and left us with what appears to be the JavaScript behind the automatic Facebook invite code.

As I'm fairly new to JavaScript, I was wondering, what other components were needed to get this code to work? You of course have the functions there and they are called by the obfuscated JavaScript, but how exactly?

Would it be possible to replicate this on a page of my own using the information available or is there more to this script I am missing? I am willing to financially assist somebody who could compile a solution for me.

Thank you in advance.

DoMx
  • Are you looking to hire someone to do it for you or do you want to learn JavaScript so that eventually you can do it? It's not very clear, but stackoverflow is the wrong place for the former. – Russ Cam Apr 14 '10 at 09:49
  • @Russ Cam you're right, there are too many goody goody white hats on SO. – rook Apr 14 '10 at 16:07
  • My comment isn't intended to be rude (I re-read it and thought it may come across as so). I was merely trying to say if you want to pay someone to do the work, SO is not the right place. – Russ Cam Apr 14 '10 at 16:46

1 Answer


There are plenty of JavaScript obfuscators floating around. By executing JavaScript in the address bar, you are executing with the same context, or the "same origin", as the website you are currently visiting. Thus, the rules for exploiting XSS are identical. I recommend studying XSS payloads like the Samy worm, which affected MySpace. In short, you can use XMLHttpRequest to force the browser into doing your bidding, or you can hijack the session by stealing the "document.cookie".

rook
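
A defender-side view of the cookie point in the answer above, as an added example that is not part of the original post: given a site's Set-Cookie headers, it computes what script running in the page's origin would read from document.cookie and lists session-like cookies that lack HttpOnly. The header lines and the session-name pattern are constructed assumptions.

```javascript
// Added example (not from the original thread).
// Script running in a page's origin, including a javascript: URL pasted into
// the address bar, reads cookies through document.cookie. Cookies marked
// HttpOnly are excluded from that string.

// Parse one Set-Cookie header value into its name, value and security flags.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || '';
  const eq = first.indexOf('=');
  if (eq < 1) return null; // this example skips cookies without a name
  const cookie = { name: first.slice(0, eq), value: first.slice(eq + 1),
                   httpOnly: false, secure: false, sameSite: null };
  for (const attr of parts) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

// The string document.cookie would expose: every cookie not marked HttpOnly.
function scriptVisibleCookies(headers) {
  return headers.map(parseSetCookie)
    .filter((c) => c && !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Names that look like session identifiers (assumed pattern) yet are script-readable.
function exposedSessionCookies(headers, sessionNamePattern = /sess|sid|auth|token/i) {
  return headers.map(parseSetCookie)
    .filter((c) => c && !c.httpOnly && sessionNamePattern.test(c.name))
    .map((c) => c.name);
}

// Constructed sample headers, not taken from any real site.
const sampleHeaders = [
  'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'auth_token=deadbeef; Path=/',
  'theme=dark; Path=/; Max-Age=31536000',
];

console.log('document.cookie would contain:', scriptVisibleCookies(sampleHeaders));
console.log('session-like cookies missing HttpOnly:', exposedSessionCookies(sampleHeaders));
```

HttpOnly only addresses reading the cookie; requests sent by same-origin script still carry it, so state-changing endpoints need their own protection.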