├── exercises
    ├── 10
    │   ├── problem.md
    │   └── server.js
    ├── 11
    │   ├── problem.md
    │   └── server.js
    ├── 12
    │   ├── problem.md
    │   └── server.js
    ├── 13
    │   └── problem.md
    ├── 14
    │   ├── problem.md
    │   └── server.js
    ├── 15
    │   ├── problem.md
    │   └── server.js
    ├── 16
    │   ├── problem.md
    │   └── server.js
    ├── 17
    │   ├── server.js
    │   └── problem.md
    ├── 18
    │   └── problem.md
    ├── common
    │   ├── foot.ejs
    │   ├── static
    │   │   ├── bg-stars.gif
    │   │   ├── cornelly.png
    │   │   ├── hrvrdio.png
    │   │   ├── stanfoogle.gif
    │   │   ├── caloogle.js
    │   │   └── caloogle.css
    │   ├── caloogle-logo.ejs
    │   ├── caloogle-home-page.ejs
    │   ├── caloogle-search-page.ejs
    │   ├── head.ejs
    │   ├── head3.ejs
    │   ├── head2.ejs
    │   ├── caloogle-search-page4.ejs
    │   ├── server.js
    │   ├── caloogle-search-page5.ejs
    │   ├── caloogle-search-page2.ejs
    │   ├── caloogle-search-page3.ejs
    │   ├── caloogle-guestbook-page.ejs
    │   └── caloogle.js
    ├── 05
    │   ├── problem.md
    │   └── server.js
    ├── 07
    │   ├── problem.md
    │   └── server.js
    ├── 04
    │   ├── problem.md
    │   └── server.js
    ├── 03
    │   ├── problem.md
    │   └── server.js
    ├── 02
    │   ├── problem.md
    │   └── server.js
    ├── 06
    │   ├── problem.md
    │   └── server.js
    ├── 09
    │   └── problem.md
    ├── 08
    │   ├── problem.md
    │   └── server.js
    ├── exercises.json
    ├── 01
    │   ├── server.js
    │   └── problem.md
    └── 00
    │   └── problem.md
├── static
    ├── home.png
    ├── newtab.png
    ├── workshop.css
    ├── common.js
    └── common.css
├── README.md
├── src
    ├── SURVEY.md
    └── SOLUTIONS.md
├── test
    └── basic.js
├── .gitignore
├── server
    ├── layout.ejs
    └── index.js
└── package.json


/exercises/common/foot.ejs:
--------------------------------------------------------------------------------
1 |     </div>
2 |   </body>
3 | </html>
4 | 


--------------------------------------------------------------------------------
/static/home.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stanford-web-security/assign1/HEAD/static/home.png


--------------------------------------------------------------------------------
/static/newtab.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stanford-web-security/assign1/HEAD/static/newtab.png


--------------------------------------------------------------------------------
/exercises/common/static/bg-stars.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stanford-web-security/assign1/HEAD/exercises/common/static/bg-stars.gif


--------------------------------------------------------------------------------
/exercises/common/static/cornelly.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stanford-web-security/assign1/HEAD/exercises/common/static/cornelly.png


--------------------------------------------------------------------------------
/exercises/common/static/hrvrdio.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stanford-web-security/assign1/HEAD/exercises/common/static/hrvrdio.png


--------------------------------------------------------------------------------
/exercises/common/static/stanfoogle.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stanford-web-security/assign1/HEAD/exercises/common/static/stanfoogle.gif


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # CS 253 Assignment 1 – Journey to the Dark Side 🌘
2 | 
3 | Assignment instructions: https://web.stanford.edu/class/cs253/assign1
4 | 


--------------------------------------------------------------------------------
/exercises/common/static/caloogle.js:
--------------------------------------------------------------------------------
1 | window.sendAnalytics = (...args) => {
2 |   console.log(`Sending ${args} to analytics service...`)
3 | }
4 | 


--------------------------------------------------------------------------------
/exercises/common/caloogle-logo.ejs:
--------------------------------------------------------------------------------
1 |  <span class='blue'>Cal</span><span class='red'>o</span><span class='yellow'>o</span><span class='blue'>g</span><span class='green'>l</span><span class='red'>e</span>
2 | 


--------------------------------------------------------------------------------
/exercises/common/caloogle-home-page.ejs:
--------------------------------------------------------------------------------
 1 | <%- include('head') -%>
 2 | 
 3 | <div class='home-page'>
 4 |   <h1>
 5 |     <%- include('caloogle-logo') %>
 6 |   </h1>
 7 | 
 8 |   <form action='/search'>
 9 |     <input class='searchInput' type='text' name='q' />
10 |     <br />
11 |     <button type='submit'>Search</button>
12 |   </form>
13 | </div>
14 | 
15 | <%- include('foot') -%>
16 | 


--------------------------------------------------------------------------------
/src/SURVEY.md:
--------------------------------------------------------------------------------
 1 | # Assignment 1 Survey Questions (3 points)
 2 | 
 3 | ## Roughly how long did you spend on this assignment?
 4 | 
 5 | TODO: Replace this with your response
 6 | 
 7 | ## What was your favorite part of this assignment and why?
 8 | 
 9 | TODO: Replace this with your response
10 | 
11 | ## What was your least favorite part of this assignment and why?
12 | 
13 | TODO: Replace this with your response
14 | 
15 | ## Any other feedback for this assignment? (optional)
16 | 


--------------------------------------------------------------------------------
/exercises/18/problem.md:
--------------------------------------------------------------------------------
 1 | Congrats, you're all done! ✨
 2 | 
 3 | Now, go take [CS 181](http://cs181.stanford.edu) and reflect on the ethical implications of all your actions thus far! 😁
 4 | 
 5 | ## Survey
 6 | 
 7 | Your feedback matters a lot! This is a brand new course, so please help us improve by answering the survey questions in `src/SURVEY.md`. As a reward, enjoy some easy points!
 8 | 
 9 | <a href='#' onclick="window.postMessage('success', '*')">Click this link to call success()</a> and complete this exercise.
10 | 
11 | 


--------------------------------------------------------------------------------
/exercises/common/caloogle-search-page.ejs:
--------------------------------------------------------------------------------
 1 | <%- include('head') -%>
 2 | 
 3 | <div class='search-page'>
 4 |   <div class='header clearfix'>
 5 |     <h2 class='logo'>
 6 |       <a href='/'>
 7 |         <%- include('caloogle-logo') %>
 8 |       </a>
 9 |     </h2>
10 | 
11 |     <form action='/search'>
12 |       <input class='searchInput' type='text' name='q' value='<%= q %>' />
13 |       <button type='submit'>Search</button>
14 |     </form>
15 |   </div>
16 | 
17 |   <h3>Results for <%- q %>:</h3>
18 | 
19 |   <div class='results'>
20 |     <% results.forEach(result => { %>
21 |       <p class='result'>
22 |         <a class='title' href='<%= result.url %>'><%= result.title %></a>
23 |         <a class='link' href='<%= result.url %>'><%= result.url %></a>
24 |       </p>
25 |     <% }) %>
26 |   </div>
27 | </div>
28 | 
29 | <%- include('foot') -%>
30 | 


--------------------------------------------------------------------------------
/exercises/common/head.ejs:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang='en'>
 3 |   <head>
 4 |     <meta charset='utf-8' />
 5 |     <meta name='viewport' content='width=device-width, initial-scale=1, viewport-fit=cover' />
 6 |     <link href='https://fonts.googleapis.com/css?family=Share+Tech+Mono&display=swap' rel='stylesheet' />
 7 |     <link rel='stylesheet' href='/common.css' />
 8 |     <link rel='stylesheet' href='/caloogle.css' />
 9 |     <script src='/common.js'></script>
10 |     <script src='/caloogle.js'></script>
11 |   </head>
12 | 
13 |   <body>
14 |     <input type='hidden' class='exercise-id' value='<%= exerciseId %>'>
15 |     <nav class='iframeNav'>
16 |       <div class='home'></div>
17 |       <div class='newtab'></div>
18 |       <form class='urlForm'>
19 |         <input class='url'></div>
20 |       </form>
21 |     </nav>
22 |     <div class='root'>
23 | 


--------------------------------------------------------------------------------
/exercises/common/head3.ejs:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang='en'>
 3 |   <head>
 4 |     <meta charset='utf-8' />
 5 |     <meta name='viewport' content='width=device-width, initial-scale=1, viewport-fit=cover' />
 6 |     <link href='https://fonts.googleapis.com/css?family=Share+Tech+Mono&display=swap' rel='stylesheet' />
 7 |     <link rel='stylesheet' href='/common.css' />
 8 |     <link rel='stylesheet' href='/caloogle.css' />
 9 |     <script src='/common.js'></script>
10 |     <script src='/caloogle.js'></script>
11 |   </head>
12 | 
13 |   <body class='guestbook'>
14 |     <input type='hidden' class='exercise-id' value='<%= exerciseId %>'>
15 |     <nav class='iframeNav'>
16 |       <div class='home'></div>
17 |       <div class='newtab'></div>
18 |       <form class='urlForm'>
19 |         <input class='url'></div>
20 |       </form>
21 |     </nav>
22 |     <div class='root'>
23 | 


--------------------------------------------------------------------------------
/exercises/common/head2.ejs:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang='<%= lang %>'>
 3 |   <head>
 4 |     <meta charset='utf-8' />
 5 |     <meta name='viewport' content='width=device-width, initial-scale=1, viewport-fit=cover' />
 6 |     <link href='https://fonts.googleapis.com/css?family=Share+Tech+Mono&display=swap' rel='stylesheet' />
 7 |     <link rel='stylesheet' href='/common.css' />
 8 |     <link rel='stylesheet' href='/caloogle.css' />
 9 |     <script src='/common.js'></script>
10 |     <script src='/caloogle.js'></script>
11 |   </head>
12 | 
13 |   <body class=<%= lang %>>
14 |     <input type='hidden' class='exercise-id' value='<%= exerciseId %>'>
15 |     <nav class='iframeNav'>
16 |       <div class='home'></div>
17 |       <div class='newtab'></div>
18 |       <form class='urlForm'>
19 |         <input class='url'></div>
20 |       </form>
21 |     </nav>
22 |     <div class='root'>
23 | 


--------------------------------------------------------------------------------
/exercises/05/problem.md:
--------------------------------------------------------------------------------
 1 | They're on to you! They saw your last attack in their server logs and have updated their input sanitization code once again.
 2 | 
 3 | ```js
 4 | router.get('/search', async (req, res) => {
 5 |   let q = req.query.q
 6 |   if (q == null) q = ''
 7 | 
 8 |   let oldQ
 9 |   while (q !== oldQ) {
10 |     oldQ = q
11 |     q = q.replace(/script|SCRIPT/g, '')
12 |   }
13 | 
14 |   const results = await getResults(q)
15 |   res.render('caloogle-search-page', { q, results })
16 | })
17 | ```
18 | 
19 | ## Goal
20 | 
21 | Can you think of a way to defeat their improved sanitization code and get your `<script>` tag into the page using the search input field?
22 | 
23 | <iframe src='http://caloogle.xyz:4050'></iframe>
24 | 
25 | Before you move on to the next exercise, remember to copy your "attack input" into the `SOLUTIONS.md` file.
26 | 
27 | ## Note
28 | 
29 | Your solution must involve a `<script>` tag.
30 | 


--------------------------------------------------------------------------------
/exercises/16/problem.md:
--------------------------------------------------------------------------------
 1 | Your competitor holds yet another emergency meeting to plan their response to your last hack. At this point, they should just make their emergency meeting into a regularly scheduled meeting.
 2 | 
 3 | They realize their folly and decide to prevent you from breaking out of the script context by removing the sequence of characters that you must use in order to do that. Namely, `</`. They use a regular expression to do this, but, as usual, there's a bug in it.
 4 | 
 5 | But you know that since you've [hacked the Gibson](https://www.youtube.com/watch?v=vYNnPx8fZBs) before, their puny defenses will be no match for your skillz!!!!11
 6 | 
 7 | ## Goal
 8 | 
 9 | Find the XSS vulnerability in the search input field. You can use any HTML tag to run the `success()` function.
10 | 
11 | <iframe src='http://caloogle.xyz:4160'></iframe>
12 | 
13 | Before you move on to the next exercise, remember to copy your "attack input" into the `SOLUTIONS.md` file.
14 | 


--------------------------------------------------------------------------------
/test/basic.js:
--------------------------------------------------------------------------------
 1 | const test = require('tape')
 2 | const { existsSync, readFileSync } = require('fs')
 3 | const { join, relative } = require('path')
 4 | 
 5 | const ROOT_PATH = join(__dirname, '..')
 6 | const SRC_PATH = join(ROOT_PATH, 'src')
 7 | 
 8 | test('Check that src/ looks reasonable', t => {
 9 |   const paths = [
10 |     'SOLUTIONS.md',
11 |     'SURVEY.md'
12 |   ]
13 | 
14 |   paths
15 |     .map(path => join(SRC_PATH, path))
16 |     .forEach(path => {
17 |       assertExists(t, path)
18 |       assertNoTodo(t, path)
19 |     })
20 | 
21 |   t.end()
22 | })
23 | 
24 | function assertExists (t, path) {
25 |   const relPath = relative(ROOT_PATH, path)
26 |   t.ok(existsSync(path), `ensure ${relPath} exists`)
27 | }
28 | 
29 | function assertNoTodo (t, path) {
30 |   const relPath = relative(ROOT_PATH, path)
31 |   t.ok(
32 |     !readFileSync(path, 'utf8').includes('TODO'),
33 |     `ensure ${relPath} does not contain the string "TODO"`
34 |   )
35 | }
36 | 


--------------------------------------------------------------------------------
/exercises/07/problem.md:
--------------------------------------------------------------------------------
 1 | The consultant is cleverer than you expected and was watching the server logs right when you did the last attack. They spotted your handiwork and were able to react quickly with a fix.
 2 | 
 3 | You know their fix is probably still broken in some way, though. You dive into the code to search for the mistake you know must exist. 😆
 4 | 
 5 | ```js
 6 | router.get('/search', async (req, res) => {
 7 |   let q = req.query.q
 8 |   if (q == null) q = ''
 9 | 
10 |   let oldQ
11 |   while (q !== oldQ) {
12 |     oldQ = q
13 |     q = q.replace(/script|onerror=|onload=/gi, '')
14 |   }
15 | 
16 |   const results = await getResults(q)
17 |   res.render('caloogle-search-page', { q, results })
18 | })
19 | ```
20 | 
21 | ## Goal
22 | 
23 | Find the XSS vulnerability in the search input field. You should **not** use a `<script>` tag in this attack.
24 | 
25 | <iframe src='http://caloogle.xyz:4070'></iframe>
26 | 
27 | Before you move on to the next exercise, remember to copy your "attack input" into the `SOLUTIONS.md` file.
28 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Logs
 2 | logs
 3 | *.log
 4 | npm-debug.log*
 5 | yarn-debug.log*
 6 | yarn-error.log*
 7 | lerna-debug.log*
 8 | 
 9 | # Diagnostic reports (https://nodejs.org/api/report.html)
10 | report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
11 | 
12 | # Runtime data
13 | pids
14 | *.pid
15 | *.seed
16 | *.pid.lock
17 | 
18 | # Directory for instrumented libs generated by jscoverage/JSCover
19 | lib-cov
20 | 
21 | # Coverage directory used by tools like istanbul
22 | coverage
23 | *.lcov
24 | 
25 | # Compiled binary addons (https://nodejs.org/api/addons.html)
26 | build/Release
27 | 
28 | # Dependency directories
29 | node_modules/
30 | jspm_packages/
31 | 
32 | # Optional npm cache directory
33 | .npm
34 | 
35 | # Optional eslint cache
36 | .eslintcache
37 | 
38 | # Optional REPL history
39 | .node_repl_history
40 | 
41 | # Output of 'npm pack'
42 | *.tgz
43 | 
44 | # Yarn Integrity file
45 | .yarn-integrity
46 | 
47 | # dotenv environment variables file
48 | .env
49 | .env.test
50 | 
51 | # parcel-bundler cache (https://parceljs.org/)
52 | .cache
53 | 


--------------------------------------------------------------------------------
/exercises/04/problem.md:
--------------------------------------------------------------------------------
 1 | After their last defeat, they're getting really frustrated with your attacks.
 2 | 
 3 | They decide to just iterate repeatedly until all your hackery is removed from the input. But there's a problem with their approach.
 4 | 
 5 | ```js
 6 | router.get('/search', async (req, res) => {
 7 |   let q = req.query.q
 8 |   if (q == null) q = ''
 9 | 
10 |   let oldQ
11 |   while (q !== oldQ) {
12 |     oldQ = q
13 |     q = q.replace(/script/g, '')
14 |   }
15 | 
16 |   const results = await getResults(q)
17 |   res.render('caloogle-search-page', { q, results })
18 | })
19 | ```
20 | 
21 | ## Goal
22 | 
23 | Can you think of a way to defeat their improved sanitization code and get your `<script>` tag into the page using the search input field?
24 | 
25 | <iframe src='http://caloogle.xyz:4040'></iframe>
26 | 
27 | Before you move on to the next exercise, remember to copy your "attack input" (the malicious input string, not the URL) into the `SOLUTIONS.md` file.
28 | 
29 | ## Note
30 | 
31 | Your solution must involve a `<script>` tag.
32 | 


--------------------------------------------------------------------------------
/exercises/12/problem.md:
--------------------------------------------------------------------------------
 1 | Struck by a very similar bug ...yet again!
 2 | 
 3 | Your competitor hasn't learned that writing tests for their code to ensure it actually works is an important security practice. Untested code is broken code. One day they'll learn.
 4 | 
 5 | In the meantime, they deploy a fresh fix and cross their fingers that you'll run out of ideas. But they didn't take into account how relentless you are. Taking down your competitors is priority #1 for you. You won't sleep until your startup is a unicorn. #Hustle #Grinding
 6 | 
 7 | After all, your personal motto has always been "No risk, no rari!"
 8 | 
 9 | ## Goals
10 | 
11 | 1. Find the XSS vulnerability in the search input field. You can use any HTML you want to run the `success()` function.
12 | 
13 | 1. Write out the code that you believe the server must be executing to process the input.
14 | 
15 | <iframe src='http://caloogle.xyz:4120'></iframe>
16 | 
17 | Before you move on to the next exercise, remember to copy your "attack input" as well as your server code into the `SOLUTIONS.md` file.
18 | 


--------------------------------------------------------------------------------
/exercises/common/caloogle-search-page4.ejs:
--------------------------------------------------------------------------------
 1 | <%- include('head2') -%>
 2 | 
 3 | <div class='search-page'>
 4 |   <div class='header clearfix'>
 5 |     <h2 class='logo'>
 6 |       <a href='/'>
 7 |         <%- include('caloogle-logo') %>
 8 |       </a>
 9 |     </h2>
10 | 
11 |     <form action='/search'>
12 |       <input class='searchInput' type='text' name='q' value='<%= rawQ %>' />
13 |       <button type='submit'><%= searchText %></button>
14 |     </form>
15 |   </div>
16 | 
17 |   <p><%= languagesText %>: <a href="<%= enUrl.pathname + enUrl.search %>">English</a> • <a href="<%= esUrl.pathname + esUrl.search %>">Spanish</a> • <a href="<%= deUrl.pathname + deUrl.search %>">German</a></p>
18 | 
19 |   <h3><%= resultsForText %> <%= rawQ %>:</h3>
20 | 
21 |   <div class='results'>
22 |     <% results.forEach(result => { %>
23 |       <p class='result'>
24 |         <a class='title' href='<%= result.url %>'><%= result.title %></a>
25 |         <a class='link' href='<%= result.url %>'><%= result.url %></a>
26 |       </p>
27 |     <% }) %>
28 |   </div>
29 | </div>
30 | 
31 | <%- include('foot') -%>
32 | 


--------------------------------------------------------------------------------
/exercises/03/problem.md:
--------------------------------------------------------------------------------
 1 | Your competitor realizes that you've found a way around their hotfix. They quickly jump into action and make another change to defend against your last attack.
 2 | 
 3 | They don't have good engineering practices, so they deploy their fix straight to production without a code review. You should teach them a lesson that they won't soon forget. Hack them so thoroughly that they're sent back to pre-seed stage!
 4 | 
 5 | ```js
 6 | router.get('/search', async (req, res) => {
 7 |   let q = req.query.q
 8 |   if (q == null) q = ''
 9 | 
10 |   q = q.replace(/script/gi, '')
11 | 
12 |   const results = await getResults(q)
13 |   res.render('caloogle-search-page', { q, results })
14 | })
15 | ```
16 | 
17 | ## Goal
18 | 
19 | Can you think of a way to defeat their improved sanitization code and get your `<script>` tag into the page using the search input field?
20 | 
21 | <iframe src='http://caloogle.xyz:4030'></iframe>
22 | 
23 | Before you move on to the next exercise, remember to copy your "attack input" (the malicious input string, not the URL) into the `SOLUTIONS.md` file.
24 | 
25 | ## Note
26 | 
27 | Your solution must involve a `<script>` tag.
28 | 


--------------------------------------------------------------------------------
/exercises/02/problem.md:
--------------------------------------------------------------------------------
 1 | Your competitor is on to you! They've figured out what you're up to and they put their best engineering "rockstar" on the case.
 2 | 
 3 | Fortunately for you, their best engineer isn't very good.
 4 | 
 5 | They attempt to sanitize the search query with a call to [`String.prototype.replace`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/replace). This is the final code they deploy to production:
 6 | 
 7 | ```js
 8 | router.get('/search', async (req, res) => {
 9 |   let q = req.query.q
10 |   if (q == null) q = ''
11 | 
12 |   q = q.replace(/script/i, '')
13 | 
14 |   const results = await getResults(q)
15 |   res.render('caloogle-search-page', { q, results })
16 | })
17 | ```
18 | 
19 | ## Goal
20 | 
21 | You should be able to make a small change to your "attack input" from the last exercise and your Reflected XSS attack should continue to work against their users. Unleash more `<script>` pwnage!
22 | 
23 | <iframe src='http://caloogle.xyz:4020'></iframe>
24 | 
25 | Before you move on to the next exercise, remember to copy your "attack input" (the malicious input string, not the URL) into the `SOLUTIONS.md` file.
26 | 
27 | ## Note
28 | 
29 | Your solution must involve a `<script>` tag.
30 | 


--------------------------------------------------------------------------------
/exercises/common/server.js:
--------------------------------------------------------------------------------
 1 | module.exports = {
 2 |   createServer
 3 | }
 4 | 
 5 | const express = require('express')
 6 | const Router = require('express-promise-router')
 7 | const bodyParser = require('body-parser')
 8 | const { basename, join } = require('path')
 9 | 
10 | const COMMON_PATH = __dirname
11 | const ROOT_PATH = join(__dirname, '..', '..')
12 | 
13 | function createServer (port, serverDirname) {
14 |   const app = express()
15 | 
16 |   app.set('view engine', 'ejs')
17 |   app.set('views', [serverDirname, COMMON_PATH, ROOT_PATH])
18 | 
19 |   const router = new Router()
20 |   app.use(router)
21 | 
22 |   router.use(express.static(join(serverDirname, 'static')))
23 |   router.use(express.static(join(COMMON_PATH, 'static')))
24 |   router.use(express.static(join(ROOT_PATH, 'static')))
25 | 
26 |   router.use(async (req, res) => {
27 |     res.set('X-XSS-Protection', '0')
28 |     res.locals.exerciseId = Number(basename(serverDirname))
29 |     return 'next'
30 |   })
31 | 
32 |   // parse application/x-www-form-urlencoded
33 |   router.use(bodyParser.urlencoded({ extended: false }))
34 | 
35 |   // parse application/json
36 |   router.use(bodyParser.json())
37 | 
38 |   app.listen(port, '127.0.0.1')
39 | 
40 |   return { app, router }
41 | }
42 | 


--------------------------------------------------------------------------------
/exercises/11/problem.md:
--------------------------------------------------------------------------------
 1 | Your last attack showed your competitor the error of their ways. They now realize why they were using `htmlElementEscape()` incorrectly.
 2 | 
 3 | Thanks to you, they have learned that the `htmlElementEscape()` function doesn't work for the values of HTML attributes. It doesn't escape the right set of characters for this context.
 4 | 
 5 | Your competitor's best engineers convene and emergency meeting to figure out what to do. They decide that the best way to resolve the issue is to replace double quote characters (`"`) with the corresponding HTML entity (`&quot;`) so it is not possible to "break out" of the attribute value section.
 6 | 
 7 | But, in their haste, they seem to have forgotten to think of all the cases... too bad for them. There's only one way that they'll learn. Show them! 😈
 8 | 
 9 | ## Goals
10 | 
11 | 1. Find the XSS vulnerability in the search input field. You can use any HTML you want to run the `success()` function.
12 | 
13 | 1. Write out the code that you believe the server must be executing to process the input.
14 | 
15 | <iframe src='http://caloogle.xyz:4110'></iframe>
16 | 
17 | Before you move on to the next exercise, remember to copy your "attack input" as well as your server code into the `SOLUTIONS.md` file.
18 | 


--------------------------------------------------------------------------------
/exercises/common/caloogle-search-page5.ejs:
--------------------------------------------------------------------------------
 1 | <%- include('head') -%>
 2 | 
 3 | <div class='search-page'>
 4 |   <div class='header clearfix'>
 5 |     <h2 class='logo'>
 6 |       <a href='/'>
 7 |         <%- include('caloogle-logo') %>
 8 |       </a>
 9 |     </h2>
10 | 
11 |     <form action='/search'>
12 |       <input class='searchInput' type='text' name='q' value='<%= rawQ %>' />
13 |       <button type='submit'><%= searchText %></button>
14 |     </form>
15 |   </div>
16 | 
17 |   <p><%= languagesText %>: <a href="<%= enUrl.pathname + enUrl.search %>">English</a> • <a href="<%= esUrl.pathname + esUrl.search %>">Spanish</a> • <a href="<%= deUrl.pathname + deUrl.search %>">German</a></p>
18 | 
19 |   <h3><%= resultsForText %> <%= rawQ %>:</h3>
20 | 
21 |   <div class='results'>
22 |     <% results.forEach(result => { %>
23 |       <p class='result'>
24 |         <a class='title' href='<%= result.url %>'><%= result.title %></a>
25 |         <a class='link' href='<%= result.url %>'><%= result.url %></a>
26 |       </p>
27 |     <% }) %>
28 |   </div>
29 | </div>
30 | 
31 | <script>
32 |   let q = '<%- q %>'
33 |   window.sendAnalytics({
34 |     q,
35 |     screenWidth: window.screen && window.screen.width,
36 |     screenHeight: window.screen && window.screen.height
37 |   })
38 | </script>
39 | 
40 | <%- include('foot') -%>
41 | 


--------------------------------------------------------------------------------
/exercises/06/problem.md:
--------------------------------------------------------------------------------
 1 | Your competitor can't believe how successful your attacks have been. They are eager to put an end to this cat-and-mouse game. So, they decide to hire a security consultant to help them fix the problem with their approach once-and-for-all.
 2 | 
 3 | You decide to put your [social engineering](https://en.wikipedia.org/wiki/Social_engineering_(security)) skills to work and see what you can learn about their newly-hired consultant. After a quick phone call, you're able to learn one critical fact about the consultant: they graduated from UC Berkeley. Your fears are assuaged. With renewed confidence, you take another look at their code to find the inevitable bug you know must exist.
 4 | 
 5 | ```js
 6 | router.get('/search', async (req, res) => {
 7 |   let q = req.query.q
 8 |   if (q == null) q = ''
 9 | 
10 |   let oldQ
11 |   while (q !== oldQ) {
12 |     oldQ = q
13 |     q = q.replace(/script/gi, '')
14 |   }
15 | 
16 |   const results = await getResults(q)
17 |   res.render('caloogle-search-page', { q, results })
18 | })
19 | ```
20 | 
21 | ## Goal
22 | 
23 | Find the XSS vulnerability in the search input field. You should **not** use a `<script>` tag in this attack.
24 | 
25 | <iframe src='http://caloogle.xyz:4060'></iframe>
26 | 
27 | Before you move on to the next exercise, remember to copy your "attack input" into the `SOLUTIONS.md` file.
28 | 


--------------------------------------------------------------------------------
/exercises/15/problem.md:
--------------------------------------------------------------------------------
 1 | Your competitor is looking to improve their user experience and decides to add some analytics tracking code to their website in a `<script>` tag. They're particularly interested in learning what screen resolutions their users have so they can ensure their site looks good on all the devices that their users may be using.
 2 | 
 3 | They decide to also send the user's query along with the screen size, just in case that turns out to be useful later.
 4 | 
 5 | 
 6 | ```html
 7 | <script>
 8 |   let q = 'my cool search'
 9 |   window.sendAnalytics({
10 |     q,
11 |     screenWidth: window.screen && window.screen.width,
12 |     screenHeight: window.screen && window.screen.height
13 |   })
14 | </script>
15 | ```
16 | 
17 | You suspect that they're using the new foolproof `htmlAttributeEscape()` function to ensure that a user can't "break out" of the quotes in the JavaScript code. After all, the function replaces single quote and double quote characters with their respective HTML entities.
18 | 
19 | Is that actually enough?
20 | 
21 | ## Goal
22 | 
23 | Find the XSS vulnerability in the search input field. You can use any HTML tag to run the `success()` function.
24 | 
25 | ## Tip
26 | 
27 | You may need to look at the HTML source of the `<iframe>`.
28 | 
29 | <iframe src='http://caloogle.xyz:4150'></iframe>
30 | 
31 | Before you move on to the next exercise, remember to copy your "attack input" into the `SOLUTIONS.md` file.
32 | 


--------------------------------------------------------------------------------
/server/layout.ejs:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang='en'>
 3 |   <head>
 4 |     <meta charset='utf-8' />
 5 |     <meta name='viewport' content='width=device-width, initial-scale=1, viewport-fit=cover' />
 6 |     <title><%= title %></title>
 7 |     <link href='https://fonts.googleapis.com/css?family=Share+Tech+Mono&display=swap' rel='stylesheet' />
 8 |     <link rel='stylesheet' href='/common.css' />
 9 |     <link rel='stylesheet' href='/workshop.css' />
10 |     <script src='/common.js'></script>
11 |   </head>
12 | 
13 |   <body>
14 |     <div class='root'>
15 |       <nav>
16 |         <%_ exercises.forEach(exercise => { _%>
17 |           <%_ if (exercise.heading) { _%>
18 |             <div class='title'>
19 |               <%= exercise.name %>
20 |             </div>
21 |           <%_ } else { _%>
22 |             <%_ let cls = '' _%>
23 |             <%_ if (exercise.id < config.currentExcercise) cls += ' done' _%>
24 |             <%_ if (exercise.id > config.currentExcercise) cls += ' disabled' _%>
25 |             <a
26 |               data-exercise='<%= exercise.id %>'
27 |               class='exercise <%= cls %>'
28 |               href='/<%= exercise.id %>'
29 |             >
30 |               <%= exercise.id %>. <%= exercise.name %>
31 |             </a>
32 |           <%_ } _%>
33 |         <%_ }) _%>
34 |       </nav>
35 | 
36 |       <main>
37 |         <%- content %>
38 |       </main>
39 |     </div>
40 |   </body>
41 | </html>
42 | 


--------------------------------------------------------------------------------
/exercises/09/problem.md:
--------------------------------------------------------------------------------
 1 | Your competitor is fed up with the lackluster results from the UC Berkeley graduate and decide to hire a Stanford student who has completed [CS 253: Web Security](https://cs253.stanford.edu) instead. They are able to quickly implement a foolproof `htmlElementEscape()` function which defeats your shenanigans once and for all.
 2 | 
 3 | Please read the code for `htmlElementEscape()` and ensure you understand how it works in detail.
 4 | 
 5 | ```js
 6 | function htmlElementEscape (str) {
 7 |   return str
 8 |     // This is not for security, but because '&' is the HTML escape character
 9 |     // and we don't want the user's input to be treated as an escape sequence.
10 |     .replace(/&/g, '&amp;')
11 | 
12 |     // Without the '<' character, no HTML tags an be created.
13 |     .replace(/</g, '&lt;')
14 | }
15 | ```
16 | 
17 | Now all your competitor needs to do is call this function whenever they put untrusted data directly into the HTML body somewhere, i.e. tags like `div`, `p`, `b`, `td`, etc.
18 | 
19 | So, their updated route handler code looks like this now:
20 | 
21 | ```js
22 | router.get('/search', async (req, res) => {
23 |   let q = req.query.q
24 |   if (q == null) q = ''
25 | 
26 |   q = htmlElementEscape(q)
27 | 
28 |   const results = await getResults(q)
29 |   res.render('caloogle-search-page', { q, results })
30 | })
31 | ```
32 | 
33 | It seems like we're out of luck for now...
34 | 
35 | <a href='#' onclick="window.postMessage('success', '*')">Click this link to call success()</a> and complete this exercise.
36 | 


--------------------------------------------------------------------------------
/exercises/08/problem.md:
--------------------------------------------------------------------------------
 1 | The security consultant is getting fed up with all these cat-and-mouse games. They realize that if they prevent you from using certain "critical" characters then all your attacks would stop working.
 2 | 
 3 | They also realize that you've been stealing their source code which has made it much easier for you to figure out the weaknesses in their system. So they've shut down that attack vector. You're going to have to rely on your ingenuity to figure out what their code is doing by trying out different inputs and seeing what ends up in the resulting page's HTML.
 4 | 
 5 | ```js
 6 | router.get('/search', async (req, res) => {
 7 |   // TOP SECRET –– REDACTED
 8 | })
 9 | ```
10 | 
11 | Note: Do not attempt to look at the server's **server-side source code** to see what the `/search` route handler is doing. This is not in the spirit of this exercise. You can, of course, continue to view the HTML source of the pages that the server sends back to the client.
12 | 
13 | ## Goals
14 | 
15 | 1. Find the XSS vulnerability in the search input field. You can use any HTML tag you like.
16 | 
17 | 1. Write out the code that you believe the server must be executing to process the input.
18 | 
19 | ## Tip
20 | 
21 | Try submitting various inputs and then look at the HTML source of the `<iframe>` to figure out what their sanitization code must be doing.
22 | 
23 | <iframe src='http://caloogle.xyz:4080'></iframe>
24 | 
25 | Before you move on to the next exercise, remember to copy your "attack input" as well as your server code into the `SOLUTIONS.md` file.
26 | 


--------------------------------------------------------------------------------
/exercises/common/caloogle-search-page2.ejs:
--------------------------------------------------------------------------------
 1 | <%- include('head') -%>
 2 | 
 3 | <div class='search-page'>
 4 |   <div class='header clearfix'>
 5 |     <h2 class='logo'>
 6 |       <a href='/'>
 7 |         <%- include('caloogle-logo') %>
 8 |       </a>
 9 |     </h2>
10 | 
11 |     <form action='/search'>
12 |       <input class='searchInput' type='text' name='q' value='<%= rawQ %>' />
13 |       <button type='submit'>Search</button>
14 |     </form>
15 |   </div>
16 | 
17 |   <h3>Results for <%= rawQ %>:</h3>
18 | 
19 |   <p>Our results are the best! If you don't believe us check out the competition:</p>
20 | 
21 |   <ul class='competition'>
22 |     <li>
23 |       <a href="https://www.youtube.com/watch?v=pxw-5qfJ1dk" target="_blank">
24 |         <img src="Stanfoogle.gif" alt="Search for <%- q %> on Stanfoogle" />
25 |       </a>
26 |     </li>
27 | 
28 |     <li>
29 |       <a href="https://www.youtube.com/watch?v=kxopViU98Xo" target="_blank">
30 |         <img src="cornelly.png" alt="Search for <%- q %> on Cornell.ly" />
31 |       </a>
32 |     </li>
33 | 
34 |     <li>
35 |       <a href="https://www.youtube.com/watch?v=SQoA_wjmE9w" target="_blank">
36 |         <img src="hrvrdio.png" alt="Search for <%- q %> on Hrvrd.io" />
37 |       </a>
38 |     </li>
39 |   </ul>
40 | 
41 |   <div class='results'>
42 |     <% results.forEach(result => { %>
43 |       <p class='result'>
44 |         <a class='title' href='<%= result.url %>'><%= result.title %></a>
45 |         <a class='link' href='<%= result.url %>'><%= result.url %></a>
46 |       </p>
47 |     <% }) %>
48 |   </div>
49 | </div>
50 | 
51 | <%- include('foot') -%>
52 | 


--------------------------------------------------------------------------------
/exercises/common/caloogle-search-page3.ejs:
--------------------------------------------------------------------------------
 1 | <%- include('head') -%>
 2 | 
 3 | <div class='search-page'>
 4 |   <div class='header clearfix'>
 5 |     <h2 class='logo'>
 6 |       <a href='/'>
 7 |         <%- include('caloogle-logo') %>
 8 |       </a>
 9 |     </h2>
10 | 
11 |     <form action='/search'>
12 |       <input class='searchInput' type='text' name='q' value='<%= rawQ %>' />
13 |       <button type='submit'>Search</button>
14 |     </form>
15 |   </div>
16 | 
17 |   <h3>Results for <%= rawQ %>:</h3>
18 | 
19 |   <p>Our results are the best! If you don't believe us check out the competition:</p>
20 | 
21 |   <ul class='competition'>
22 |     <li>
23 |       <a href="https://www.youtube.com/watch?v=pxw-5qfJ1dk" target="_blank">
24 |         <img src="Stanfoogle.gif" alt="Search for <%- q %> on Stanfoogle" />
25 |       </a>
26 |     </li>
27 | 
28 |     <li>
29 |       <a href="https://www.youtube.com/watch?v=kxopViU98Xo" target="_blank">
30 |         <img src="cornelly.png" alt="Search for <%- q %> on Cornell.ly" />
31 |       </a>
32 |     </li>
33 | 
34 |     <li>
35 |       <a href="https://www.youtube.com/watch?v=SQoA_wjmE9w" target="_blank">
36 |         <img src="hrvrdio.png" alt='Search for <%- q %> on Hrvrd.io' />
37 |       </a>
38 |     </li>
39 |   </ul>
40 | 
41 |   <div class='results'>
42 |     <% results.forEach(result => { %>
43 |       <p class='result'>
44 |         <a class='title' href='<%= result.url %>'><%= result.title %></a>
45 |         <a class='link' href='<%= result.url %>'><%= result.url %></a>
46 |       </p>
47 |     <% }) %>
48 |   </div>
49 | </div>
50 | 
51 | <%- include('foot') -%>
52 | 


--------------------------------------------------------------------------------
/exercises/exercises.json:
--------------------------------------------------------------------------------
 1 | [
 2 |   { "heading": true, "name": "Journey to the Dark Side" },
 3 | 
 4 |   { "id": 0, "server": false, "name": "Welcome" },
 5 | 
 6 |   { "heading": true, "name": "Cross Site Scripting into HTML tags" },
 7 | 
 8 |   { "id": 1, "name": "A Truly Disruptive Startup" },
 9 |   { "id": 2, "name": "No Script Allowed" },
10 |   { "id": 3, "name": "One More Time, Like You Mean It" },
11 |   { "id": 4, "name": "An Open-and-Shut Case" },
12 |   { "id": 5, "name": "Time to Mix Things Up" },
13 |   { "id": 6, "name": "A Picture is Worth a Thousand Words" },
14 |   { "id": 7, "name": "Between a Rock And a Hard Place" },
15 |   { "id": 8, "name": "Angle of Death" },
16 |   { "id": 9, "server": false, "name": "All in a Day's Work" },
17 | 
18 |   { "heading": true, "name": "Cross Site Scripting into HTML Attributes" },
19 | 
20 |   { "id": 10, "name": "In the Wrong Place at the Wrong Time" },
21 |   { "id": 11, "name": "You Can't Win 'em All" },
22 |   { "id": 12, "name": "When All is Said and Done" },
23 |   { "id": 13, "server": false, "name": "When You Want a Job Done Right" },
24 |   { "id": 14, "name": "Here Today and Gone Tomorrow" },
25 | 
26 |   { "heading": true, "name": "Cross Site Scripting into <script> Tags" },
27 | 
28 |   { "id": 15, "name": "The Early Bird Catches the Worm" },
29 |   { "id": 16, "name": "Tying Up Loose Ends" },
30 | 
31 |   { "heading": true, "name": "Cross Site Scripting into Event Handlers" },
32 | 
33 |   { "id": 17, "name": "Take a Page Out of Their Book" },
34 | 
35 |   { "heading": true, "name": "Congrats" },
36 | 
37 |   { "id": 18, "server": false, "name": "A Penny For Your Thoughts" }
38 | ]
39 | 


--------------------------------------------------------------------------------
/exercises/14/problem.md:
--------------------------------------------------------------------------------
 1 | Your competitor realizes their mistake and quickly fixes it. All is well for a while.
 2 | 
 3 | But soon they have another new feature lanuch. They've added support for the Spanish and German languages to the search page. They're clearly intent on expanding their reach to the international market.
 4 | 
 5 | However, a new feature usually means lots of new code. And lots of new code means lots of new potential bugs. You decide to take a closer look at the new language feature they added to see what you can find.
 6 | 
 7 | On an unrelated note, today you had a brief moment of doubt about continually attacking your competitor's websites. You wondered if it was actually a good idea. But the moment was brief and soon your good sense returns. You put on your black hat, open the DevTools, and [start some hacking](https://www.youtube.com/watch?v=0PxTAn4g20U).
 8 | 
 9 | ## Goal
10 | 
11 | Find the XSS vulnerability in their code. Unlike previous exercises, it may not be enough to simply type into the search input. You may need to modify the URL itself.
12 | 
13 | Please save the **attack URL** that causes an XSS when the victim visits it.
14 | 
15 | ## Tip
16 | 
17 | If you've found a solution that works, you should be able to paste this **attack URL** into a new tab and see the attack execute.
18 | 
19 | Lesson learned: even if a server would never generate an vulnerable URL and place it into the HTML, that's no guarantee that an attacker won't find this vulnerable URL and entice users to visit it somehow.
20 | 
21 | <iframe src='http://caloogle.xyz:4140'></iframe>
22 | 
23 | Before you move on to the next exercise, remember to copy your **attack URL** into the `SOLUTIONS.md` file.
24 | 


--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "assign1",
 3 |   "description": "assign1",
 4 |   "version": "1.0.0",
 5 |   "author": {
 6 |     "name": "Feross Aboukhadijeh",
 7 |     "email": "feross@feross.org",
 8 |     "url": "https://feross.org"
 9 |   },
10 |   "bugs": {
11 |     "url": "https://github.com/stanford-web-security/discussion/issues"
12 |   },
13 |   "dependencies": {
14 |     "application-config": "^1.0.1",
15 |     "body-parser": "^1.19.0",
16 |     "cors": "^2.8.5",
17 |     "ejs": "^2.7.1",
18 |     "express": "^4.17.1",
19 |     "express-promise-router": "^3.0.3",
20 |     "got": "^9.6.0",
21 |     "minimist": "^1.2.0",
22 |     "open": "^6.4.0",
23 |     "remark": "^11.0.1",
24 |     "remark-external-links": "^5.0.0",
25 |     "remark-highlight.js": "^5.1.1",
26 |     "remark-html": "^10.0.0",
27 |     "remark-preset-lint-recommended": "^3.0.3"
28 |   },
29 |   "devDependencies": {
30 |     "nodemon": "^1.19.2",
31 |     "snazzy": "^8.0.0",
32 |     "standard": "^14.2.0",
33 |     "standard-markdown": "^5.1.0",
34 |     "tap-spec": "^5.0.0",
35 |     "tape": "^4.11.0"
36 |   },
37 |   "homepage": "https://cs253.stanford.edu",
38 |   "keywords": [],
39 |   "license": "MIT",
40 |   "main": "server/index.js",
41 |   "private": true,
42 |   "repository": {
43 |     "type": "git",
44 |     "url": "git://github.com/stanford-web-security/assign1.git"
45 |   },
46 |   "scripts": {
47 |     "lint": "standard | snazzy && standard-markdown **/*.md",
48 |     "lint-fix": "standard --fix | snazzy && standard-markdown **/*.md --fix",
49 |     "start": "node server",
50 |     "test": "npm run lint && tape test/*.js | tap-spec",
51 |     "watch": "nodemon --ext js,json,css,ejs,md -- --no-open"
52 |   }
53 | }
54 | 


--------------------------------------------------------------------------------
/exercises/common/caloogle-guestbook-page.ejs:
--------------------------------------------------------------------------------
 1 | <%- include('head3') -%>
 2 | 
 3 | <div class='guestbook-page'>
 4 |   <h1>
 5 |     <%- include('caloogle-logo') %>
 6 |   </h1>
 7 | 
 8 |   <h2><marquee>Welcome to our Guestbook</marquee></h2>
 9 | 
10 |   <form class='animated pulse infinite commentForm'>
11 |     <h2>Post a comment</h2>
12 |     <input class='commentInput' type='text' name='comment' />
13 |     <br />
14 |     <button type='submit'>Submit Comment</button>
15 |   </form>
16 | 
17 |   <br><br>
18 | 
19 |   <h2>Comments</h2>
20 |   <%_ comments.forEach(comment => { _%>
21 |     <p onmouseover='wiggle(<%= comment.id %>)'>
22 |       <%= comment.text %>
23 |     </p>
24 |   <%_ }) _%>
25 | 
26 |   <script>
27 |     window.wiggle = (id) => {
28 |       const e = window.event
29 | 
30 |       console.log(`wiggling comment ${id}`)
31 | 
32 |       e.target.classList.add('animated', 'jello')
33 |       setTimeout(() => {
34 |         e.target.classList.remove('animated', 'jello')
35 |       }, 1000)
36 |     }
37 | 
38 |     const $commentForm = document.querySelector('.commentForm')
39 |     const $commentInput = document.querySelector('.commentInput')
40 | 
41 |     $commentForm.addEventListener('submit', async e => {
42 |       e.preventDefault()
43 | 
44 |       const comment = {
45 |         text: $commentInput.value,
46 |         id: null // let server fill this in
47 |       }
48 | 
49 |       await window.fetch('/comment', {
50 |         method: 'POST',
51 |         headers: {
52 |           'Content-Type': 'application/json'
53 |         },
54 |         body: JSON.stringify(comment)
55 |       })
56 | 
57 |       window.location.reload()
58 |     })
59 |   </script>
60 | </div>
61 | 
62 | <%- include('foot') -%>
63 | 


--------------------------------------------------------------------------------
/exercises/13/problem.md:
--------------------------------------------------------------------------------
 1 | Fed up with the lackluster results defending against your attacks, your competitor hires a Stanford student who has completed [CS 253: Web Security](https://cs253.stanford.edu) again. Later, you'll have to have a talk with these students about working for your enemies.
 2 | 
 3 | In the meantime, your competitors is able to implement a foolproof `htmlAttributeEscape()` function which defeats you for now... 😔
 4 | 
 5 | Please read the code for `htmlAttributeEscape()` and ensure you understand how it works in detail.
 6 | 
 7 | ```js
 8 | function htmlAttributeEscape (str) {
 9 |   return str
10 |     // This is not for security, but because '&' is the HTML escape character
11 |     // and we don't want the user's input to be treated as an escape sequence.
12 |     .replace(/&/g, '&amp;')
13 | 
14 |     // Without the single quote character, the attacker cannot escape from
15 |     // inside a single-quoted HTML attribute.
16 |     .replace(/'/g, '&apos;')
17 | 
18 |     // Without the double quote character, the attacker cannot escape from
19 |     // inside a double-quoted HTML attribute.
20 |     .replace(/"/g, '&quot;')
21 | }
22 | ```
23 | 
24 | Now all your competitor needs to do is call this function whenever they put untrusted data directly into HTML attributes i.e. `<div class='UNTRUSED INPUT HERE'>`.
25 | 
26 | So, their updated route handler code looks like this now:
27 | 
28 | ```js
29 | router.get('/search', async (req, res) => {
30 |   let q = req.query.q
31 |   if (q == null) q = ''
32 | 
33 |   q = htmlAttributeEscape(q)
34 | 
35 |   const results = await getResults(q)
36 |   res.render('caloogle-search-page', { q, results })
37 | })
38 | ```
39 | 
40 | It seems like we're out of luck for now...
41 | 
42 | <a href='#' onclick="window.postMessage('success', '*')">Click this link to call success()</a> and complete this exercise.
43 | 


--------------------------------------------------------------------------------
/exercises/10/problem.md:
--------------------------------------------------------------------------------
 1 | Your competitor's `htmlElementEscape()` function is working quite well and you haven't been able to attack their users in the wild ever since they deployed it. It's a lot harder to disrupt the status quo like world-changing startup when you can't XSS your competitors. Now, you're beginning to worry that you might not be able to get that next round of funding. This is a huge bummer.
 2 | 
 3 | Fortunately, your competitor just deployed a new version of their site that includes a brand new feature. Perhaps there's a new XSS vulnerability in it?
 4 | 
 5 | The feature is called "Competitor Comparison" and it includes links to competitor search engines so that users can compare search results and decide which search engine is best. Clearly, they feel pretty confident that their results are the best.
 6 | 
 7 | They appear to be using the foolproof `htmlElementEscape()` function written for them by the Stanford CS 253 student to generate the HTML for these links so you think they're guaranteed to be safe:
 8 | 
 9 | ```js
10 | router.get('/search', async (req, res) => {
11 |   let q = req.query.q
12 |   if (q == null) q = ''
13 | 
14 |   q = htmlElementEscape(q)
15 | 
16 |   const results = await getResults(q)
17 |   res.render('caloogle-search-page', { q, results })
18 | })
19 | ```
20 | 
21 | But upon closer inspection, it appears that they're not using the function correctly. Time to teach them another lesson!
22 | 
23 | ## Goal
24 | 
25 | Find the XSS vulnerability in the search input field. You can use any HTML you want to run the `success()` function.
26 | 
27 | ## Tip
28 | 
29 | Try submitting various inputs and then look at the HTML source of the `<iframe>` to figure out how the "sanitized" user input interacts with the context of the HTML source.
30 | 
31 | <iframe src='http://caloogle.xyz:4100'></iframe>
32 | 
33 | Before you move on to the next exercise, remember to copy your "attack input" into the `SOLUTIONS.md` file.
34 | 


--------------------------------------------------------------------------------
/exercises/01/server.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  *    SSSSSSSSSSSSSSS TTTTTTTTTTTTTTTTTTTTTTT     OOOOOOOOO     PPPPPPPPPPPPPPPPP
 3 |  *  SS:::::::::::::::ST:::::::::::::::::::::T   OO:::::::::OO   P::::::::::::::::P
 4 |  * S:::::SSSSSS::::::ST:::::::::::::::::::::T OO:::::::::::::OO P::::::PPPPPP:::::P
 5 |  * S:::::S     SSSSSSST:::::TT:::::::TT:::::TO:::::::OOO:::::::OPP:::::P     P:::::P
 6 |  * S:::::S            TTTTTT  T:::::T  TTTTTTO::::::O   O::::::O  P::::P     P:::::P
 7 |  * S:::::S                    T:::::T        O:::::O     O:::::O  P::::P     P:::::P
 8 |  *  S::::SSSS                 T:::::T        O:::::O     O:::::O  P::::PPPPPP:::::P
 9 |  *   SS::::::SSSSS            T:::::T        O:::::O     O:::::O  P:::::::::::::PP
10 |  *     SSS::::::::SS          T:::::T        O:::::O     O:::::O  P::::PPPPPPPPP
11 |  *        SSSSSS::::S         T:::::T        O:::::O     O:::::O  P::::P
12 |  *             S:::::S        T:::::T        O:::::O     O:::::O  P::::P
13 |  *             S:::::S        T:::::T        O::::::O   O::::::O  P::::P
14 |  * SSSSSSS     S:::::S      TT:::::::TT      O:::::::OOO:::::::OPP::::::PP
15 |  * S::::::SSSSSS:::::S      T:::::::::T       OO:::::::::::::OO P::::::::P
16 |  * S:::::::::::::::SS       T:::::::::T         OO:::::::::OO   P::::::::P
17 |  *  SSSSSSSSSSSSSSS         TTTTTTTTTTT           OOOOOOOOO     PPPPPPPPPP
18 |  *
19 |  *
20 |  * Please don't read this code. Reading this code is not in the spirit of the
21 |  * assignment. You'll learn less and you'll also be letting us down. So please
22 |  * just attempt the assignment without looking at these files. We trust you to
23 |  * act honestly. Thanks! <3
24 |  *
25 |  *                              - Feross and the CS 253 course staff
26 |  */
27 | 
28 | const { createServer } = require('../common/server')
29 | const { getResults } = require('../common/caloogle')
30 | 
31 | const { router } = createServer(4010, __dirname)
32 | 
33 | router.get('/', async (req, res) => {
34 |   res.render('caloogle-home-page')
35 | })
36 | 
37 | router.get('/search', async (req, res) => {
38 |   let q = req.query.q
39 |   if (q == null) q = ''
40 | 
41 |   const results = await getResults(q)
42 |   res.render('caloogle-search-page', { q, results })
43 | })
44 | 


--------------------------------------------------------------------------------
/exercises/02/server.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  *    SSSSSSSSSSSSSSS TTTTTTTTTTTTTTTTTTTTTTT     OOOOOOOOO     PPPPPPPPPPPPPPPPP
 3 |  *  SS:::::::::::::::ST:::::::::::::::::::::T   OO:::::::::OO   P::::::::::::::::P
 4 |  * S:::::SSSSSS::::::ST:::::::::::::::::::::T OO:::::::::::::OO P::::::PPPPPP:::::P
 5 |  * S:::::S     SSSSSSST:::::TT:::::::TT:::::TO:::::::OOO:::::::OPP:::::P     P:::::P
 6 |  * S:::::S            TTTTTT  T:::::T  TTTTTTO::::::O   O::::::O  P::::P     P:::::P
 7 |  * S:::::S                    T:::::T        O:::::O     O:::::O  P::::P     P:::::P
 8 |  *  S::::SSSS                 T:::::T        O:::::O     O:::::O  P::::PPPPPP:::::P
 9 |  *   SS::::::SSSSS            T:::::T        O:::::O     O:::::O  P:::::::::::::PP
10 |  *     SSS::::::::SS          T:::::T        O:::::O     O:::::O  P::::PPPPPPPPP
11 |  *        SSSSSS::::S         T:::::T        O:::::O     O:::::O  P::::P
12 |  *             S:::::S        T:::::T        O:::::O     O:::::O  P::::P
13 |  *             S:::::S        T:::::T        O::::::O   O::::::O  P::::P
14 |  * SSSSSSS     S:::::S      TT:::::::TT      O:::::::OOO:::::::OPP::::::PP
15 |  * S::::::SSSSSS:::::S      T:::::::::T       OO:::::::::::::OO P::::::::P
16 |  * S:::::::::::::::SS       T:::::::::T         OO:::::::::OO   P::::::::P
17 |  *  SSSSSSSSSSSSSSS         TTTTTTTTTTT           OOOOOOOOO     PPPPPPPPPP
18 |  *
19 |  *
20 |  * Please don't read this code. Reading this code is not in the spirit of the
21 |  * assignment. You'll learn less and you'll also be letting us down. So please
22 |  * just attempt the assignment without looking at these files. We trust you to
23 |  * act honestly. Thanks! <3
24 |  *
25 |  *                              - Feross and the CS 253 course staff
26 |  */
27 | 
28 | const { createServer } = require('../common/server')
29 | const { getResults } = require('../common/caloogle')
30 | 
31 | const { router } = createServer(4020, __dirname)
32 | 
33 | router.get('/', async (req, res) => {
34 |   res.render('caloogle-home-page')
35 | })
36 | 
37 | router.get('/search', async (req, res) => {
38 |   let q = req.query.q
39 |   if (q == null) q = ''
40 | 
41 |   q = q.replace(/script/i, '')
42 | 
43 |   const results = await getResults(q)
44 |   res.render('caloogle-search-page', { q, results })
45 | })
46 | 


--------------------------------------------------------------------------------
/exercises/03/server.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  *    SSSSSSSSSSSSSSS TTTTTTTTTTTTTTTTTTTTTTT     OOOOOOOOO     PPPPPPPPPPPPPPPPP
 3 |  *  SS:::::::::::::::ST:::::::::::::::::::::T   OO:::::::::OO   P::::::::::::::::P
 4 |  * S:::::SSSSSS::::::ST:::::::::::::::::::::T OO:::::::::::::OO P::::::PPPPPP:::::P
 5 |  * S:::::S     SSSSSSST:::::TT:::::::TT:::::TO:::::::OOO:::::::OPP:::::P     P:::::P
 6 |  * S:::::S            TTTTTT  T:::::T  TTTTTTO::::::O   O::::::O  P::::P     P:::::P
 7 |  * S:::::S                    T:::::T        O:::::O     O:::::O  P::::P     P:::::P
 8 |  *  S::::SSSS                 T:::::T        O:::::O     O:::::O  P::::PPPPPP:::::P
 9 |  *   SS::::::SSSSS            T:::::T        O:::::O     O:::::O  P:::::::::::::PP
10 |  *     SSS::::::::SS          T:::::T        O:::::O     O:::::O  P::::PPPPPPPPP
11 |  *        SSSSSS::::S         T:::::T        O:::::O     O:::::O  P::::P
12 |  *             S:::::S        T:::::T        O:::::O     O:::::O  P::::P
13 |  *             S:::::S        T:::::T        O::::::O   O::::::O  P::::P
14 |  * SSSSSSS     S:::::S      TT:::::::TT      O:::::::OOO:::::::OPP::::::PP
15 |  * S::::::SSSSSS:::::S      T:::::::::T       OO:::::::::::::OO P::::::::P
16 |  * S:::::::::::::::SS       T:::::::::T         OO:::::::::OO   P::::::::P
17 |  *  SSSSSSSSSSSSSSS         TTTTTTTTTTT           OOOOOOOOO     PPPPPPPPPP
18 |  *
19 |  *
20 |  * Please don't read this code. Reading this code is not in the spirit of the
21 |  * assignment. You'll learn less and you'll also be letting us down. So please
22 |  * just attempt the assignment without looking at these files. We trust you to
23 |  * act honestly. Thanks! <3
24 |  *
25 |  *                              - Feross and the CS 253 course staff
26 |  */
27 | 
28 | const { createServer } = require('../common/server')
29 | const { getResults } = require('../common/caloogle')
30 | 
31 | const { router } = createServer(4030, __dirname)
32 | 
33 | router.get('/', async (req, res) => {
34 |   res.render('caloogle-home-page')
35 | })
36 | 
37 | router.get('/search', async (req, res) => {
38 |   let q = req.query.q
39 |   if (q == null) q = ''
40 | 
41 |   q = q.replace(/script/gi, '')
42 | 
43 |   const results = await getResults(q)
44 |   res.render('caloogle-search-page', { q, results })
45 | })
46 | 


--------------------------------------------------------------------------------
/exercises/08/server.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  *    SSSSSSSSSSSSSSS TTTTTTTTTTTTTTTTTTTTTTT     OOOOOOOOO     PPPPPPPPPPPPPPPPP
 3 |  *  SS:::::::::::::::ST:::::::::::::::::::::T   OO:::::::::OO   P::::::::::::::::P
 4 |  * S:::::SSSSSS::::::ST:::::::::::::::::::::T OO:::::::::::::OO P::::::PPPPPP:::::P
 5 |  * S:::::S     SSSSSSST:::::TT:::::::TT:::::TO:::::::OOO:::::::OPP:::::P     P:::::P
 6 |  * S:::::S            TTTTTT  T:::::T  TTTTTTO::::::O   O::::::O  P::::P     P:::::P
 7 |  * S:::::S                    T:::::T        O:::::O     O:::::O  P::::P     P:::::P
 8 |  *  S::::SSSS                 T:::::T        O:::::O     O:::::O  P::::PPPPPP:::::P
 9 |  *   SS::::::SSSSS            T:::::T        O:::::O     O:::::O  P:::::::::::::PP
10 |  *     SSS::::::::SS          T:::::T        O:::::O     O:::::O  P::::PPPPPPPPP
11 |  *        SSSSSS::::S         T:::::T        O:::::O     O:::::O  P::::P
12 |  *             S:::::S        T:::::T        O:::::O     O:::::O  P::::P
13 |  *             S:::::S        T:::::T        O::::::O   O::::::O  P::::P
14 |  * SSSSSSS     S:::::S      TT:::::::TT      O:::::::OOO:::::::OPP::::::PP
15 |  * S::::::SSSSSS:::::S      T:::::::::T       OO:::::::::::::OO P::::::::P
16 |  * S:::::::::::::::SS       T:::::::::T         OO:::::::::OO   P::::::::P
17 |  *  SSSSSSSSSSSSSSS         TTTTTTTTTTT           OOOOOOOOO     PPPPPPPPPP
18 |  *
19 |  *
20 |  * Please don't read this code. Reading this code is not in the spirit of the
21 |  * assignment. You'll learn less and you'll also be letting us down. So please
22 |  * just attempt the assignment without looking at these files. We trust you to
23 |  * act honestly. Thanks! <3
24 |  *
25 |  *                              - Feross and the CS 253 course staff
26 |  */
27 | 
28 | const { createServer } = require('../common/server')
29 | const { getResults } = require('../common/caloogle')
30 | 
31 | const { router } = createServer(4080, __dirname)
32 | 
33 | router.get('/', async (req, res) => {
34 |   res.render('caloogle-home-page')
35 | })
36 | 
37 | router.get('/search', async (req, res) => {
38 |   let q = req.query.q
39 |   if (q == null) q = ''
40 | 
41 |   q = q.replace(/</, '').replace(/>/, '')
42 | 
43 |   const results = await getResults(q)
44 |   res.render('caloogle-search-page', { q, results })
45 | })
46 | 


--------------------------------------------------------------------------------
/exercises/11/server.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  *    SSSSSSSSSSSSSSS TTTTTTTTTTTTTTTTTTTTTTT     OOOOOOOOO     PPPPPPPPPPPPPPPPP
 3 |  *  SS:::::::::::::::ST:::::::::::::::::::::T   OO:::::::::OO   P::::::::::::::::P
 4 |  * S:::::SSSSSS::::::ST:::::::::::::::::::::T OO:::::::::::::OO P::::::PPPPPP:::::P
 5 |  * S:::::S     SSSSSSST:::::TT:::::::TT:::::TO:::::::OOO:::::::OPP:::::P     P:::::P
 6 |  * S:::::S            TTTTTT  T:::::T  TTTTTTO::::::O   O::::::O  P::::P     P:::::P
 7 |  * S:::::S                    T:::::T        O:::::O     O:::::O  P::::P     P:::::P
 8 |  *  S::::SSSS                 T:::::T        O:::::O     O:::::O  P::::PPPPPP:::::P
 9 |  *   SS::::::SSSSS            T:::::T        O:::::O     O:::::O  P:::::::::::::PP
10 |  *     SSS::::::::SS          T:::::T        O:::::O     O:::::O  P::::PPPPPPPPP
11 |  *        SSSSSS::::S         T:::::T        O:::::O     O:::::O  P::::P
12 |  *             S:::::S        T:::::T        O:::::O     O:::::O  P::::P
13 |  *             S:::::S        T:::::T        O::::::O   O::::::O  P::::P
14 |  * SSSSSSS     S:::::S      TT:::::::TT      O:::::::OOO:::::::OPP::::::PP
15 |  * S::::::SSSSSS:::::S      T:::::::::T       OO:::::::::::::OO P::::::::P
16 |  * S:::::::::::::::SS       T:::::::::T         OO:::::::::OO   P::::::::P
17 |  *  SSSSSSSSSSSSSSS         TTTTTTTTTTT           OOOOOOOOO     PPPPPPPPPP
18 |  *
19 |  *
20 |  * Please don't read this code. Reading this code is not in the spirit of the
21 |  * assignment. You'll learn less and you'll also be letting us down. So please
22 |  * just attempt the assignment without looking at these files. We trust you to
23 |  * act honestly. Thanks! <3
24 |  *
25 |  *                              - Feross and the CS 253 course staff
26 |  */
27 | 
28 | const { createServer } = require('../common/server')
29 | const { getResults } = require('../common/caloogle')
30 | 
31 | const { router } = createServer(4110, __dirname)
32 | 
33 | router.get('/', async (req, res) => {
34 |   res.render('caloogle-home-page')
35 | })
36 | 
37 | router.get('/search', async (req, res) => {
38 |   let q = req.query.q
39 |   if (q == null) q = ''
40 | 
41 |   const rawQ = q
42 |   q = q.replace(/"/, '&quot;')
43 | 
44 |   const results = await getResults(q)
45 |   res.render('caloogle-search-page2', { q, rawQ, results })
46 | })
47 | 


--------------------------------------------------------------------------------
/exercises/12/server.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  *    SSSSSSSSSSSSSSS TTTTTTTTTTTTTTTTTTTTTTT     OOOOOOOOO     PPPPPPPPPPPPPPPPP
 3 |  *  SS:::::::::::::::ST:::::::::::::::::::::T   OO:::::::::OO   P::::::::::::::::P
 4 |  * S:::::SSSSSS::::::ST:::::::::::::::::::::T OO:::::::::::::OO P::::::PPPPPP:::::P
 5 |  * S:::::S     SSSSSSST:::::TT:::::::TT:::::TO:::::::OOO:::::::OPP:::::P     P:::::P
 6 |  * S:::::S            TTTTTT  T:::::T  TTTTTTO::::::O   O::::::O  P::::P     P:::::P
 7 |  * S:::::S                    T:::::T        O:::::O     O:::::O  P::::P     P:::::P
 8 |  *  S::::SSSS                 T:::::T        O:::::O     O:::::O  P::::PPPPPP:::::P
 9 |  *   SS::::::SSSSS            T:::::T        O:::::O     O:::::O  P:::::::::::::PP
10 |  *     SSS::::::::SS          T:::::T        O:::::O     O:::::O  P::::PPPPPPPPP
11 |  *        SSSSSS::::S         T:::::T        O:::::O     O:::::O  P::::P
12 |  *             S:::::S        T:::::T        O:::::O     O:::::O  P::::P
13 |  *             S:::::S        T:::::T        O::::::O   O::::::O  P::::P
14 |  * SSSSSSS     S:::::S      TT:::::::TT      O:::::::OOO:::::::OPP::::::PP
15 |  * S::::::SSSSSS:::::S      T:::::::::T       OO:::::::::::::OO P::::::::P
16 |  * S:::::::::::::::SS       T:::::::::T         OO:::::::::OO   P::::::::P
17 |  *  SSSSSSSSSSSSSSS         TTTTTTTTTTT           OOOOOOOOO     PPPPPPPPPP
18 |  *
19 |  *
20 |  * Please don't read this code. Reading this code is not in the spirit of the
21 |  * assignment. You'll learn less and you'll also be letting us down. So please
22 |  * just attempt the assignment without looking at these files. We trust you to
23 |  * act honestly. Thanks! <3
24 |  *
25 |  *                              - Feross and the CS 253 course staff
26 |  */
27 | 
28 | const { createServer } = require('../common/server')
29 | const { getResults } = require('../common/caloogle')
30 | 
31 | const { router } = createServer(4120, __dirname)
32 | 
33 | router.get('/', async (req, res) => {
34 |   res.render('caloogle-home-page')
35 | })
36 | 
37 | router.get('/search', async (req, res) => {
38 |   let q = req.query.q
39 |   if (q == null) q = ''
40 | 
41 |   const rawQ = q
42 |   q = q.replace(/"/g, '&quot;')
43 | 
44 |   const results = await getResults(q)
45 |   res.render('caloogle-search-page3', { q, rawQ, results })
46 | })
47 | 


--------------------------------------------------------------------------------
/exercises/10/server.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  *    SSSSSSSSSSSSSSS TTTTTTTTTTTTTTTTTTTTTTT     OOOOOOOOO     PPPPPPPPPPPPPPPPP
 3 |  *  SS:::::::::::::::ST:::::::::::::::::::::T   OO:::::::::OO   P::::::::::::::::P
 4 |  * S:::::SSSSSS::::::ST:::::::::::::::::::::T OO:::::::::::::OO P::::::PPPPPP:::::P
 5 |  * S:::::S     SSSSSSST:::::TT:::::::TT:::::TO:::::::OOO:::::::OPP:::::P     P:::::P
 6 |  * S:::::S            TTTTTT  T:::::T  TTTTTTO::::::O   O::::::O  P::::P     P:::::P
 7 |  * S:::::S                    T:::::T        O:::::O     O:::::O  P::::P     P:::::P
 8 |  *  S::::SSSS                 T:::::T        O:::::O     O:::::O  P::::PPPPPP:::::P
 9 |  *   SS::::::SSSSS            T:::::T        O:::::O     O:::::O  P:::::::::::::PP
10 |  *     SSS::::::::SS          T:::::T        O:::::O     O:::::O  P::::PPPPPPPPP
11 |  *        SSSSSS::::S         T:::::T        O:::::O     O:::::O  P::::P
12 |  *             S:::::S        T:::::T        O:::::O     O:::::O  P::::P
13 |  *             S:::::S        T:::::T        O::::::O   O::::::O  P::::P
14 |  * SSSSSSS     S:::::S      TT:::::::TT      O:::::::OOO:::::::OPP::::::PP
15 |  * S::::::SSSSSS:::::S      T:::::::::T       OO:::::::::::::OO P::::::::P
16 |  * S:::::::::::::::SS       T:::::::::T         OO:::::::::OO   P::::::::P
17 |  *  SSSSSSSSSSSSSSS         TTTTTTTTTTT           OOOOOOOOO     PPPPPPPPPP
18 |  *
19 |  *
20 |  * Please don't read this code. Reading this code is not in the spirit of the
21 |  * assignment. You'll learn less and you'll also be letting us down. So please
22 |  * just attempt the assignment without looking at these files. We trust you to
23 |  * act honestly. Thanks! <3
24 |  *
25 |  *                              - Feross and the CS 253 course staff
26 |  */
27 | 
28 | const { createServer } = require('../common/server')
29 | const { getResults, htmlElementEscape } = require('../common/caloogle')
30 | 
31 | const { router } = createServer(4100, __dirname)
32 | 
33 | router.get('/', async (req, res) => {
34 |   res.render('caloogle-home-page')
35 | })
36 | 
37 | router.get('/search', async (req, res) => {
38 |   let q = req.query.q
39 |   if (q == null) q = ''
40 | 
41 |   const rawQ = q
42 |   q = htmlElementEscape(q)
43 | 
44 |   const results = await getResults(q)
45 |   res.render('caloogle-search-page2', { q, rawQ, results })
46 | })
47 | 


--------------------------------------------------------------------------------
/exercises/04/server.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  *    SSSSSSSSSSSSSSS TTTTTTTTTTTTTTTTTTTTTTT     OOOOOOOOO     PPPPPPPPPPPPPPPPP
 3 |  *  SS:::::::::::::::ST:::::::::::::::::::::T   OO:::::::::OO   P::::::::::::::::P
 4 |  * S:::::SSSSSS::::::ST:::::::::::::::::::::T OO:::::::::::::OO P::::::PPPPPP:::::P
 5 |  * S:::::S     SSSSSSST:::::TT:::::::TT:::::TO:::::::OOO:::::::OPP:::::P     P:::::P
 6 |  * S:::::S            TTTTTT  T:::::T  TTTTTTO::::::O   O::::::O  P::::P     P:::::P
 7 |  * S:::::S                    T:::::T        O:::::O     O:::::O  P::::P     P:::::P
 8 |  *  S::::SSSS                 T:::::T        O:::::O     O:::::O  P::::PPPPPP:::::P
 9 |  *   SS::::::SSSSS            T:::::T        O:::::O     O:::::O  P:::::::::::::PP
10 |  *     SSS::::::::SS          T:::::T        O:::::O     O:::::O  P::::PPPPPPPPP
11 |  *        SSSSSS::::S         T:::::T        O:::::O     O:::::O  P::::P
12 |  *             S:::::S        T:::::T        O:::::O     O:::::O  P::::P
13 |  *             S:::::S        T:::::T        O::::::O   O::::::O  P::::P
14 |  * SSSSSSS     S:::::S      TT:::::::TT      O:::::::OOO:::::::OPP::::::PP
15 |  * S::::::SSSSSS:::::S      T:::::::::T       OO:::::::::::::OO P::::::::P
16 |  * S:::::::::::::::SS       T:::::::::T         OO:::::::::OO   P::::::::P
17 |  *  SSSSSSSSSSSSSSS         TTTTTTTTTTT           OOOOOOOOO     PPPPPPPPPP
18 |  *
19 |  *
20 |  * Please don't read this code. Reading this code is not in the spirit of the
21 |  * assignment. You'll learn less and you'll also be letting us down. So please
22 |  * just attempt the assignment without looking at these files. We trust you to
23 |  * act honestly. Thanks! <3
24 |  *
25 |  *                              - Feross and the CS 253 course staff
26 |  */
27 | 
28 | const { createServer } = require('../common/server')
29 | const { getResults } = require('../common/caloogle')
30 | 
31 | const { router } = createServer(4040, __dirname)
32 | 
33 | router.get('/', async (req, res) => {
34 |   res.render('caloogle-home-page')
35 | })
36 | 
37 | router.get('/search', async (req, res) => {
38 |   let q = req.query.q
39 |   if (q == null) q = ''
40 | 
41 |   let oldQ
42 |   while (q !== oldQ) {
43 |     oldQ = q
44 |     q = q.replace(/script/g, '')
45 |   }
46 | 
47 |   const results = await getResults(q)
48 |   res.render('caloogle-search-page', { q, results })
49 | })
50 | 


--------------------------------------------------------------------------------
/exercises/06/server.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  *    SSSSSSSSSSSSSSS TTTTTTTTTTTTTTTTTTTTTTT     OOOOOOOOO     PPPPPPPPPPPPPPPPP
 3 |  *  SS:::::::::::::::ST:::::::::::::::::::::T   OO:::::::::OO   P::::::::::::::::P
 4 |  * S:::::SSSSSS::::::ST:::::::::::::::::::::T OO:::::::::::::OO P::::::PPPPPP:::::P
 5 |  * S:::::S     SSSSSSST:::::TT:::::::TT:::::TO:::::::OOO:::::::OPP:::::P     P:::::P
 6 |  * S:::::S            TTTTTT  T:::::T  TTTTTTO::::::O   O::::::O  P::::P     P:::::P
 7 |  * S:::::S                    T:::::T        O:::::O     O:::::O  P::::P     P:::::P
 8 |  *  S::::SSSS                 T:::::T        O:::::O     O:::::O  P::::PPPPPP:::::P
 9 |  *   SS::::::SSSSS            T:::::T        O:::::O     O:::::O  P:::::::::::::PP
10 |  *     SSS::::::::SS          T:::::T        O:::::O     O:::::O  P::::PPPPPPPPP
11 |  *        SSSSSS::::S         T:::::T        O:::::O     O:::::O  P::::P
12 |  *             S:::::S        T:::::T        O:::::O     O:::::O  P::::P
13 |  *             S:::::S        T:::::T        O::::::O   O::::::O  P::::P
14 |  * SSSSSSS     S:::::S      TT:::::::TT      O:::::::OOO:::::::OPP::::::PP
15 |  * S::::::SSSSSS:::::S      T:::::::::T       OO:::::::::::::OO P::::::::P
16 |  * S:::::::::::::::SS       T:::::::::T         OO:::::::::OO   P::::::::P
17 |  *  SSSSSSSSSSSSSSS         TTTTTTTTTTT           OOOOOOOOO     PPPPPPPPPP
18 |  *
19 |  *
20 |  * Please don't read this code. Reading this code is not in the spirit of the
21 |  * assignment. You'll learn less and you'll also be letting us down. So please
22 |  * just attempt the assignment without looking at these files. We trust you to
23 |  * act honestly. Thanks! <3
24 |  *
25 |  *                              - Feross and the CS 253 course staff
26 |  */
27 | 
28 | const { createServer } = require('../common/server')
29 | const { getResults } = require('../common/caloogle')
30 | 
31 | const { router } = createServer(4060, __dirname)
32 | 
33 | router.get('/', async (req, res) => {
34 |   res.render('caloogle-home-page')
35 | })
36 | 
37 | router.get('/search', async (req, res) => {
38 |   let q = req.query.q
39 |   if (q == null) q = ''
40 | 
41 |   let oldQ
42 |   while (q !== oldQ) {
43 |     oldQ = q
44 |     q = q.replace(/script/gi, '')
45 |   }
46 | 
47 |   const results = await getResults(q)
48 |   res.render('caloogle-search-page', { q, results })
49 | })
50 | 


--------------------------------------------------------------------------------
/exercises/05/server.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  *    SSSSSSSSSSSSSSS TTTTTTTTTTTTTTTTTTTTTTT     OOOOOOOOO     PPPPPPPPPPPPPPPPP
 3 |  *  SS:::::::::::::::ST:::::::::::::::::::::T   OO:::::::::OO   P::::::::::::::::P
 4 |  * S:::::SSSSSS::::::ST:::::::::::::::::::::T OO:::::::::::::OO P::::::PPPPPP:::::P
 5 |  * S:::::S     SSSSSSST:::::TT:::::::TT:::::TO:::::::OOO:::::::OPP:::::P     P:::::P
 6 |  * S:::::S            TTTTTT  T:::::T  TTTTTTO::::::O   O::::::O  P::::P     P:::::P
 7 |  * S:::::S                    T:::::T        O:::::O     O:::::O  P::::P     P:::::P
 8 |  *  S::::SSSS                 T:::::T        O:::::O     O:::::O  P::::PPPPPP:::::P
 9 |  *   SS::::::SSSSS            T:::::T        O:::::O     O:::::O  P:::::::::::::PP
10 |  *     SSS::::::::SS          T:::::T        O:::::O     O:::::O  P::::PPPPPPPPP
11 |  *        SSSSSS::::S         T:::::T        O:::::O     O:::::O  P::::P
12 |  *             S:::::S        T:::::T        O:::::O     O:::::O  P::::P
13 |  *             S:::::S        T:::::T        O::::::O   O::::::O  P::::P
14 |  * SSSSSSS     S:::::S      TT:::::::TT      O:::::::OOO:::::::OPP::::::PP
15 |  * S::::::SSSSSS:::::S      T:::::::::T       OO:::::::::::::OO P::::::::P
16 |  * S:::::::::::::::SS       T:::::::::T         OO:::::::::OO   P::::::::P
17 |  *  SSSSSSSSSSSSSSS         TTTTTTTTTTT           OOOOOOOOO     PPPPPPPPPP
18 |  *
19 |  *
20 |  * Please don't read this code. Reading this code is not in the spirit of the
21 |  * assignment. You'll learn less and you'll also be letting us down. So please
22 |  * just attempt the assignment without looking at these files. We trust you to
23 |  * act honestly. Thanks! <3
24 |  *
25 |  *                              - Feross and the CS 253 course staff
26 |  */
27 | 
28 | const { createServer } = require('../common/server')
29 | const { getResults } = require('../common/caloogle')
30 | 
31 | const { router } = createServer(4050, __dirname)
32 | 
33 | router.get('/', async (req, res) => {
34 |   res.render('caloogle-home-page')
35 | })
36 | 
37 | router.get('/search', async (req, res) => {
38 |   let q = req.query.q
39 |   if (q == null) q = ''
40 | 
41 |   let oldQ
42 |   while (q !== oldQ) {
43 |     oldQ = q
44 |     q = q.replace(/script|SCRIPT/g, '')
45 |   }
46 | 
47 |   const results = await getResults(q)
48 |   res.render('caloogle-search-page', { q, results })
49 | })
50 | 


--------------------------------------------------------------------------------
/exercises/07/server.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  *    SSSSSSSSSSSSSSS TTTTTTTTTTTTTTTTTTTTTTT     OOOOOOOOO     PPPPPPPPPPPPPPPPP
 3 |  *  SS:::::::::::::::ST:::::::::::::::::::::T   OO:::::::::OO   P::::::::::::::::P
 4 |  * S:::::SSSSSS::::::ST:::::::::::::::::::::T OO:::::::::::::OO P::::::PPPPPP:::::P
 5 |  * S:::::S     SSSSSSST:::::TT:::::::TT:::::TO:::::::OOO:::::::OPP:::::P     P:::::P
 6 |  * S:::::S            TTTTTT  T:::::T  TTTTTTO::::::O   O::::::O  P::::P     P:::::P
 7 |  * S:::::S                    T:::::T        O:::::O     O:::::O  P::::P     P:::::P
 8 |  *  S::::SSSS                 T:::::T        O:::::O     O:::::O  P::::PPPPPP:::::P
 9 |  *   SS::::::SSSSS            T:::::T        O:::::O     O:::::O  P:::::::::::::PP
10 |  *     SSS::::::::SS          T:::::T        O:::::O     O:::::O  P::::PPPPPPPPP
11 |  *        SSSSSS::::S         T:::::T        O:::::O     O:::::O  P::::P
12 |  *             S:::::S        T:::::T        O:::::O     O:::::O  P::::P
13 |  *             S:::::S        T:::::T        O::::::O   O::::::O  P::::P
14 |  * SSSSSSS     S:::::S      TT:::::::TT      O:::::::OOO:::::::OPP::::::PP
15 |  * S::::::SSSSSS:::::S      T:::::::::T       OO:::::::::::::OO P::::::::P
16 |  * S:::::::::::::::SS       T:::::::::T         OO:::::::::OO   P::::::::P
17 |  *  SSSSSSSSSSSSSSS         TTTTTTTTTTT           OOOOOOOOO     PPPPPPPPPP
18 |  *
19 |  *
20 |  * Please don't read this code. Reading this code is not in the spirit of the
21 |  * assignment. You'll learn less and you'll also be letting us down. So please
22 |  * just attempt the assignment without looking at these files. We trust you to
23 |  * act honestly. Thanks! <3
24 |  *
25 |  *                              - Feross and the CS 253 course staff
26 |  */
27 | 
28 | const { createServer } = require('../common/server')
29 | const { getResults } = require('../common/caloogle')
30 | 
31 | const { router } = createServer(4070, __dirname)
32 | 
33 | router.get('/', async (req, res) => {
34 |   res.render('caloogle-home-page')
35 | })
36 | 
37 | router.get('/search', async (req, res) => {
38 |   let q = req.query.q
39 |   if (q == null) q = ''
40 | 
41 |   let oldQ
42 |   while (q !== oldQ) {
43 |     oldQ = q
44 |     q = q.replace(/script|onerror=|onload=/gi, '')
45 |   }
46 | 
47 |   const results = await getResults(q)
48 |   res.render('caloogle-search-page', { q, results })
49 | })
50 | 


--------------------------------------------------------------------------------
/exercises/14/server.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  *    SSSSSSSSSSSSSSS TTTTTTTTTTTTTTTTTTTTTTT     OOOOOOOOO     PPPPPPPPPPPPPPPPP
 3 |  *  SS:::::::::::::::ST:::::::::::::::::::::T   OO:::::::::OO   P::::::::::::::::P
 4 |  * S:::::SSSSSS::::::ST:::::::::::::::::::::T OO:::::::::::::OO P::::::PPPPPP:::::P
 5 |  * S:::::S     SSSSSSST:::::TT:::::::TT:::::TO:::::::OOO:::::::OPP:::::P     P:::::P
 6 |  * S:::::S            TTTTTT  T:::::T  TTTTTTO::::::O   O::::::O  P::::P     P:::::P
 7 |  * S:::::S                    T:::::T        O:::::O     O:::::O  P::::P     P:::::P
 8 |  *  S::::SSSS                 T:::::T        O:::::O     O:::::O  P::::PPPPPP:::::P
 9 |  *   SS::::::SSSSS            T:::::T        O:::::O     O:::::O  P:::::::::::::PP
10 |  *     SSS::::::::SS          T:::::T        O:::::O     O:::::O  P::::PPPPPPPPP
11 |  *        SSSSSS::::S         T:::::T        O:::::O     O:::::O  P::::P
12 |  *             S:::::S        T:::::T        O:::::O     O:::::O  P::::P
13 |  *             S:::::S        T:::::T        O::::::O   O::::::O  P::::P
14 |  * SSSSSSS     S:::::S      TT:::::::TT      O:::::::OOO:::::::OPP::::::PP
15 |  * S::::::SSSSSS:::::S      T:::::::::T       OO:::::::::::::OO P::::::::P
16 |  * S:::::::::::::::SS       T:::::::::T         OO:::::::::OO   P::::::::P
17 |  *  SSSSSSSSSSSSSSS         TTTTTTTTTTT           OOOOOOOOO     PPPPPPPPPP
18 |  *
19 |  *
20 |  * Please don't read this code. Reading this code is not in the spirit of the
21 |  * assignment. You'll learn less and you'll also be letting us down. So please
22 |  * just attempt the assignment without looking at these files. We trust you to
23 |  * act honestly. Thanks! <3
24 |  *
25 |  *                              - Feross and the CS 253 course staff
26 |  */
27 | 
28 | const { createServer } = require('../common/server')
29 | const { getResults, getLanguageVarsFromRequest } = require('../common/caloogle')
30 | 
31 | const { router } = createServer(4140, __dirname)
32 | 
33 | router.get('/', async (req, res) => {
34 |   res.render('caloogle-home-page')
35 | })
36 | 
37 | router.get('/search', async (req, res) => {
38 |   let q = req.query.q
39 |   if (q == null) q = ''
40 | 
41 |   const rawQ = q
42 | 
43 |   const languageVars = getLanguageVarsFromRequest(req)
44 | 
45 |   const results = await getResults(q)
46 |   res.render('caloogle-search-page4', {
47 |     rawQ,
48 |     results,
49 |     ...languageVars
50 |   })
51 | })
52 | 


--------------------------------------------------------------------------------
/exercises/15/server.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  *    SSSSSSSSSSSSSSS TTTTTTTTTTTTTTTTTTTTTTT     OOOOOOOOO     PPPPPPPPPPPPPPPPP
 3 |  *  SS:::::::::::::::ST:::::::::::::::::::::T   OO:::::::::OO   P::::::::::::::::P
 4 |  * S:::::SSSSSS::::::ST:::::::::::::::::::::T OO:::::::::::::OO P::::::PPPPPP:::::P
 5 |  * S:::::S     SSSSSSST:::::TT:::::::TT:::::TO:::::::OOO:::::::OPP:::::P     P:::::P
 6 |  * S:::::S            TTTTTT  T:::::T  TTTTTTO::::::O   O::::::O  P::::P     P:::::P
 7 |  * S:::::S                    T:::::T        O:::::O     O:::::O  P::::P     P:::::P
 8 |  *  S::::SSSS                 T:::::T        O:::::O     O:::::O  P::::PPPPPP:::::P
 9 |  *   SS::::::SSSSS            T:::::T        O:::::O     O:::::O  P:::::::::::::PP
10 |  *     SSS::::::::SS          T:::::T        O:::::O     O:::::O  P::::PPPPPPPPP
11 |  *        SSSSSS::::S         T:::::T        O:::::O     O:::::O  P::::P
12 |  *             S:::::S        T:::::T        O:::::O     O:::::O  P::::P
13 |  *             S:::::S        T:::::T        O::::::O   O::::::O  P::::P
14 |  * SSSSSSS     S:::::S      TT:::::::TT      O:::::::OOO:::::::OPP::::::PP
15 |  * S::::::SSSSSS:::::S      T:::::::::T       OO:::::::::::::OO P::::::::P
16 |  * S:::::::::::::::SS       T:::::::::T         OO:::::::::OO   P::::::::P
17 |  *  SSSSSSSSSSSSSSS         TTTTTTTTTTT           OOOOOOOOO     PPPPPPPPPP
18 |  *
19 |  *
20 |  * Please don't read this code. Reading this code is not in the spirit of the
21 |  * assignment. You'll learn less and you'll also be letting us down. So please
22 |  * just attempt the assignment without looking at these files. We trust you to
23 |  * act honestly. Thanks! <3
24 |  *
25 |  *                              - Feross and the CS 253 course staff
26 |  */
27 | 
28 | const { createServer } = require('../common/server')
29 | const { getResults, htmlAttributeEscape, getLanguageVarsFromRequest } = require('../common/caloogle')
30 | 
31 | const { router } = createServer(4150, __dirname)
32 | 
33 | router.get('/', async (req, res) => {
34 |   res.render('caloogle-home-page')
35 | })
36 | 
37 | router.get('/search', async (req, res) => {
38 |   let q = req.query.q
39 |   if (q == null) q = ''
40 | 
41 |   const rawQ = q
42 |   q = htmlAttributeEscape(q)
43 | 
44 |   const languageVars = getLanguageVarsFromRequest(req)
45 | 
46 |   const results = await getResults(q)
47 |   res.render('caloogle-search-page5', {
48 |     q,
49 |     rawQ,
50 |     results,
51 |     ...languageVars
52 |   })
53 | })
54 | 


--------------------------------------------------------------------------------
/exercises/16/server.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  *    SSSSSSSSSSSSSSS TTTTTTTTTTTTTTTTTTTTTTT     OOOOOOOOO     PPPPPPPPPPPPPPPPP
 3 |  *  SS:::::::::::::::ST:::::::::::::::::::::T   OO:::::::::OO   P::::::::::::::::P
 4 |  * S:::::SSSSSS::::::ST:::::::::::::::::::::T OO:::::::::::::OO P::::::PPPPPP:::::P
 5 |  * S:::::S     SSSSSSST:::::TT:::::::TT:::::TO:::::::OOO:::::::OPP:::::P     P:::::P
 6 |  * S:::::S            TTTTTT  T:::::T  TTTTTTO::::::O   O::::::O  P::::P     P:::::P
 7 |  * S:::::S                    T:::::T        O:::::O     O:::::O  P::::P     P:::::P
 8 |  *  S::::SSSS                 T:::::T        O:::::O     O:::::O  P::::PPPPPP:::::P
 9 |  *   SS::::::SSSSS            T:::::T        O:::::O     O:::::O  P:::::::::::::PP
10 |  *     SSS::::::::SS          T:::::T        O:::::O     O:::::O  P::::PPPPPPPPP
11 |  *        SSSSSS::::S         T:::::T        O:::::O     O:::::O  P::::P
12 |  *             S:::::S        T:::::T        O:::::O     O:::::O  P::::P
13 |  *             S:::::S        T:::::T        O::::::O   O::::::O  P::::P
14 |  * SSSSSSS     S:::::S      TT:::::::TT      O:::::::OOO:::::::OPP::::::PP
15 |  * S::::::SSSSSS:::::S      T:::::::::T       OO:::::::::::::OO P::::::::P
16 |  * S:::::::::::::::SS       T:::::::::T         OO:::::::::OO   P::::::::P
17 |  *  SSSSSSSSSSSSSSS         TTTTTTTTTTT           OOOOOOOOO     PPPPPPPPPP
18 |  *
19 |  *
20 |  * Please don't read this code. Reading this code is not in the spirit of the
21 |  * assignment. You'll learn less and you'll also be letting us down. So please
22 |  * just attempt the assignment without looking at these files. We trust you to
23 |  * act honestly. Thanks! <3
24 |  *
25 |  *                              - Feross and the CS 253 course staff
26 |  */
27 | 
28 | const { createServer } = require('../common/server')
29 | const {
30 |   getResults,
31 |   htmlAttributeEscape,
32 |   getLanguageVarsFromRequest
33 | } = require('../common/caloogle')
34 | 
35 | const { router } = createServer(4160, __dirname)
36 | 
37 | router.get('/', async (req, res) => {
38 |   res.render('caloogle-home-page')
39 | })
40 | 
41 | router.get('/search', async (req, res) => {
42 |   let q = req.query.q
43 |   if (q == null) q = ''
44 | 
45 |   const rawQ = q
46 |   q = htmlAttributeEscape(q).replace(/<\//g, '')
47 | 
48 |   const languageVars = getLanguageVarsFromRequest(req)
49 | 
50 |   const results = await getResults(q)
51 |   res.render('caloogle-search-page5', {
52 |     q,
53 |     rawQ,
54 |     results,
55 |     ...languageVars
56 |   })
57 | })
58 | 


--------------------------------------------------------------------------------
/exercises/common/static/caloogle.css:
--------------------------------------------------------------------------------
  1 | :root {
  2 |   --blue: #4285F4;
  3 |   --green: #34A853;
  4 |   --yellow: #FBBC05;
  5 |   --red: #EA4335;
  6 | }
  7 | 
  8 | body {
  9 |   padding: 20px;
 10 | }
 11 | 
 12 | h1 {
 13 |   font-size: 50px;
 14 | }
 15 | 
 16 | .searchInput {
 17 |   border-radius: 9999px;
 18 |   outline: none;
 19 |   border: 2px solid black;
 20 |   font-size: 16px;
 21 |   padding: 5px 10px;
 22 |   width: 100%;
 23 |   max-width: 500px;
 24 | }
 25 | 
 26 | .searchInput:focus, .searchInput:active {
 27 |   border: 2px solid var(--blue);
 28 | }
 29 | 
 30 | button {
 31 |   font-size: 16px;
 32 |   margin: 15px 0;
 33 | }
 34 | 
 35 | .blue {
 36 |   color: var(--blue);
 37 | }
 38 | 
 39 | .green {
 40 |   color: var(--green);
 41 | }
 42 | 
 43 | .yellow {
 44 |   color: var(--yellow);
 45 | }
 46 | 
 47 | .red {
 48 |   color: var(--red);
 49 | }
 50 | 
 51 | .home-page {
 52 |   text-align: center;
 53 | }
 54 | 
 55 | .search-page {
 56 |   margin-left: auto;
 57 |   margin-right: auto;
 58 |   width: 100%;
 59 |   max-width: 800px;
 60 | }
 61 | 
 62 | .search-page .header > * {
 63 |   float: left;
 64 | }
 65 | 
 66 | .search-page .logo {
 67 |   width: 130px;
 68 |   margin: 15px 0;
 69 | }
 70 | 
 71 | .search-page .logo a {
 72 |   text-decoration: none;
 73 | }
 74 | 
 75 | .search-page form {
 76 |   width: calc(100% - 130px);
 77 | }
 78 | 
 79 | .search-page input {
 80 |   width: calc(100% - 110px);
 81 | }
 82 | 
 83 | .search-page button {
 84 |   width: 100px;
 85 | }
 86 | 
 87 | .search-page .result {
 88 |   margin: 20px 0;
 89 | }
 90 | 
 91 | .search-page .result .link {
 92 |   color: green;
 93 |   display: block;
 94 |   text-decoration: none;
 95 |   overflow-wrap: break-word;
 96 | }
 97 | 
 98 | .search-page .result .title {
 99 |   font-size: 16px;
100 |   font-weight: bold;
101 |   color: #1a0dab;
102 |   text-decoration: none;
103 | }
104 | 
105 | .competition img {
106 |   width: 150px;
107 | }
108 | 
109 | .searchInput {
110 |   border-radius: 9999px;
111 |   outline: none;
112 |   border: 2px solid black;
113 |   font-size: 16px;
114 |   padding: 5px 10px;
115 |   width: 100%;
116 |   max-width: 500px;
117 | }
118 | 
119 | .searchInput:focus, .searchInput:active {
120 |   border: 2px solid var(--blue);
121 | }
122 | 
123 | body.guestbook {
124 |   background: url('bg-stars.gif');
125 |   color: white;
126 | }
127 | 
128 | div.guestbook-page {
129 |   text-align: center;
130 | }
131 | 
132 | div.guestbook-page input {
133 |   box-shadow: inset 0 0 10px #000000;
134 |   border-radius: 999px;
135 |   font-size: 20px;
136 |   padding: 15px;
137 |   width: 400px;
138 | }
139 | 


--------------------------------------------------------------------------------
/exercises/01/problem.md:
--------------------------------------------------------------------------------
 1 | You're the founder of an innovative [world-changing startup](https://tiffzhang.com/startup/)! It has something to do with blockchain in the cloud. It's like Uber, but for cats. Or, maybe it's like Airbnb, but for gamification. It's social, mobile, and local. The tech press says that it's disruptive and revolutionary. Really, it has everything that a user could want. But you're still iterating in stealth mode using the Lean Startup™️ method until you find product-market fit and become a unicorn! 🦄
 2 | 
 3 | But... one day, out of nowhere, disaster strikes! You see that your biggest competitor has released a product that is just like what you've been building. But they beat you to market!
 4 | 
 5 | You suspect that they might have cut some corners when it comes to security in order to release their product so quickly. Not a good idea. You decide to put the "hacker" into "growth hacker" and teach them a lesson about taking web security seriously.
 6 | 
 7 | Perhaps if your competitor sees their users getting attacked in the wild, you can convince them to unlaunch their site. This would give your team the much-needed time they need to launch your superior product! 😈
 8 | 
 9 | You decide to check out their website and look for a Reflected XSS vulnerability.
10 | 
11 | ## Goal
12 | 
13 | Find a way to inject a `<script>` tag into your competitor's site. Once you find a way to execute code on their site, you should call the `success()` function. If you've done it correctly, you should see a browser alert telling you that you succeeded.
14 | 
15 | <iframe src='http://caloogle.xyz:4010'></iframe>
16 | 
17 | Since this is a Reflected XSS attack, take note of the fact that the URL of the victim site contains a URL-encoded version of your "attack input".
18 | 
19 | If you were truly evil, you could share that URL on social media and when innocent users click the link, your attack code should execute in their browsers, wreaking havoc. You could exfiltrate their cookies and log in as them, or take actions on their account, including deleting it. Your competitor will have trouble raising their next round from investors when their user numbers start going down and to the right! 🤣📉🤣  Noobs!
20 | 
21 | You should try copying this URL and opening it into a new tab and confirm that your attack code runs immediately when the page is loaded. This is the power of Reflected XSS!
22 | 
23 | Before you move on to the next exercise, remember to copy your "attack input" (the malicious input string, not the URL) into the `SOLUTIONS.md` file so you can submit it and get credit.
24 | 
25 | ## Note
26 | 
27 | Your solution must involve a `<script>` tag.
28 | 


--------------------------------------------------------------------------------
/exercises/17/server.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  *    SSSSSSSSSSSSSSS TTTTTTTTTTTTTTTTTTTTTTT     OOOOOOOOO     PPPPPPPPPPPPPPPPP
 3 |  *  SS:::::::::::::::ST:::::::::::::::::::::T   OO:::::::::OO   P::::::::::::::::P
 4 |  * S:::::SSSSSS::::::ST:::::::::::::::::::::T OO:::::::::::::OO P::::::PPPPPP:::::P
 5 |  * S:::::S     SSSSSSST:::::TT:::::::TT:::::TO:::::::OOO:::::::OPP:::::P     P:::::P
 6 |  * S:::::S            TTTTTT  T:::::T  TTTTTTO::::::O   O::::::O  P::::P     P:::::P
 7 |  * S:::::S                    T:::::T        O:::::O     O:::::O  P::::P     P:::::P
 8 |  *  S::::SSSS                 T:::::T        O:::::O     O:::::O  P::::PPPPPP:::::P
 9 |  *   SS::::::SSSSS            T:::::T        O:::::O     O:::::O  P:::::::::::::PP
10 |  *     SSS::::::::SS          T:::::T        O:::::O     O:::::O  P::::PPPPPPPPP
11 |  *        SSSSSS::::S         T:::::T        O:::::O     O:::::O  P::::P
12 |  *             S:::::S        T:::::T        O:::::O     O:::::O  P::::P
13 |  *             S:::::S        T:::::T        O::::::O   O::::::O  P::::P
14 |  * SSSSSSS     S:::::S      TT:::::::TT      O:::::::OOO:::::::OPP::::::PP
15 |  * S::::::SSSSSS:::::S      T:::::::::T       OO:::::::::::::OO P::::::::P
16 |  * S:::::::::::::::SS       T:::::::::T         OO:::::::::OO   P::::::::P
17 |  *  SSSSSSSSSSSSSSS         TTTTTTTTTTT           OOOOOOOOO     PPPPPPPPPP
18 |  *
19 |  *
20 |  * Please don't read this code. Reading this code is not in the spirit of the
21 |  * assignment. You'll learn less and you'll also be letting us down. So please
22 |  * just attempt the assignment without looking at these files. We trust you to
23 |  * act honestly. Thanks! <3
24 |  *
25 |  *                              - Feross and the CS 253 course staff
26 |  */
27 | 
28 | const { createServer } = require('../common/server')
29 | 
30 | const { router } = createServer(4170, __dirname)
31 | 
32 | const comments = [
33 |   { id: 0, text: '💿 Party Like It\'s 1999 💿' },
34 |   { id: 1, text: 'YOU\'VE GOT MAIL 📬 📬 I\'m posting on your guestbook!' },
35 |   { id: 2, text: 'This guestbook is hotttt 🔥🔥🔥' }
36 | ]
37 | 
38 | router.get('/', async (req, res) => {
39 |   res.render('caloogle-guestbook-page', { comments })
40 | })
41 | 
42 | router.post('/comment', async (req, res) => {
43 |   const comment = req.body
44 | 
45 |   if (comment == null) throw new Error('comment cannot be empty')
46 |   if (comment.text == null) throw new Error('comment.text cannot be empty')
47 | 
48 |   // if client specifies no id, then use the next id
49 |   if (comment.id == null) comment.id = comments.length
50 | 
51 |   // store the comment in a crappy in-memory "database"
52 |   comments.push(comment)
53 | 
54 |   res.send({ error: null, comment })
55 | })
56 | 


--------------------------------------------------------------------------------
/static/workshop.css:
--------------------------------------------------------------------------------
  1 | :root {
  2 |   --black: #282828;
  3 |   --dark-grey: #707070;
  4 |   --grey: #A9B0C3;
  5 |   --light-grey: #DEE7FF;
  6 |   --white: #FFFFFF;
  7 |   --green: #58FF8B;
  8 |   --red: #FF6E57;
  9 |   --yellow: #FFE25F;
 10 |   --blue: #009EFF;
 11 | }
 12 | 
 13 | main a:link, main a:visited {
 14 |   color: inherit;
 15 |   background-color: var(--blue);
 16 |   text-decoration: none;
 17 |   padding: 0 4px 1px 4px;
 18 |   border-radius: 3px;
 19 | }
 20 | 
 21 | main a:hover, main a:active {
 22 |   color: var(--black);
 23 |   background-color: var(--yellow);
 24 | }
 25 | 
 26 | body {
 27 |   color: var(--white);
 28 |   background-color: var(--black);
 29 |   font-size: 14px;
 30 | }
 31 | 
 32 | p {
 33 |   line-height: 1.3em;
 34 |   margin: 1.3em 0;
 35 | }
 36 | 
 37 | nav {
 38 |   font-size: 14px;
 39 |   line-height: 1.3em;
 40 |   background-color: var(--green);
 41 |   color: var(--black);
 42 |   text-transform: uppercase;
 43 |   margin: 5ch;
 44 |   padding: 2ch;
 45 |   width: 50ch;
 46 |   position: fixed;
 47 |   top: 0;
 48 |   left: 0;
 49 |   bottom: 0;
 50 |   user-select: none;
 51 | }
 52 | 
 53 | nav a:link, nav a:visited {
 54 |   color: inherit;
 55 |   text-decoration: none;
 56 | }
 57 | 
 58 | nav a:hover, nav a:active {
 59 |   color: var(--green);
 60 |   background-color: var(--black);
 61 | }
 62 | 
 63 | nav > * {
 64 |   padding: 1px 6px;
 65 |   display: block;
 66 | }
 67 | 
 68 | nav .exercise::before {
 69 |   content: '» ';
 70 | }
 71 | 
 72 | nav .exercise.done::after {
 73 |   content: ' ✓';
 74 |   float: right;
 75 | }
 76 | 
 77 | nav .title {
 78 |   font-weight: bold;
 79 | }
 80 | 
 81 | nav .disabled {
 82 |   opacity: 0.5;
 83 | }
 84 | 
 85 | main {
 86 |   margin: 0ch 5ch 10ch 60ch;
 87 |   max-width: 80ch;
 88 | }
 89 | 
 90 | iframe {
 91 |   height: 450px;
 92 |   min-height: 350px;
 93 |   max-height: 80vh;
 94 | 
 95 |   width: 700px;
 96 |   min-width: 600px;
 97 |   max-width: 100%;
 98 | 
 99 |   resize: both;
100 | }
101 | 
102 | :not(a) > code {
103 |   border-radius: 3px;
104 |   background-color: var(--dark-grey);
105 |   padding: 0 4px 1px 4px;
106 | }
107 | 
108 | code.hljs {
109 |   padding: 1.5em;
110 | }
111 | 
112 | /* Highlight.js styles */
113 | .hljs-comment,.hljs-quote{color:#969896}.hljs-variable,.hljs-template-variable,.hljs-tag,.hljs-name,.hljs-selector-id,.hljs-selector-class,.hljs-regexp,.hljs-deletion{color:#d54e53}.hljs-number,.hljs-built_in,.hljs-builtin-name,.hljs-literal,.hljs-type,.hljs-params,.hljs-meta,.hljs-link{color:#e78c45}.hljs-attribute{color:#e7c547}.hljs-string,.hljs-symbol,.hljs-bullet,.hljs-addition{color:#b9ca4a}.hljs-title,.hljs-section{color:#7aa6da}.hljs-keyword,.hljs-selector-tag{color:#c397d8}.hljs{display:block;overflow-x:auto;background:black;color:#eaeaea;padding:.5em}.hljs-emphasis{font-style:italic}.hljs-strong{font-weight:bold}
114 | 


--------------------------------------------------------------------------------
/static/common.js:
--------------------------------------------------------------------------------
 1 | let successCalled = false
 2 | 
 3 | window.success = () => {
 4 |   if (successCalled) return
 5 |   successCalled = true
 6 | 
 7 |   // if (window.parent === window) {
 8 |   //   window.alert('Success! HOWEVER... In order to receive credit for this exercise please enter your "attack input" into the inline browser in the problem.')
 9 |   //   return
10 |   // }
11 | 
12 |   window.parent.postMessage('success', '*')
13 | }
14 | 
15 | window.addEventListener('message', async e => {
16 |   const { data } = e
17 |   if (data !== 'success') return
18 | 
19 |   const $exerciseIdInput = document.querySelector('.exercise-id')
20 |   const id = $exerciseIdInput
21 |     ? Number($exerciseIdInput.value)
22 |     : Number(window.location.pathname.slice(1))
23 | 
24 |   const $exerciseLink = document.querySelector(`[data-exercise='${id}']`)
25 |   if ($exerciseLink) {
26 |     $exerciseLink.classList.add('done')
27 |   }
28 | 
29 |   const $nextExerciseLink = document.querySelector(`[data-exercise='${id + 1}']`)
30 |   if ($nextExerciseLink) {
31 |     $nextExerciseLink.classList.remove('disabled')
32 |     $nextExerciseLink.classList.add('pulse', 'animated', 'infinite')
33 |   }
34 | 
35 |   try {
36 |     await window.fetch(`http://localhost:4000/success/${id}`, {
37 |       method: 'POST',
38 |       mode: 'no-cors',
39 |       headers: {
40 |         Accept: 'application/json',
41 |         'Content-Type': 'application/json'
42 |       }
43 |     })
44 | 
45 |     window.alert(`Success! You completed exercise ${id}!`)
46 |   } catch (err) {
47 |     window.alert(`Error! It looks like you completed excercise ${id} but the result could not be saved. Is the server still running?`)
48 |   }
49 | })
50 | 
51 | window.addEventListener('load', () => {
52 |   if (document.querySelector('.iframeNav')) {
53 |     initIframeNav()
54 |   }
55 | })
56 | 
57 | function initIframeNav () {
58 |   if (window.parent === window) {
59 |     // Running in top-level window
60 |     const $iframeNav = document.querySelector('.iframeNav')
61 |     $iframeNav.style.display = 'none'
62 |   }
63 | 
64 |   const $url = document.querySelector('.iframeNav .url')
65 |   $url.value = window.location
66 | 
67 |   const $home = document.querySelector('.iframeNav .home')
68 |   $home.addEventListener('click', e => {
69 |     window.location = window.location.origin
70 |   })
71 | 
72 |   const $newtab = document.querySelector('.iframeNav .newtab')
73 |   $newtab.addEventListener('click', e => {
74 |     const a = document.createElement('a')
75 |     a.href = window.location
76 |     a.target = '_blank'
77 |     a.click()
78 |   })
79 | 
80 |   const $urlForm = document.querySelector('.iframeNav .urlForm')
81 |   $urlForm.addEventListener('submit', e => {
82 |     e.preventDefault()
83 |     let url = $url.value
84 |     if (!/^https?:.*/.test(url)) {
85 |       url = `http://${url}`
86 |     }
87 |     window.location = url
88 |   })
89 | }
90 | 


--------------------------------------------------------------------------------
/exercises/17/problem.md:
--------------------------------------------------------------------------------
 1 | Your competitor decides to add a guestbook to their website.
 2 | 
 3 | Guestbooks were all the rage on websites built in the late 90s and early 00s. In case you're not familiar with the concept, here's a definition:
 4 | 
 5 | > On the web, a guestbook is a logging system that allows visitors of a website to leave a public comment. It is possible in some guestbooks for visitors to express their thoughts about the website or its subject. Generally, they do not require the poster to create a user account, as it is an informal method of dropping off a quick message. The purpose of a website guestbook is to display the kind of visitors the site gets, including the part of the world they reside in, and gain feedback from them. This allows the webmaster to assess and improve their site. A guestbook is generally a script, which is usually remotely hosted... – [Wikipedia](https://en.wikipedia.org/wiki/Guestbook)
 6 | 
 7 | Upon checking it out, you notice that they're storing comments on the server-side so that later visitors to the guestbook can see comments left by earlier posters. You realize that this could be a perfect opportunity to try a Stored XSS attack!
 8 | 
 9 | Your competitor is using an open source Guestbook package, and you were able to figure out which one and which version through some sluething. You download the code to see what you're up against:
10 | 
11 | ```js
12 | router.get('/', async (req, res) => {
13 |   const comments = await getCommentsFromDatabase()
14 |   res.render('caloogle-guestbook-page', { comments })
15 | })
16 | 
17 | router.post('/comment', async (req, res) => {
18 |   const comment = req.body
19 | 
20 |   if (comment == null) throw new Error('comment cannot be empty')
21 |   if (comment.text == null) throw new Error('comment.text cannot be empty')
22 | 
23 |   // if client specifies no id, then use the next id
24 |   if (comment.id == null) comment.id = await getNextAvailableIdFromDatabase()
25 | 
26 |   await addCommentToDatabase(comment)
27 | 
28 |   res.send({ error: null, comment })
29 | })
30 | ```
31 | 
32 | If you can pull off a Stored XSS attack, then all future visitors to their Guestbook will execute your attack code! Unlike the Reflected XSS attacks you've been doing so far, this one doesn't require the victim to visit your specially-crafted attack URL to be exploited. They victim merely needs to visit the guestbook and your attack code will run.
33 | 
34 | Time to show your competitor the power of Stored XSS!
35 | 
36 | ## Goals
37 | 
38 | 1. Find the XSS vulnerability in their code. You can use any HTML that you want.
39 | 
40 | 1. Your solution should be a code snippet that, when pasted into the browser DevTools, will add a comment to the server's database
41 | 
42 | ## Tips
43 | 
44 | - The general concept of Stored XSS is the same as Reflected XSS. So all your prior practice should come in handy here!
45 | 
46 | - You should use the [`fetch`](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API) API to make a HTTP request that stores your XSS payload in the server's data store.
47 | 
48 | - It's okay if your attack code doesn't run immeditately when the page loads. It is acceptable for it to run later, in response to the user interacting with the page.
49 | 
50 | <iframe src='http://caloogle.xyz:4170'></iframe>
51 | 
52 | Before you move on to the next exercise, remember to copy your "attack code" into the `SOLUTIONS.md` file.
53 | 


--------------------------------------------------------------------------------
/src/SOLUTIONS.md:
--------------------------------------------------------------------------------
  1 | # 0. Welcome
  2 | 
  3 | N/A
  4 | 
  5 | # 1. A Truly Disruptive Startup (3 points)
  6 | 
  7 | ```
  8 | TODO: Replace this with your attack input.
  9 | ```
 10 | 
 11 | # 2. No Script Allowed (3 points)
 12 | 
 13 | ```
 14 | TODO: Replace this with your attack input.
 15 | ```
 16 | 
 17 | # 3. One More Time, Like You Mean It (3 points)
 18 | 
 19 | ```
 20 | TODO: Replace this with your attack input.
 21 | ```
 22 | 
 23 | # 4. An Open-and-Shut Case (3 points)
 24 | 
 25 | ```
 26 | TODO: Replace this with your attack input.
 27 | ```
 28 | 
 29 | # 5. Time to Mix Things Up (3 points)
 30 | 
 31 | ```
 32 | TODO: Replace this with your attack input.
 33 | ```
 34 | 
 35 | # 6. A Picture is Worth a Thousand Words (3 points)
 36 | 
 37 | ```
 38 | TODO: Replace this with your attack input.
 39 | ```
 40 | 
 41 | # 7. Between a Rock And a Hard Place (3 points)
 42 | 
 43 | ```
 44 | TODO: Replace this with your attack input.
 45 | ```
 46 | 
 47 | # 8. Angle of Death (6 points)
 48 | 
 49 | Attack input:
 50 | 
 51 | ```
 52 | TODO: Replace this with your attack input.
 53 | ```
 54 | 
 55 | Server code:
 56 | 
 57 | ```js
 58 | router.get('/search', async (req, res) => {
 59 |   let q = req.query.q
 60 |   if (q == null) q = ''
 61 | 
 62 |   // TODO: Replace this with your solution.
 63 |   // q = ???
 64 | 
 65 |   const results = await getResults(q)
 66 |   res.render('caloogle-search-page', { q, results })
 67 | })
 68 | ```
 69 | 
 70 | # 9. All in a Day's Work
 71 | 
 72 | N/A
 73 | 
 74 | # 10. In the Wrong Place at the Wrong Time (3 points)
 75 | 
 76 | ```
 77 | TODO: Replace this with your attack input.
 78 | ```
 79 | 
 80 | # 11. You Can't Win 'em All (6 points)
 81 | 
 82 | Attack input:
 83 | 
 84 | ```
 85 | TODO: Replace this with your attack input.
 86 | ```
 87 | 
 88 | Server code:
 89 | 
 90 | ```js
 91 | router.get('/search', async (req, res) => {
 92 |   let q = req.query.q
 93 |   if (q == null) q = ''
 94 | 
 95 |   // TODO: Replace this with your solution.
 96 |   // q = ???
 97 | 
 98 |   const results = await getResults(q)
 99 |   res.render('caloogle-search-page', { q, results })
100 | })
101 | ```
102 | 
103 | # 12. When All is Said and Done (6 points)
104 | 
105 | Attack input:
106 | 
107 | ```
108 | TODO: Replace this with your attack input.
109 | ```
110 | 
111 | Server code:
112 | 
113 | ```js
114 | router.get('/search', async (req, res) => {
115 |   let q = req.query.q
116 |   if (q == null) q = ''
117 | 
118 |   // TODO: Replace this with your solution.
119 |   // q = ???
120 | 
121 |   const results = await getResults(q)
122 |   res.render('caloogle-search-page', { q, results })
123 | })
124 | ```
125 | 
126 | # 13. When You Want a Job Done Right
127 | 
128 | N/A
129 | 
130 | # 14. Here Today and Gone Tomorrow (3 points)
131 | 
132 | Attack URL:
133 | 
134 | ```
135 | TODO: Replace this with your solution. **This should be a URL!**
136 | ```
137 | 
138 | # 15. The Early Bird Catches the Worm (3 points)
139 | 
140 | ```
141 | TODO: Replace this with your attack input.
142 | ```
143 | 
144 | # 16. Tying Up Loose Ends (3 points)
145 | 
146 | ```
147 | TODO: Replace this with your attack input.
148 | ```
149 | 
150 | # 17. Take a Page Out of Their Book (6 points)
151 | 
152 | Attack code:
153 | 
154 | ```js
155 | // TODO: Replace this with your solution.
156 | ```
157 | 
158 | # 18. Congrats
159 | 
160 | N/A
161 | 
162 | # Survey responses (3 points)
163 | 
164 | Write your survey responses in SURVEY.md!
165 | 


--------------------------------------------------------------------------------
/exercises/00/problem.md:
--------------------------------------------------------------------------------
 1 | ## You made it to Assignment 1! ✨
 2 | 
 3 | If you're reading this, then you were able to get everything set up. Nice work! You can see the exercies you'll need to complete listed to the left.
 4 | 
 5 | ## What just happened to your computer?
 6 | 
 7 | You are currently running a local HTTP server that's serving this workshop website to you. Look up at the URL bar of your browser. You can see the hostname (<script>document.write(window.location.hostname)</script>) and port (<script>document.write(window.location.port)</script>) of the local server.
 8 | 
 9 | In addition to this workshop HTTP server, we've also running many other local HTTP servers which are vulnerable to attack in various ways. Most of the exercises you will complete involve attacking or defending these vulnerable local servers. For security, these local HTTP servers are only listening on the local interface (`127.0.0.1`) and should not be accessible to other users on your local network. This means that folks connected to e.g. the same cafe Wi-Fi as you cannot connect to `http://<your-local-ip-address>:<port>` and try to attack these vulnerable local servers.
10 | 
11 | ## What is your goal?
12 | 
13 | We're doing client-side attacks in this assignment. Your goal is to come up with "attack inputs" that when entered into vulnerable websites allow you to execute code in the target's browser.
14 | 
15 | With Reflected XSS, you want to find a way to encode the attack input into a URL that can be sent to a target. When the URL is visited, your attack input is extracted from the URL by the server-side (or potentially client-side) code and executed in the target's browser.
16 | 
17 | With Stored XSS, you want to find a way to get your attack input stored more permanently, e.g. in the server's database, so that when your target visits a page constructed using this data at some point in the future, your attack code will execute in their browser.
18 | 
19 | Usually, you can test your "attack inputs" by entering them into a form input field or encoding them into a URL parameter. Once you can execute code in the victim's browser, you can prove this by calling the `success()` function that we've created for you. Remember to save the attack inputs which you produce into the `SOLUTIONS.md` file. This is what you will submit for grading.
20 | 
21 | ## A quick note for the devious among you (all of you?)
22 | 
23 | Keep in mind when you design your attacks that you are attacking a server running on your own computer. So don't try to `rm -rf` the server thinking you're super clever. This will end badly for you! 🤣 This fact isn't super relevant for this assignment since you'll mainly be devising client-side attacks, but it's good to know what's going on nonetheless.
24 | 
25 | ## Another note for the extra, extra devious among you
26 | 
27 | We haven't attempted to secure this workshop from *you*. You have all the source code and it's running on your machine, so you are technically able to examine the source code. We ask you to avoid doing this since it'll just make the assignments less fun for you. It is also possible for you to fake calls to `success()` or to modify the local state file to instantly "finish" all the challenges. Again, this wouldn't be much fun for you, so please don't do it. Since you have to submit your solutions in a separate text file anyway, this doesn't really help you anyway.
28 | 
29 | ## Let's get going!
30 | 
31 | <a href='#' onclick="window.postMessage('success', '*')">Click this link to call success()</a> and complete your first exercise.
32 | 


--------------------------------------------------------------------------------
/exercises/common/caloogle.js:
--------------------------------------------------------------------------------
  1 | module.exports = {
  2 |   getResults,
  3 |   getLanguageVarsFromRequest,
  4 |   htmlElementEscape,
  5 |   htmlAttributeEscape,
  6 |   htmlEscape
  7 | }
  8 | 
  9 | const got = require('got')
 10 | 
 11 | async function getResults (q) {
 12 |   const searchUrl = `https://hn.algolia.com/api/v1/search?query=${encodeURIComponent(q)}`
 13 | 
 14 |   let body
 15 |   try {
 16 |     const res = await got(searchUrl, { json: true })
 17 |     body = res.body
 18 |   } catch (err) {}
 19 | 
 20 |   const results = ((body && body.hits) || [])
 21 |     .map(hit => ({
 22 |       title: hit.title || hit.story_title,
 23 |       url: hit.url || `https://news.ycombinator.com/item?id=${hit.objectID}`
 24 |     }))
 25 | 
 26 |   return results
 27 | }
 28 | 
 29 | function getLanguageVarsFromRequest (req) {
 30 |   let lang = req.query.lang
 31 |   if (lang == null) lang = 'en' // default language: english
 32 | 
 33 |   const url = new URL(req.url, 'http://example.com')
 34 |   const enUrl = new URL(url)
 35 |   enUrl.searchParams.set('lang', 'en')
 36 |   const esUrl = new URL(url, 'http://example.com')
 37 |   esUrl.searchParams.set('lang', 'es')
 38 |   const deUrl = new URL(url, 'http://example.com')
 39 |   deUrl.searchParams.set('lang', 'de')
 40 | 
 41 |   let searchText = 'Search'
 42 |   if (lang === 'es') {
 43 |     searchText = 'Buscar'
 44 |   } else if (lang === 'de') {
 45 |     searchText = 'Suche'
 46 |   }
 47 | 
 48 |   let languagesText = 'Languages'
 49 |   if (lang === 'es') {
 50 |     languagesText = 'Idiomas'
 51 |   } else if (lang === 'de') {
 52 |     languagesText = 'Sprachen'
 53 |   }
 54 | 
 55 |   let resultsForText = 'Results for'
 56 |   if (lang === 'es') {
 57 |     resultsForText = 'Resultados para'
 58 |   } else if (lang === 'de') {
 59 |     resultsForText = 'Ergebnisse für'
 60 |   }
 61 | 
 62 |   return {
 63 |     lang,
 64 |     enUrl,
 65 |     esUrl,
 66 |     deUrl,
 67 |     searchText,
 68 |     languagesText,
 69 |     resultsForText
 70 |   }
 71 | }
 72 | 
 73 | function htmlElementEscape (str) {
 74 |   return str
 75 |     // This is not for security, but because '&' is the HTML escape character
 76 |     // and we don't want the user's input to be treated as an escape sequence.
 77 |     .replace(/&/g, '&amp;')
 78 | 
 79 |     // Without the '<' character, no HTML tags an be created.
 80 |     .replace(/</g, '&lt;')
 81 | }
 82 | 
 83 | function htmlAttributeEscape (str) {
 84 |   return str
 85 |     // This is not for security, but because '&' is the HTML escape character
 86 |     // and we don't want the user's input to be treated as an escape sequence.
 87 |     .replace(/&/g, '&amp;')
 88 | 
 89 |     // Without the single quote character, the attacker cannot escape from
 90 |     // inside a single-quoted HTML attribute.
 91 |     .replace(/'/g, '&apos;')
 92 | 
 93 |     // Without the double quote character, the attacker cannot escape from
 94 |     // inside a double-quoted HTML attribute.
 95 |     .replace(/"/g, '&quot;')
 96 | }
 97 | 
 98 | function htmlEscape (str) {
 99 |   return str
100 |     // This is not for security, but because '&' is the HTML escape character
101 |     // and we don't want the user's input to be treated as an escape sequence.
102 |     .replace(/&/g, '&amp;')
103 | 
104 |     // Without the '<' character, no HTML tags an be created.
105 |     .replace(/</g, '&lt;')
106 | 
107 |     // Without the single quote character, the attacker cannot escape from
108 |     // inside a single-quoted HTML attribute.
109 |     .replace(/'/g, '&apos;')
110 | 
111 |     // Without the double quote character, the attacker cannot escape from
112 |     // inside a double-quoted HTML attribute.
113 |     .replace(/"/g, '&quot;')
114 | }
115 | 


--------------------------------------------------------------------------------
/server/index.js:
--------------------------------------------------------------------------------
  1 | const appConfig = require('application-config')
  2 | const express = require('express')
  3 | const minimist = require('minimist')
  4 | const open = require('open')
  5 | const remark = require('remark')
  6 | const remarkExternalLinks = require('remark-external-links')
  7 | const remarkHighlight = require('remark-highlight.js')
  8 | const remarkHtml = require('remark-html')
  9 | const remarkRecommended = require('remark-preset-lint-recommended')
 10 | const Router = require('express-promise-router')
 11 | const cors = require('cors')
 12 | const { join } = require('path')
 13 | const { promisify } = require('util')
 14 | const { readFile } = require('fs').promises
 15 | 
 16 | const argv = minimist(process.argv.slice(2), {
 17 |   boolean: ['open'],
 18 |   default: {
 19 |     open: true
 20 |   }
 21 | })
 22 | 
 23 | const PORT = 4000
 24 | const ROOT_PATH = join(__dirname, '..')
 25 | const EXERCISES_PATH = join(ROOT_PATH, 'exercises')
 26 | 
 27 | const pkg = require(join(ROOT_PATH, 'package.json'))
 28 | 
 29 | const cfg = appConfig(`cs253-${pkg.name}`)
 30 | 
 31 | const _readConfig = promisify(cfg.read.bind(cfg))
 32 | const readConfig = async function readConfig () {
 33 |   return {
 34 |     // Default config file
 35 |     currentExcercise: 0,
 36 |     ...(await _readConfig())
 37 |   }
 38 | }
 39 | const writeConfig = promisify(cfg.write.bind(cfg))
 40 | const trashConfig = promisify(cfg.trash.bind(cfg))
 41 | 
 42 | const exercises = require(join(EXERCISES_PATH, 'exercises.json'))
 43 | 
 44 | init()
 45 | initExercises()
 46 | 
 47 | function init () {
 48 |   const app = express()
 49 | 
 50 |   app.set('view engine', 'ejs')
 51 |   app.set('views', join(ROOT_PATH, 'server'))
 52 | 
 53 |   const router = new Router()
 54 |   app.use(router)
 55 | 
 56 |   router.use(express.static(join(ROOT_PATH, 'static')))
 57 | 
 58 |   router.get('/', async (req, res) => {
 59 |     res.redirect('/0')
 60 |   })
 61 | 
 62 |   router.use(async (req, res) => {
 63 |     res.locals.exercises = exercises
 64 |     res.locals.config = await readConfig()
 65 | 
 66 |     return 'next'
 67 |   })
 68 | 
 69 |   router.get('/:id', async (req, res) => {
 70 |     const id = Number(req.params.id)
 71 |     if (Number.isNaN(id)) return 'next'
 72 | 
 73 |     const { config } = res.locals
 74 | 
 75 |     let problemMd
 76 |     try {
 77 |       const problemMdPath = join(getExercisePath(id), 'problem.md')
 78 |       problemMd = await readFile(problemMdPath)
 79 |     } catch (err) {
 80 |       return 'next'
 81 |     }
 82 | 
 83 |     const exerciseName = exercises.find(exercise => exercise.id === id).name
 84 |     let content = `<h1>Exercise ${id} – ${exerciseName}</h1>\n`
 85 | 
 86 |     if (id > config.currentExcercise) {
 87 |       content += '<p>Please complete the earlier excercises first.</p>\n'
 88 |     } else {
 89 |       content += await remark()
 90 |         .use(remarkRecommended)
 91 |         .use(remarkHighlight)
 92 |         .use(remarkExternalLinks)
 93 |         .use(remarkHtml)
 94 |         .process(problemMd)
 95 |     }
 96 | 
 97 |     res
 98 |       .render('layout', {
 99 |         title: `Exercise ${id} – ${exerciseName}`,
100 |         content
101 |       })
102 |   })
103 | 
104 |   const corsOpts = {
105 |     origin: function (origin, cb) {
106 |       const url = new URL(origin)
107 |       if (url.hostname === 'localhost' || url.hostname === 'caloogle.xyz') {
108 |         cb(null, true)
109 |       } else {
110 |         cb(new Error('Not allowed by CORS'))
111 |       }
112 |     }
113 |   }
114 | 
115 |   router.post('/success/:id', cors(corsOpts), async (req, res) => {
116 |     const id = Number(req.params.id)
117 |     if (Number.isNaN(id)) return 'next'
118 | 
119 |     const config = await readConfig()
120 | 
121 |     if (id === config.currentExcercise) {
122 |       config.currentExcercise = id + 1
123 |     }
124 |     await writeConfig(config)
125 | 
126 |     res.send(config)
127 |   })
128 | 
129 |   router.get('/trash', async (req, res) => {
130 |     await trashConfig()
131 |     res.redirect('/')
132 |   })
133 | 
134 |   router.get('*', async (req, res) => {
135 |     res
136 |       .status(404)
137 |       .render('layout', {
138 |         title: '404 – Page Not Found',
139 |         content: '<h1>404 – Page Not Found</h1>'
140 |       })
141 |   })
142 | 
143 |   app.listen(PORT, '127.0.0.1', () => {
144 |     const url = `http://localhost:${PORT}`
145 |     console.log(`Server running on ${url}`)
146 |     if (argv.open) open(url)
147 |   })
148 | }
149 | 
150 | async function initExercises () {
151 |   exercises.forEach(exercise => {
152 |     if (exercise.heading || exercise.server === false) return
153 |     const exerciseEntryPoint = join(getExercisePath(exercise.id), 'server')
154 |     try {
155 |       require(exerciseEntryPoint)
156 |     } catch (err) {
157 |       console.error(`Could not start server for excercise ${exercise.id}: ${err.message}`)
158 |     }
159 |   })
160 | }
161 | 
162 | function getExercisePath (id) {
163 |   if (id < 10) id = `0${id}`
164 |   else id = String(id)
165 | 
166 |   return join(EXERCISES_PATH, id)
167 | }
168 | 


--------------------------------------------------------------------------------
/static/common.css:
--------------------------------------------------------------------------------
  1 | .clearfix:before,
  2 | .clearfix:after   { content: " "; display: table; }
  3 | .clearfix:after   { clear: both; }
  4 | .clearfix         { *zoom: 1; }
  5 | 
  6 | * {
  7 |   box-sizing: border-box;
  8 | }
  9 | 
 10 | body {
 11 |   background-color: #FFFFFF;
 12 |   font-family: monospace;
 13 |   overflow-y: scroll;
 14 | }
 15 | 
 16 | h1, h2, h3, h4, h5, h6 {
 17 |   font-family: 'Share Tech Mono', monospace;
 18 |   margin: 1em 0;
 19 | }
 20 | 
 21 | iframe {
 22 |   border: 1px solid #999;
 23 |   background-color: #FFF;
 24 | }
 25 | 
 26 | .iframeNav {
 27 |   background-color: #f6f6f6;
 28 |   width: 100%;
 29 |   position: fixed;
 30 |   top: 0;
 31 |   left: 0;
 32 |   right: 0;
 33 |   color: #FFF;
 34 |   border-bottom: 1px solid #ddd;
 35 | }
 36 | 
 37 | .iframeNav .home, .iframeNav .newtab, .iframeNav .urlForm {
 38 |   padding: 5px 5px;
 39 |   display: block;
 40 |   float: left;
 41 | }
 42 | 
 43 | .iframeNav .home {
 44 |   background: center url('/home.png') no-repeat;
 45 |   background-size: 26px;
 46 |   opacity: 0.7;
 47 |   height: 40px;
 48 |   cursor: pointer;
 49 |   width: 40px;
 50 |   margin-left: 5px;
 51 | }
 52 | 
 53 | .iframeNav .newtab {
 54 |   background: center url('/newtab.png') no-repeat;
 55 |   background-size: 22px;
 56 |   opacity: 0.7;
 57 |   height: 40px;
 58 |   cursor: pointer;
 59 |   width: 40px;
 60 | }
 61 | 
 62 | .iframeNav .home:hover, .iframeNav .newtab:hover {
 63 |   opacity: 1;
 64 | }
 65 | 
 66 | .iframeNav .urlForm {
 67 |   width: calc(100% - 85px);
 68 |   height: 40px;
 69 | }
 70 | 
 71 | .iframeNav .url {
 72 |   font-size: 13px;
 73 |   border-radius: 9999px;
 74 |   border: 1px solid #e0e0e0;
 75 |   background-color: #e0e0e0;
 76 |   padding: 6px 12px;
 77 |   width: 100%;
 78 | }
 79 | 
 80 | .iframeNav .url:focus, .iframeNav .url:active {
 81 |   border: 1px solid #333;
 82 |   background-color: #fff;
 83 |   outline: 0;
 84 | }
 85 | 
 86 | .root {
 87 |   padding-top: 40px;
 88 | }
 89 | 
 90 | @-webkit-keyframes pulse {
 91 |   from {
 92 |     -webkit-transform: scale3d(1, 1, 1);
 93 |     transform: scale3d(1, 1, 1);
 94 |   }
 95 | 
 96 |   50% {
 97 |     -webkit-transform: scale3d(1.05, 1.05, 1.05);
 98 |     transform: scale3d(1.05, 1.05, 1.05);
 99 |   }
100 | 
101 |   to {
102 |     -webkit-transform: scale3d(1, 1, 1);
103 |     transform: scale3d(1, 1, 1);
104 |   }
105 | }
106 | 
107 | @keyframes pulse {
108 |   from {
109 |     -webkit-transform: scale3d(1, 1, 1);
110 |     transform: scale3d(1, 1, 1);
111 |   }
112 | 
113 |   50% {
114 |     -webkit-transform: scale3d(1.05, 1.05, 1.05);
115 |     transform: scale3d(1.05, 1.05, 1.05);
116 |   }
117 | 
118 |   to {
119 |     -webkit-transform: scale3d(1, 1, 1);
120 |     transform: scale3d(1, 1, 1);
121 |   }
122 | }
123 | 
124 | .pulse {
125 |   -webkit-animation-name: pulse;
126 |   animation-name: pulse;
127 | }
128 | 
129 | @-webkit-keyframes jello {
130 |   from,
131 |   11.1%,
132 |   to {
133 |     -webkit-transform: translate3d(0, 0, 0);
134 |     transform: translate3d(0, 0, 0);
135 |   }
136 | 
137 |   22.2% {
138 |     -webkit-transform: skewX(-12.5deg) skewY(-12.5deg);
139 |     transform: skewX(-12.5deg) skewY(-12.5deg);
140 |   }
141 | 
142 |   33.3% {
143 |     -webkit-transform: skewX(6.25deg) skewY(6.25deg);
144 |     transform: skewX(6.25deg) skewY(6.25deg);
145 |   }
146 | 
147 |   44.4% {
148 |     -webkit-transform: skewX(-3.125deg) skewY(-3.125deg);
149 |     transform: skewX(-3.125deg) skewY(-3.125deg);
150 |   }
151 | 
152 |   55.5% {
153 |     -webkit-transform: skewX(1.5625deg) skewY(1.5625deg);
154 |     transform: skewX(1.5625deg) skewY(1.5625deg);
155 |   }
156 | 
157 |   66.6% {
158 |     -webkit-transform: skewX(-0.78125deg) skewY(-0.78125deg);
159 |     transform: skewX(-0.78125deg) skewY(-0.78125deg);
160 |   }
161 | 
162 |   77.7% {
163 |     -webkit-transform: skewX(0.390625deg) skewY(0.390625deg);
164 |     transform: skewX(0.390625deg) skewY(0.390625deg);
165 |   }
166 | 
167 |   88.8% {
168 |     -webkit-transform: skewX(-0.1953125deg) skewY(-0.1953125deg);
169 |     transform: skewX(-0.1953125deg) skewY(-0.1953125deg);
170 |   }
171 | }
172 | 
173 | @keyframes jello {
174 |   from,
175 |   11.1%,
176 |   to {
177 |     -webkit-transform: translate3d(0, 0, 0);
178 |     transform: translate3d(0, 0, 0);
179 |   }
180 | 
181 |   22.2% {
182 |     -webkit-transform: skewX(-12.5deg) skewY(-12.5deg);
183 |     transform: skewX(-12.5deg) skewY(-12.5deg);
184 |   }
185 | 
186 |   33.3% {
187 |     -webkit-transform: skewX(6.25deg) skewY(6.25deg);
188 |     transform: skewX(6.25deg) skewY(6.25deg);
189 |   }
190 | 
191 |   44.4% {
192 |     -webkit-transform: skewX(-3.125deg) skewY(-3.125deg);
193 |     transform: skewX(-3.125deg) skewY(-3.125deg);
194 |   }
195 | 
196 |   55.5% {
197 |     -webkit-transform: skewX(1.5625deg) skewY(1.5625deg);
198 |     transform: skewX(1.5625deg) skewY(1.5625deg);
199 |   }
200 | 
201 |   66.6% {
202 |     -webkit-transform: skewX(-0.78125deg) skewY(-0.78125deg);
203 |     transform: skewX(-0.78125deg) skewY(-0.78125deg);
204 |   }
205 | 
206 |   77.7% {
207 |     -webkit-transform: skewX(0.390625deg) skewY(0.390625deg);
208 |     transform: skewX(0.390625deg) skewY(0.390625deg);
209 |   }
210 | 
211 |   88.8% {
212 |     -webkit-transform: skewX(-0.1953125deg) skewY(-0.1953125deg);
213 |     transform: skewX(-0.1953125deg) skewY(-0.1953125deg);
214 |   }
215 | }
216 | 
217 | .jello {
218 |   -webkit-animation-name: jello;
219 |   animation-name: jello;
220 |   -webkit-transform-origin: center;
221 |   transform-origin: center;
222 | }
223 | 
224 | .animated {
225 |   -webkit-animation-duration: 1s;
226 |   animation-duration: 1s;
227 |   -webkit-animation-fill-mode: both;
228 |   animation-fill-mode: both;
229 | }
230 | 
231 | .animated.infinite {
232 |   -webkit-animation-iteration-count: infinite;
233 |   animation-iteration-count: infinite;
234 | }
235 | 


--------------------------------------------------------------------------------