Last active
August 29, 2015 13:56
-
-
Save netroy/9062352 to your computer and use it in GitHub Desktop.
Dat FB console ... for academic purposes only
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| (function (window) { | |
| 'use strict'; | |
| var realConsole = window.console || {}; | |
| var warnings = { | |
| 'Sorry, Your console is disabled for security reasons.': 'color: red; font-size: 36px; line-height: 40px;' | |
| }; | |
| Object.defineProperty(window, "console", { | |
| "value": realConsole, | |
| "writable": false, | |
| "configurable": false | |
| }); | |
| var whine = function () { | |
| Object.keys(warnings).forEach(function (key) { | |
| realConsole.log('%c ' + key, warnings[key]); | |
| }); | |
| whine = function () { | |
| throw new Error('disabled'); | |
| }; | |
| whine(); | |
| }; | |
| var fakeConsoleAPI = { | |
| "set": function () {}, | |
| "get": function () { | |
| whine(); | |
| return {}; | |
| } | |
| }; | |
| Object.defineProperty(console, "_commandLineAPI", fakeConsoleAPI); | |
| Object.defineProperty(console, "__commandLineAPI", fakeConsoleAPI); | |
| }).call(null, this); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| define("Chromedome", [ "Cookie" ], function (window, require, x, y, z, security) { | |
| 'use strict'; | |
| var Cookie = require("Cookie"); | |
| var localStorage = window.localStorage; | |
| security.start = function (xssSelf) { | |
| if (xssSelf.off || !(window.chrome || window.safari) || !/(^|\.)facebook\.com$/.test(document.domain) || Cookie.get("sx") === "opt" || Cookie.get("sz") === "opt" || !("localStorage" in window) || localStorage.consoleEnabled) { | |
| return; | |
| } | |
| var hasShowWarning = false; | |
| if (xssSelf.hardConsole) { | |
| Object.defineProperty(window, "console", { | |
| "value": console, | |
| "writable": false, | |
| "configurable": false | |
| }); | |
| } | |
| function preventAttack () { | |
| if (!hasShowWarning) { | |
| if (xssSelf.cookie) { | |
| document.cookie = xssSelf.cookie; | |
| } | |
| if (xssSelf.redir) { | |
| location.href = xssSelf.redir; | |
| } | |
| if (xssSelf.warnings) { | |
| xssSelf.warnings.map(function (warning) { | |
| (setTimeout).call(window, Function.prototype.apply.bind(console.log, console, warning), 1); | |
| }); | |
| } | |
| hasShowWarning = true; | |
| } | |
| if (xssSelf.block) { | |
| throw xssSelf.block; | |
| } | |
| } | |
| function iterateWindowProperties (iterator) { | |
| var properties = Object.keys(window); | |
| for (var i = properties.length; i--; ) { | |
| var key = properties[i]; | |
| var property = Object.getOwnPropertyDescriptor(window, properties[i]); | |
| if (typeof property.value === "function" && property.writable && !property.configurable) { | |
| iterator(key); | |
| } | |
| } | |
| } | |
| var consoleValue; | |
| var fakeWindow; | |
| var fakeConsole = { | |
| "set": function (val) { | |
| if (xssSelf.wipe) { | |
| fakeWindow = {}; | |
| iterateWindowProperties(function (property) { | |
| fakeWindow[property] = window[property]; | |
| }); | |
| } | |
| consoleValue = val; | |
| }, | |
| "get": function () { | |
| if (xssSelf.wipe) { | |
| iterateWindowProperties(function (property) { | |
| window[property] = fakeWindow[property]; | |
| }); | |
| } | |
| preventAttack (); | |
| return consoleValue; | |
| } | |
| }; | |
| Object.defineProperty(console, "_commandLineAPI", fakeConsole); | |
| Object.defineProperty(console, "__commandLineAPI", fakeConsole); | |
| }; | |
| }); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
line 56-78 is the magic