You Could’ve Submitted a Pull Request to Inject Arbitrary JS Code into Donald Trump’s Site. Here’s How.


Trump’s campaign donation site.
It’s loading a JS file directly from GitHub Pages, i.e. from the gh-pages branch of a third-party repository. Full source code screenshot can be found here.
https://github.com/igorescobar/jQuery-Mask-Plugin/blob/gh-pages/js/jquery.mask.min.js

Potential Attack Idea

if (location.host === 'secure.donaldjtrump.com') {
location = 'http://hillaryclinton.com/'
}
Injecting JS code to redirect Trump supporters to Clinton’s site.
Submitting a pull request to a JS file

More Attack Ideas

if (location.host === 'secure.donaldjtrump.com') {
document
.querySelector('.donation-container')
.style['background-image'] = 'url("https://cloud.githubusercontent.com/assets/992008/17785065/192ea49c-6534-11e6-9ab1-d3ac6b4894cb.jpg")'
}
Image taken from here: http://www.eater.com/2016/5/13/11673108/trump-putin-kiss-street-art

License

Side Note: Who’s Behind Trump’s Site

Please Don’t Try This at Home

Tweets (Before they patched it)

Tweets (AFTER they patched it)

For the Record…


http://chibicode.com
