This is my first experience with Stack Overflow and I'm afraid my question asks a lot for a first. I was looking at this thread: http://stackoverflow.com/questions/2634159/javascrypt-in-the-adress-bar-is-this-malicious and, as you will see, SLaks has very kindly deobfuscated the JavaScript and left us with what appears to be the JavaScript behind the automatic Facebook invite code.

As I'm fairly new to JavaScript, I was wondering, what other components were needed to get this code to work? You of course have the functions there and they are called by the obfuscated JavaScript, but how exactly?

Would it be possible to replicate this on a page of my own using the information available or is there more to this script I am missing? I am willing to financially assist somebody who could compile a solution for me.

Thank you in advance.

A: 

There are plenty of JavaScript obfuscators floating around. By executing JavaScript in the address bar you are executing with the same context or the "same origin" as the website you are currently visiting. Thus, the rules for exploiting XSS are identical. I recommend studying XSS payloads like the Samy worm which affected MySpace. In short, you can use XMLHttpRequest to force the browser into doing your bidding, or you can hijack the session by stealing the "document.cookie".

Rook
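
The cookie point in the answer above can be checked from the defender's side. The following is an added example, not part of the original answer: it audits `Set-Cookie` headers to show which cookies any same-origin script (including one run from the address bar) could read through `document.cookie`. The function names, cookie names and header values are constructed for illustration. `HttpOnly` covers only the cookie-theft half; it does not stop same-origin requests made with XMLHttpRequest.

```javascript
// Added example: audit Set-Cookie headers for exposure to same-origin script.
// All names and header values here are constructed sample data.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // malformed or nameless pair: skipped by this audit
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// One finding per cookie; sessionNames lists the cookies that carry a session.
function auditCookies(setCookieHeaders, sessionNames) {
  return setCookieHeaders.map(parseSetCookie).filter(Boolean).map((c) => {
    const scriptReadable = !('httponly' in c.attrs); // attribute presence is what counts
    const sameSite = c.attrs.samesite;
    return {
      name: c.name,
      scriptReadable,
      secure: 'secure' in c.attrs,
      sameSite: typeof sameSite === 'string' ? sameSite.toLowerCase() : null,
      risk: sessionNames.includes(c.name) && scriptReadable
        ? 'session cookie readable by script' : 'none',
    };
  });
}

// Approximate what document.cookie would return (Path, Domain, expiry ignored).
function documentCookieView(setCookieHeaders) {
  return setCookieHeaders.map(parseSetCookie)
    .filter((c) => c && !('httponly' in c.attrs))
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

const sampleHeaders = [ // constructed
  'sid=abc123; Path=/; Secure; SameSite=Lax',
  'sid_hardened=def456; Path=/; Secure; HttpOnly; SameSite=Strict',
  'theme=dark; Path=/',
];
console.log(auditCookies(sampleHeaders, ['sid', 'sid_hardened']));
console.log(documentCookieView(sampleHeaders));
```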