@0xcod3
Forked from stefanocoding/window.name.md
Created May 27, 2019 05:22
When `window.name` is evaluated #xss

The following is not a bug in the web browsers - it's supposed to work this way - but is useful in some cases like the one described.

In one of the JavaScript files loaded by an endpoint of a private program, they were taking the value of `window.name` and passing it to something like `eval([here])` or `setTimeout([here], [some_milliseconds])`, I don't remember correctly... The thing is that the value of `window.name` was being evaluated as JavaScript code, so `window.name = 'alert()'` showed an `alert()`. To use this behavior for an attack, you have two options:

  1. if the endpoint is frameable from any domain, you can create an `<iframe name='[javascript_code_here]' src='[vulnerable_endpoint]'></iframe>`
  2. if it's not frameable, you can set `window.name = '[javascript_code_here]'` in your own domain and then redirect to the vulnerable endpoint

The one I used was the second option. 💰
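
A defensive counterpart to the pattern described above, as an added example that is not part of the original gist: the page reads `window.name` as JSON data and validates it against an allowlist instead of passing it to `eval` or `setTimeout`. The `readNameState` function, the `tab` and `page` fields and the sample inputs are assumptions made for illustration.

```javascript
// Added example: treat window.name as untrusted data, never as code.
// Pattern described in the gist (do not use):
//   setTimeout(window.name, 0);   // or eval(window.name)

// Hypothetical schema: the only fields this page expects to receive.
const ALLOWED = {
  tab: (v) => typeof v === 'string' && /^[a-z]{1,16}$/.test(v),
  page: (v) => Number.isInteger(v) && v >= 1 && v <= 1000,
};

// Parse win.name as JSON, keep only allowlisted and validated fields,
// and fall back to the defaults on anything unexpected.
function readNameState(win, defaults = { tab: 'home', page: 1 }) {
  const raw = typeof win.name === 'string' ? win.name : '';
  win.name = ''; // window.name survives navigations, so clear it after reading
  const state = { ...defaults };
  if (raw.length === 0 || raw.length > 256) return state;
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return state; // not JSON (e.g. 'alert()'): ignored, never executed
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return state;
  }
  for (const [key, isValid] of Object.entries(ALLOWED)) {
    if (Object.prototype.hasOwnProperty.call(parsed, key) && isValid(parsed[key])) {
      state[key] = parsed[key];
    }
  }
  return state;
}

// Constructed inputs standing in for the browser's window object.
const hostile = { name: 'alert()' };
const benign = { name: '{"tab":"settings","page":3,"extra":"x"}' };
console.log(readNameState(hostile)); // { tab: 'home', page: 1 }
console.log(readNameState(benign));  // { tab: 'settings', page: 3 }
```

Blocking framing only closes the first option in the list above, since the second sets `window.name` before a top-level navigation. A Content-Security-Policy without `'unsafe-eval'` additionally stops `eval` and string arguments to `setTimeout` from running.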
