
@stefanocoding
Created October 5, 2018 17:19
When `window.name` is evaluated #xss

The following is not a bug in the web browsers - it's supposed to work this way - but is useful in some cases like the one described.

In one of the JavaScript files loaded by an endpoint of a private program, they were taking the value of `window.name` and passing it to something like `eval([here])` or `setTimeout([here], [some_milliseconds])`, I don't remember exactly... The thing is that the value of `window.name` was being evaluated as JavaScript code, so `window.name = 'alert()'` showed an `alert()`. To use this behavior for an attack, you have two options:

  1. if the endpoint is frameable from any domain, you can create an `<iframe name='[javascript_code_here]' src='[vulnerable_endpoint]'></iframe>`
  2. if it's not frameable, you can set `window.name = '[javascript_code_here]'` in your own domain and then redirect to the vulnerable endpoint

The one I used was the second option. 💰
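As an added example (not part of the gist, and not the program's code), here is the sink pattern described above next to a hardened handler. It assumes a hypothetical page that used `window.name` to carry a view identifier across navigations; the view names and the injected string are constructed for the demo.

```javascript
// Vulnerable pattern, as the gist describes it: whatever string sits in
// window.name is handed to eval() (setTimeout(string) behaves the same way).
// window.name survives navigations and is set by whoever frames the page,
// so this is attacker-controlled input running in the page's origin.
function vulnerableHandler(windowName) {
  return eval(windowName);
}

// Hardened handler: treat window.name as untrusted input. Compare it against
// an allowlist of expected values and never evaluate it as code.
// The view names are constructed for this example.
const ALLOWED_VIEWS = new Set(['inbox', 'sent', 'drafts']);

function hardenedHandler(windowName) {
  if (typeof windowName !== 'string' || !ALLOWED_VIEWS.has(windowName)) {
    return null; // unknown or non-string value: ignore it
  }
  return windowName;
}

// Read the value once and clear it, so the page does not forward a name it
// received from a previous origin to the next page loaded in the same tab.
// `win` is any object with a writable `name` (window in a browser).
function consumeWindowName(win) {
  const value = win.name;
  win.name = '';
  return value;
}

// Constructed demo values (not from the page). '1+1' stands in for injected
// code: the vulnerable handler executes it, the hardened one rejects it.
const BENIGN_NAME = 'inbox';
const INJECTED_NAME = '1+1';
```

The allowlist is the real fix; clearing the name on entry is a secondary hygiene step. A Content-Security-Policy whose `script-src` omits `'unsafe-eval'` would also stop `eval()` and string-based `setTimeout()` from running the value at all. Note that framing protections (`X-Frame-Options`, `frame-ancestors`) only remove the first option above, not the second, which is why the sink itself has to be fixed.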
