Window name trick
Thursday, 6 September 2007
I didn’t know about this trick and I’m sure many others don’t either. You can inject javascript into the window.name and then execute that code from the new window by using eval on the window name. How cool is that? Here’s a example from Sirdarckcat:-
window.name="javascript:alert((window.opener||window).document.cookie);";
The inventor of this technique Giorgio Maone is my new hero π
Giorgio also wrote the noscript plugin, simply the best Firefox plugin on the net.
Big respect to Sirdarckcat for his cool XSS as well π
No. 1 — September 6th, 2007 at 12:54 pm
Yep – that’s what made my head ache when having to solve the first wave of PHPIDS exploits some weeks ago π
I have no idea why this feature is supported by browser vendors and I don’t see any real world usage so far – any ideas?
No. 2 — September 6th, 2007 at 12:56 pm
Nope it’s daft, they should prevent it.
If that made your head hurt…..sorry Mario:-
URL=name
I’ve no idea how you’ll prevent that one. Maybe it’s not your problem but rather a browser security issue.
No. 3 — September 6th, 2007 at 2:08 pm
not working on IE7
anyone tried ?
No. 4 — September 6th, 2007 at 2:13 pm
Hi raaka
Which item are you referring to? window.name or URL=name?
No. 5 — September 7th, 2007 at 12:20 am
… this is old, really old. Also you would suprised at the number of places that use it to maintain browser state on cookieless connections.
Also Giorgio Maone certainly didn’t invent it.
http://www.criticalsecurity.net/lofiversion/index.php/t5089.html (read second post from the bottom [I was testing it as an attack storage space back in 2005])
http://www.securitytracker.com/alerts/2005/May/1013914.html [back in 2005 – used as a operator to determine if hack should occur])
[-BTW: IF THIS POST APPEARS PLEASE FIX YOUR ANTI SPAM STUFF – IT WON’T LET ME POST WITH IE7… WITH JAVASCRIPT TURNED ON -]
No. 6 — September 7th, 2007 at 12:28 am
My mistake I thought Giorgio Maone because he was mentioned as the inventor on Sirdarckcat’s blog.
I don’t really care how old it is though, I didn’t know about it and I’m sure a few others didn’t either. You shouldn’t be able to inject javascript on one site and read it from another, so regardless if it is being used anywhere to maintain state it should be fixed.
Sorry to hear about the spam issue, please could you give me more details on your configuration so I can look into it. Thanks.
No. 7 — September 7th, 2007 at 10:38 am
Regards to the spam protection, I have recently updated my plugin so you should now be able to post in IE7, sorry about that.
No. 8 — September 7th, 2007 at 5:30 pm
hi Gareth
window.name=”javascript:alert((window.opener||window).document.cookie);”;
is this working on IE7 ?
my browserint responding..
No. 9 — September 7th, 2007 at 10:18 pm
I’ve recently updated the PHP Charset Encoder with some new candy – including an easy ‘name’ tool. It’s not as powerful as Giorgio’s hackademix redirector but might be quite useful in combination with the other features. Use responsible π
http://h4k.in/encoding/
No. 10 — September 7th, 2007 at 11:52 pm
Mario nice! Good tool!
No. 11 — September 7th, 2007 at 11:54 pm
The PHPIDS has since fixed the problem, I haven’t tested the window.name exploit but I’m sure it works.
No. 12 — October 29th, 2008 at 10:15 pm
i dont see how javascript is executed using the javascript can be executed in window.name..can you explain please?
No. 13 — October 29th, 2008 at 11:02 pm
name is a string like any other variable string but is passed between windows. So if you assign something to name in one site or window and then move to another site you can still get the contents of name.