Window name trick

I didn’t know about this trick and I’m sure many others don’t either. You can inject javascript into window.name on one page, and because the name survives navigation, the next page loaded in that window can execute the code by calling eval on window.name. How cool is that? Here’s an example from Sirdarckcat:-

window.name="javascript:alert((window.opener||window).document.cookie);";

The inventor of this technique Giorgio Maone is my new hero :)
Giorgio also wrote the noscript plugin, simply the best Firefox plugin on the net.

Big respect to Sirdarckcat for his cool XSS as well :)

13 Responses to “Window name trick”

  1. .mario writes:

    Yep – that’s what made my head ache when having to solve the first wave of PHPIDS exploits some weeks ago 😉

    I have no idea why this feature is supported by browser vendors and I don’t see any real world usage so far – any ideas?

  2. Gareth Heyes writes:

    Nope it’s daft, they should prevent it.

    If that made your head hurt…..sorry Mario:-
    URL=name

    I’ve no idea how you’ll prevent that one. Maybe it’s not your problem but rather a browser security issue.

  3. raaka writes:

    not working on IE7
    anyone tried ?

  4. Gareth Heyes writes:

    Hi raaka

    Which item are you referring to? window.name or URL=name?

  5. digi7al64 writes:

    … this is old, really old. Also you would be surprised at the number of places that use it to maintain browser state on cookieless connections.

    Also Giorgio Maone certainly didn’t invent it.

    http://www.criticalsecurity.net/lofiversion/index.php/t5089.html (read second post from the bottom [I was testing it as an attack storage space back in 2005])

    http://www.securitytracker.com/alerts/2005/May/1013914.html [back in 2005 – used as an operator to determine if hack should occur]

    [-BTW: IF THIS POST APPEARS PLEASE FIX YOUR ANTI SPAM STUFF – IT WON’T LET ME POST WITH IE7… WITH JAVASCRIPT TURNED ON -]

  6. Gareth Heyes writes:

    My mistake I thought Giorgio Maone because he was mentioned as the inventor on Sirdarckcat’s blog.

    I don’t really care how old it is though, I didn’t know about it and I’m sure a few others didn’t either. You shouldn’t be able to inject javascript on one site and read it from another, so regardless if it is being used anywhere to maintain state it should be fixed.

    Sorry to hear about the spam issue, please could you give me more details on your configuration so I can look into it. Thanks.

  7. Gareth Heyes writes:

    Regards to the spam protection, I have recently updated my plugin so you should now be able to post in IE7, sorry about that.

  8. raaka writes:

    hi Gareth
    window.name="javascript:alert((window.opener||window).document.cookie);";
    is this working on IE7 ?
    my browser isn't responding..

  9. .mario writes:

    I’ve recently updated the PHP Charset Encoder with some new candy – including an easy ‘name’ tool. It’s not as powerful as Giorgio’s hackademix redirector but might be quite useful in combination with the other features. Use responsible 😉

    http://h4k.in/encoding/

  10. Gareth Heyes writes:

    Mario nice! Good tool!

  11. Gareth Heyes writes:

    The PHPIDS has since fixed the problem, I haven’t tested the window.name exploit but I’m sure it works.

  12. bender writes:

    I don't see how javascript is executed using the javascript can be executed in window.name.. can you explain please?

  13. Gareth Heyes writes:

    name is a string like any other variable string but is passed between windows. So if you assign something to name in one site or window and then move to another site you can still get the contents of name.
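
The post's description of the trick and the explanation in the last comment both come down to one fact: window.name is a string that outlives the document, so whatever the previous page in the tab put there is handed to the next page, whoever served it. The following is an added example, not code from the post or from any of the commenters, showing the pattern the post describes (eval on window.name) next to a hardened reader that treats the value as untrusted input and clears it as soon as it has been consumed. The `win` argument is a plain object standing in for a browser window so the code runs under Node; the state keys `page` and `sort`, the value pattern and the `navigate` helper are assumptions made for the example.

```javascript
// Added example, not code from the original post or its comments.
// `win` is a plain object standing in for a browser window so this runs
// under Node; in a real page you would pass `window`.

const ALLOWED_KEYS = new Set(["page", "sort"]);   // assumed application state keys
const VALUE_PATTERN = /^[A-Za-z0-9_-]{1,32}$/;     // assumed value format
const MAX_NAME_LENGTH = 512;

// The pattern the post describes: whatever the previous document in this tab
// stored in window.name is handed straight to eval. Left here only as the
// "before" version; nothing in this file calls it.
function unsafeLoadState(win) {
  return eval(win.name); // executes text chosen by an unknown page as code
}

// Hardened reader: window.name is input from an unknown page, so parse it
// strictly, accept only known keys and values, and never evaluate it.
function safeLoadState(win) {
  const raw = typeof win.name === "string" ? win.name : "";
  // Consume the value immediately so it does not follow this tab to the next site.
  win.name = "";
  if (raw.length === 0 || raw.length > MAX_NAME_LENGTH) return null;
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (e) {
    return null; // not our JSON envelope (e.g. a "javascript:..." string)
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) return null;
  const state = {};
  for (const [key, value] of Object.entries(parsed)) {
    if (!ALLOWED_KEYS.has(key)) return null;
    if (typeof value !== "string" || !VALUE_PATTERN.test(value)) return null;
    state[key] = value;
  }
  return state;
}

// Writer side: only whitelisted keys and values ever go into window.name,
// so the page never stores anything it would refuse to read back.
function saveState(win, state) {
  const clean = {};
  for (const [key, value] of Object.entries(state)) {
    if (!ALLOWED_KEYS.has(key) || typeof value !== "string" || !VALUE_PATTERN.test(value)) {
      throw new TypeError(`refusing to store ${key} in window.name`);
    }
    clean[key] = value;
  }
  win.name = JSON.stringify(clean);
}

// Models the browser behaviour the post relies on: a navigation replaces the
// document (and possibly the origin) but leaves window.name in place.
function navigate(win, url) {
  win.location = url;
  return win;
}

function demo() {
  // Constructed scenario: a page on one site sets the post's payload as the
  // window name, then the tab navigates to an application on another site.
  const tab = { name: "", location: "https://other-site.example/" };
  tab.name = "javascript:alert((window.opener||window).document.cookie);";
  navigate(tab, "https://app.example/");
  const rejected = safeLoadState(tab);   // null; tab.name has been cleared
  saveState(tab, { page: "3", sort: "name-asc" });
  navigate(tab, "https://app.example/?next");
  const accepted = safeLoadState(tab);   // { page: "3", sort: "name-asc" }
  return { rejected, accepted, nameAfter: tab.name };
}

console.log(demo());
```

Clearing window.name on read matters because the value persists for the life of the tab: leaving it in place lets a later page on another site read whatever this application stored there. Modern browsers now reset window.name on cross-site top-level navigations (Firefox and Chrome did so from version 86), but same-site pages and older browsers still see the value, so the strict parsing is needed regardless.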