Window name trick

I didn’t know about this trick and I’m sure many others don’t either. You can inject JavaScript into window.name and then execute that code from the new window by calling eval on the window name. How cool is that? Here’s an example from Sirdarckcat:-

window.name="javascript:alert((window.opener||window).document.cookie);";
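The reason this works is that a tab's window.name is kept across navigation, so whatever document ran in the tab before (or the opener) chooses its value, and `javascript:alert(...)` is valid JavaScript too (the `javascript:` prefix parses as a label), so the same string works whether the next page does `eval(window.name)` or `location = window.name`. The following example is added here and is not code from the original post or its commenters. It shows the unsafe "restore state from window.name" pattern a commenter mentions beside a hardened version that treats the value as untrusted input. The fake window object and the `navigate` callback (standing in for `location.assign`) are assumptions so that it runs under Node without a DOM.

```javascript
// Added example, not from the original post. window.name survives navigation,
// so any earlier document in the tab, on any origin, can set it; a page that
// reads it must treat it as attacker-controlled input.

const MAX_NAME_LENGTH = 256;

// True when the value would be interpreted as an executable URL if handed to
// location. Browsers ignore leading whitespace and control characters when
// parsing the scheme, so strip them first: "java\tscript:" is "javascript:".
function looksLikeScriptUrl(value) {
  const scheme = String(value).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return /^(javascript|vbscript|data):/.test(scheme);
}

// Parse window.name as an opaque state token. Only a short [A-Za-z0-9_-]
// token is accepted, so script URLs, HTML and JSON blobs never reach
// location or eval. Returns the token or null.
function parseStateToken(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > MAX_NAME_LENGTH) {
    return null;
  }
  if (looksLikeScriptUrl(name)) return null;
  return /^[A-Za-z0-9_-]{1,64}$/.test(name) ? name : null;
}

// Vulnerable pattern: the page forwards whatever it inherited in window.name
// straight to navigation (the "URL=name" variant). With the payload from the
// post, `navigate` receives a javascript: URL.
// `navigate` is an assumed stand-in for location.assign.
function restoreStateUnsafe(win, navigate) {
  navigate(win.name);
}

// Hardened pattern: validate first, always clear window.name so the value does
// not travel on to the next origin, and only then build a URL from the token.
function restoreStateSafe(win, navigate) {
  const token = parseStateToken(win.name);
  win.name = '';
  if (token === null) return null;
  navigate('/restore?state=' + encodeURIComponent(token));
  return token;
}

// Stand-alone demonstration with a constructed fake window (assumption: no DOM).
const PAYLOAD = 'javascript:alert((window.opener||window).document.cookie);';
const demoWin = { name: PAYLOAD };
const visited = [];
restoreStateUnsafe(demoWin, (url) => visited.push(url));
console.log('unsafe navigated to:', visited[0]);
console.log('safe result:', restoreStateSafe(demoWin, (url) => visited.push(url)),
            'window.name after:', JSON.stringify(demoWin.name));
```

Clearing window.name is the part most pages forget: even a page that never uses the value still passes it on to whatever origin the user visits next in the same tab.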

The inventor of this technique Giorgio Maone is my new hero :)
Giorgio also wrote the NoScript plugin, simply the best Firefox plugin on the net.

Big respect to Sirdarckcat for his cool XSS as well :)


Comments 11

  1. .mario wrote:

    Yep - that’s what made my head ache when having to solve the first wave of PHPIDS exploits some weeks ago ;)

    I have no idea why this feature is supported by browser vendors and I don’t see any real world usage so far - any ideas?

    Posted 06 Sep 2007 at 12:54 pm
  2. Gareth Heyes wrote:

    Nope it’s daft, they should prevent it.

    If that made your head hurt... sorry Mario:-
    URL=name

    I’ve no idea how you’ll prevent that one. Maybe it’s not your problem but rather a browser security issue.

    Posted 06 Sep 2007 at 12:56 pm
  3. raaka wrote:

    not working on IE7
    anyone tried?

    Posted 06 Sep 2007 at 2:08 pm
  4. Gareth Heyes wrote:

    Hi raaka

    Which item are you referring to? window.name or URL=name?

    Posted 06 Sep 2007 at 2:13 pm
  5. digi7al64 wrote:

    … this is old, really old. Also you would be surprised at the number of places that use it to maintain browser state on cookieless connections.

    Also Giorgio Maone certainly didn’t invent it.

    http://www.criticalsecurity.net/lofiversion/index.php/t5089.html (read second post from the bottom [I was testing it as an attack storage space back in 2005])

    http://www.securitytracker.com/alerts/2005/May/1013914.html [back in 2005 - used as an operator to determine if hack should occur]

    [-BTW: IF THIS POST APPEARS PLEASE FIX YOUR ANTI SPAM STUFF - IT WON'T LET ME POST WITH IE7... WITH JAVASCRIPT TURNED ON -]

    Posted 07 Sep 2007 at 12:20 am
  6. Gareth Heyes wrote:

    My mistake, I thought Giorgio Maone because he was mentioned as the inventor on Sirdarckcat’s blog.

    I don’t really care how old it is though, I didn’t know about it and I’m sure a few others didn’t either. You shouldn’t be able to inject javascript on one site and read it from another, so regardless of whether it is being used anywhere to maintain state it should be fixed.

    Sorry to hear about the spam issue, please could you give me more details on your configuration so I can look into it. Thanks.

    Posted 07 Sep 2007 at 12:28 am
  7. Gareth Heyes wrote:

    Regarding the spam protection, I have recently updated my plugin so you should now be able to post in IE7, sorry about that.

    Posted 07 Sep 2007 at 10:38 am
  8. raaka wrote:

    hi Gareth
    window.name="javascript:alert((window.opener||window).document.cookie);";
    is this working on IE7?
    my browser isn't responding..

    Posted 07 Sep 2007 at 5:30 pm
  9. .mario wrote:

    I’ve recently updated the PHP Charset Encoder with some new candy - including an easy ‘name’ tool. It’s not as powerful as Giorgio’s hackademix redirector but might be quite useful in combination with the other features. Use responsibly ;)

    http://h4k.in/encoding/

    Posted 07 Sep 2007 at 10:18 pm
  10. Gareth Heyes wrote:

    Mario nice! Good tool!

    Posted 07 Sep 2007 at 11:52 pm
  11. Gareth Heyes wrote:

    The PHPIDS has since fixed the problem; I haven’t tested the window.name exploit but I’m sure it works.

    Posted 07 Sep 2007 at 11:54 pm
