Minor Safari cross domain bug

I found this while writing Astalanumerator. Safari allows you to overwrite top and parent with native code, and maybe other stuff (I haven’t tried). This allows you to define something on domain A and call it on domain B via top and parent. I’d email Apple about it, but the last time I reported XSS on the Apple store they ignored me.

You could use this in dom based XSS situations when you have control over a link. The attack would work like this:-

PHPIDS

The remote site would include an iframe pointing to the target page and redefine parent/top as setTimeout or eval. You could also use “name” (window.name) in this instance to supply the XSS payload.

Here is the POC of the cross-domain call in action; I use subdomains in this instance, but any domain could be used:-

Safari poc
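As an added illustration (not code from the original post or its POC), here is a defensive audit a page script could run before trusting top or parent, since a page relying on those references in frame-busting or window.name handling is operating on attacker-chosen values once they have been replaced. It is written against a constructed stand-in window so it runs outside a browser; the choice to audit only top and parent is an assumption.

```javascript
// Added example, not from the original post: audit top/parent for tampering.
// A genuine window reference is never callable and, even when cross-origin,
// answers ref.window === ref (`window` is on the cross-origin allowlist).
function isNativeFunction(fn) {
  return /\[native code\]/.test(Function.prototype.toString.call(fn));
}

// `win` is the global to inspect (window in a browser; a stand-in below).
function auditFrameRefs(win) {
  const findings = [];
  for (const prop of ['top', 'parent']) {
    let ref;
    try { ref = win[prop]; } catch (e) { findings.push(`${prop} threw on access`); continue; }
    if (typeof ref === 'function') {
      const kind = isNativeFunction(ref) ? 'native code' : 'script function';
      findings.push(`${prop} is callable (${kind})`);
      continue;
    }
    if (ref === null || typeof ref !== 'object') {
      findings.push(`${prop} is not an object`);
      continue;
    }
    let back;
    try { back = ref.window; } catch (e) { back = undefined; }
    if (back !== ref) findings.push(`${prop}.window does not point back to ${prop}`);
  }
  return findings;
}

// window.name is attacker-controlled: treat it as data only, and only while
// the frame references look untouched.
function nameIsSafeToUse(win) {
  return auditFrameRefs(win).length === 0 && typeof win.name === 'string';
}

// Constructed stand-ins for a browser global (not real windows).
function makeWindow(name) {
  const w = { name, location: { href: 'about:blank' } };
  w.window = w; w.self = w; w.top = w; w.parent = w;
  return w;
}
const cleanWin = makeWindow('hello');
const tamperedWin = makeWindow('alert(1)');
tamperedWin.top = eval;     // what the framing page could do in the affected Safari build
tamperedWin.parent = eval;
// auditFrameRefs(cleanWin) returns []
// auditFrameRefs(tamperedWin) returns
//   ['top is callable (native code)', 'parent is callable (native code)']
```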

Comments 6

  1. thornmaker wrote:

    So for Safari… rather than inject “eval(name)” (10 chars) you could inject something like “top(name)” (9 chars) or maybe just “top()” (5 chars!). WTG Safari! I’ll have to play with this tonight. I don’t suppose there’s a way in JS to call a function without using parentheses… aside from using the setter trick (which only Firefox supports as far as I know).

    Posted 21 Jun 2009 at 12:53 am
  2. Gareth Heyes wrote:

    I think the shortest would be top(name), because you can’t read the data just by supplying a function, as it executes from the other domain. If you could, then it wouldn’t be minor :) Safari seemed to raise an error when I tried.

    Posted 21 Jun 2009 at 7:49 am
  3. sirdarckcat wrote:

    Have you played with frame busters?

    if they do:
    top.location=self.location;

    and you set self.location to “javascript:” and top.location to frames[0], then you have a full XSS.

    And with the clickjacking fever everyone has framebusters, from google to M$.

    Greetz!!

    Posted 21 Jun 2009 at 11:45 am
  4. Gareth Heyes wrote:

    @sirdarckcat

    In my tests it only allowed native code, but if you use a native object then it could work.

    Posted 21 Jun 2009 at 4:08 pm
  5. sirdarckcat wrote:

    Native code is ok dude..
    http://eaea.sirdarckcat.net/safari-sucks.html

    Posted 22 Jun 2009 at 3:40 am
  6. Gareth Heyes wrote:

    @sirdarckcat

    Nice! :)

    Posted 22 Jun 2009 at 7:57 am
