Minor Safari cross domain bug
Friday, 19 June 2009
I found this while writing Astalanumerator. Safari allows you to overwrite top and parent with native functions, and maybe other things (I haven't tried). This allows you to define something on domain A and call it on domain B via top and parent. I'd email Apple about it, but the last time I reported XSS on the Apple store they ignored me.
You could use this in DOM-based XSS situations when you have control over a link. The attack would work like this:-
But the remote site would include an iframe to the target page and redefine parent/top as setTimeout or eval. You could also use "name" in this instance to supply an XSS payload.
Here is the POC for the cross-domain call in action; I use subdomains in this instance, but any domain could be used:-
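As an added example (not the post's POC, which is not reproduced here), a probe that reports whether a given window object lets a page reassign `top` and `parent`, the behaviour the post describes. `probeWindowRefs`, `makeHardenedWindow` and `makeWritableWindow` are assumed names; the two `make*` functions are constructed stand-ins so the probe can run outside a browser, and in a real page you would call `probeWindowRefs(window)`.

```javascript
'use strict';

// Try to overwrite win[name] with a function and report whether the original
// reference survived. Modern browsers define top/parent as unforgeable
// accessors with no setter, so the assignment is rejected (TypeError in strict
// mode, silently ignored otherwise) and `overwritten` stays false.
function probeWindowRefs(win, names = ['top', 'parent']) {
  const report = {};
  for (const name of names) {
    const original = win[name];
    const desc = Object.getOwnPropertyDescriptor(win, name);
    let overwritten = false;
    try {
      win[name] = function injected() {};
      overwritten = win[name] !== original;
    } catch (e) {
      overwritten = false; // assignment rejected by the property descriptor
    } finally {
      if (overwritten) win[name] = original; // undo the probe
    }
    report[name] = {
      hasSetter: !!(desc && typeof desc.set === 'function'),
      writableData: !!(desc && desc.writable === true),
      configurable: !!(desc && desc.configurable === true),
      overwritten,
    };
  }
  return report;
}

// Constructed stand-in shaped like a current browser window: top and parent
// are read-only, non-configurable accessors pointing back at the window.
function makeHardenedWindow() {
  const win = {};
  for (const name of ['top', 'parent']) {
    Object.defineProperty(win, name, { get: () => win, enumerable: true, configurable: false });
  }
  return win;
}

// Constructed stand-in for the behaviour the post describes: top and parent
// are plain writable data properties, so any frame can replace them.
function makeWritableWindow() {
  const win = {};
  win.top = win;
  win.parent = win;
  return win;
}
```

A result with `overwritten: true` for either name means a sibling or child frame could swap the reference for a function of its own choosing before the page calls `top(...)` or `parent(...)`.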
No. 1 — June 21st, 2009 at 12:53 am
so for safari… rather than inject “eval(name)” (10 chars) you could inject something like “top(name)” (9 chars) or maybe just “top()” (5 chars!). wtg safari! I’ll have to play with this tonight. I don’t suppose there’s a way in JS to call a function without using parentheses… aside from using the setter trick (which only firefox supports as far as I know).
No. 2 — June 21st, 2009 at 7:49 am
I think the shortest would be top(name) because you can’t read the data just supplying a function as it executes from the other domain. If you could then it wouldn’t be minor 🙂 Safari seemed to raise an error when I tried.
No. 3 — June 21st, 2009 at 11:45 am
Have you played with frame busters?
if they do:
top.location=self.location;
and you set self.location to “javascript:” and top.location to frames[0], then you have a full XSS.
And with the clickjacking fever everyone has framebusters, from google to M$.
Greetz!!
No. 4 — June 21st, 2009 at 4:08 pm
@sirdarckcat
In my tests it only allowed native code but if you use a native object then it could work
No. 5 — June 22nd, 2009 at 3:40 am
Native code is ok dude..
http://eaea.sirdarckcat.net/safari-sucks.html
No. 6 — June 22nd, 2009 at 7:57 am
@sirdarckcat
Nice! 🙂