Minor Safari cross domain bug

By Gareth Heyes (@hackvertor)

Published 16 years 11 months ago • Last updated March 22, 2025 • ⏱️ < 1 min read

I found this while writing Astalanumerator. Safari allows you to overwrite top and parent with native code and maybe other stuff (I haven't tried). This allows you to define something on domain A and call it on domain B using the top and parent. I'd email Apple about it but the last time I reported XSS on the Apple store they ignored me.

You could use this in dom based XSS situations when you have control over a link. The attack would work like this:-

PHPIDS

But the remote site would include a iframe to the target page and refining parent/top as setTimeout or eval. You could also use "name" in this instance to provide a XSS payload.

Here is the POC for the cross domain in action, I use subdomains in this instance but any domain could be used:-

Safari poc

← Back to articles

Minor Safari cross domain bug

By Gareth Heyes (@hackvertor)

Published 16 years 11 months ago • Last updated March 22, 2025 • ⏱️ < 1 min read

← Back to articles

You could use this in dom based XSS situations when you have control over a link. The attack would work like this:-

PHPIDS

But the remote site would include a iframe to the target page and refining parent/top as setTimeout or eval. You could also use "name" in this instance to provide a XSS payload.

Here is the POC for the cross domain in action, I use subdomains in this instance but any domain could be used:-

Safari poc

← Back to articles