Minor Safari cross domain bug

I found this while writing Astalanumerator. Safari allows you to overwrite top and parent with native code and maybe other stuff (I haven’t tried). This allows you to define something on domain A and call it on domain B via top and parent. I’d email Apple about it, but the last time I reported XSS on the Apple store they ignored me.

You could use this in DOM-based XSS situations when you have control over a link. The attack would work like this:-

PHPIDS

But the remote site would include an iframe to the target page and redefine parent/top as setTimeout or eval. You could also use “name” in this instance to provide an XSS payload.

Here is the POC for the cross domain bug in action; I use subdomains in this instance but any domain could be used:-

Safari poc
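A sanity check a framed page could run before trusting top/parent (for example in a frame-buster of the kind discussed in the comments below), written as an added example and not code from the post or its commenters. Window objects are modelled as plain objects so it runs in Node, and the bug is simulated by replacing the child’s top with a native function or with another frame; it assumes, as the post reports, that an attacker can only substitute native functions or objects, so it is a heuristic, not a substitute for server-side framing controls.

```javascript
// Added example (not from the original post): detect a tampered frame hierarchy.
// Real browsers expose window objects; here they are modelled as plain objects.

function isWindowLike(w) {
  // A genuine window is an object (never a function) and is its own window/self.
  return w !== null && typeof w === "object" && w.window === w && w.self === w;
}

function frameHierarchyLooksIntact(win) {
  const top = win.top;
  const parent = win.parent;
  if (!isWindowLike(top) || !isWindowLike(parent)) return false; // top/parent replaced by native code
  // top must be the root of the hierarchy: it is its own top and its own parent.
  if (top.top !== top || top.parent !== top) return false;
  // Following parent links from win must reach the object claimed as top.
  let cur = win;
  for (let hops = 0; hops < 64; hops++) {
    if (cur === top) return true;
    if (cur.parent === cur) return false; // hit a root that is not the claimed top
    cur = cur.parent;
  }
  return false;
}

// Constructed sample hierarchies (not real DOM objects).
function makeWindow() {
  const w = {};
  w.window = w; w.self = w; w.top = w; w.parent = w;
  return w;
}
const outer = makeWindow();
const child = makeWindow();
child.parent = outer; child.top = outer;          // normal framing: child inside outer
const tampered = makeWindow();
tampered.parent = outer;
tampered.top = function setTimeout() {};          // top redefined as native code, as in the post
const redirected = makeWindow();
redirected.parent = outer;
redirected.top = makeWindow();                    // top swapped for an unrelated frame

frameHierarchyLooksIntact(child);      // true
frameHierarchyLooksIntact(tampered);   // false
frameHierarchyLooksIntact(redirected); // false
```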

6 Responses to “Minor Safari cross domain bug”

  1. thornmaker writes:

    so for safari… rather than inject “eval(name)” (10 chars) you could inject something like “top(name)” (9 chars) or maybe just “top()” (5 chars!). wtg safari! I’ll have to play with this tonight. I don’t suppose there’s a way in JS to call a function without using parentheses… aside from using the setter trick (which only firefox supports as far as I know).

  2. Gareth Heyes writes:

    I think the shortest would be top(name) because you can’t read the data by just supplying a function, as it executes from the other domain. If you could then it wouldn’t be minor 🙂 Safari seemed to raise an error when I tried.

  3. sirdarckcat writes:

    Have you played with frame busters?

    if they do:
    top.location=self.location;

    and you set self.location to “javascript:” and top.location to frames[0], then you have a full xss.

    And with the clickjacking fever everyone has framebusters, from google to M$.

    Greetz!!

  4. Gareth Heyes writes:

    @sirdarckcat

    In my tests it only allowed native code, but if you use a native object then it could work.

  5. sirdarckcat writes:

    Native code is ok dude..
    http://eaea.sirdarckcat.net/safari-sucks.html

  6. Gareth Heyes writes:

    @sirdarckcat

    Nice! 🙂