Opera x-domain with video tutorial
Thursday, 8 November 2012
This is a pretty awesome x-domain I found and reported to Opera. It should be fixed in the latest version. Opera was leaking more properties than it should on a x-domain location, but the flaw was interesting because Opera prevented access to functions like alert, so it wasn’t directly exploitable. However, by using literal values you could obtain the Object constructors, like the Array constructor, and overwrite prototypes to execute code.
iframe.contentWindow.location.constructor.prototype.__defineGetter__
  .constructor('[].constructor.prototype.join=function(){alert("PWND:"+document.body.innerHTML)}')();
Then, when the site executed [].join, the function would be called, resulting in x-domain access. I did a video tutorial to show how I discovered it. Enjoy!
Opera x-domain Hackvertor tutorial video
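An added Node.js example, not code from the original post: two vm contexts stand in for the two origins, and the audit shows why any ordinary object handed across the boundary exposes the other realm's Function constructor, while a prototype-less facade does not. The names victim, leakyLocation, makeFacade, findFunctionConstructor and audit are assumptions for illustration, and the facade is not Opera's actual fix.

```javascript
// Added example: two vm contexts stand in for two origins (names are hypothetical).
const vm = require("node:vm");

// "Victim" realm with its own Array/Object/Function, like the framed page.
const victim = vm.createContext({});
const victimArray = vm.runInContext("Array", victim);

// Weak boundary: an ordinary object from the victim realm crosses over.
const leakyLocation = vm.runInContext('({ href: "https://victim.example/" })', victim);

// Restricted boundary (illustration only): no prototype, primitives only, frozen.
function makeFacade(href) {
  const facade = Object.create(null);
  facade.href = String(href);
  return Object.freeze(facade);
}

// Walk own properties and the prototype chain without invoking getters.
// Any function value found leads to its realm's Function constructor.
function findFunctionConstructor(obj) {
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    for (const key of Reflect.ownKeys(o)) {
      const desc = Object.getOwnPropertyDescriptor(o, key);
      if (desc && typeof desc.value === "function") return desc.value.constructor;
    }
  }
  return null;
}

// Report whether the receiver can compile code that runs in the victim realm.
function audit(obj) {
  const F = findFunctionConstructor(obj);
  if (F === null) return { leaked: false, foreignRealm: false, bindsVictimArray: false };
  return {
    leaked: true,
    foreignRealm: F !== Function,
    // Code compiled by F resolves [] in F's realm, which is why the
    // prototype overwrite in the post affected the framed site.
    bindsVictimArray: F("return [].constructor")() === victimArray,
  };
}

console.log(audit(leakyLocation));
console.log(audit(makeFacade(leakyLocation.href)));
```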