`src` indicating a URL (the URL may be cross origin or same origin)
`src` indicating the content using the
`srcdoc` indicating the content
`python3 -m http.server`) you will notice that all the scripts will be executed (as there is no CSP preventing it). The parent won't be able to access the
`secret` var inside any iframe, and only the iframes if2 & if3 (which are considered to be same-site) can access the secret in the original window. Note how if4 is considered to have
`script-src` won't allow the execution of the JS code using the
`data:` protocol or the
`srcdoc` attribute. However, even the
`none` value of the CSP will allow the execution of the iframes that put a URL (complete or just the path) in the
`src` attribute. Therefore it's possible to bypass the CSP of a page with:
`if2` scripts are going to be executed but only
`if1` will be able to access the parent secret.
`script-src 'none'`. This can potentially also be done by abusing a same-site JSONP endpoint.
`script-src 'none'`. Just run the application and access it with your browser:
`sandbox` attribute enables an extra set of restrictions for the content in the iframe. By default, no restriction is applied.
`sandbox` attribute is present, and it will:
`<applet>`, or other)
`sandbox` attribute can either be empty (then all restrictions are applied), or a space-separated list of pre-defined values that will REMOVE the particular restrictions.
`//example.org` is embedded into a sandboxed iframe, then the page's origin will be
`window.origin === 'null'`. So just by embedding the iframe via
`<iframe sandbox="allow-scripts" src="https://so-xss.terjanq.me/iframe.php">` we could force the
`allow-popups` is set then the opened popup will inherit all the sandboxed attributes unless
`window.origin === e.origin` because both are
`null` it's possible to send a payload that will exploit the XSS.
`/iframe.php`. Because the identifier is known, it doesn't matter that the condition
`window.origin === e.origin` is not satisfied (remember, the origin is the popup from the iframe which has origin
`data.identifier === identifier`. Then, the XSS will trigger again, this time in the correct origin.
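As an added illustration (not code from the original page or from the challenge it describes) of why a `window.origin === e.origin` check breaks once a frame or popup is in an opaque origin: a `postMessage` handler that compares the sender's origin with its own origin accepts any other opaque-origin sender, while an allow-list check that rejects the string `'null'` does not. The function names, the trusted-origin list and the simulated event objects are assumptions; the check is run outside a browser with constructed events.

```javascript
// Added example (not from the original page): postMessage origin checks,
// simulated outside a browser with constructed event objects.
// A sandboxed iframe without allow-same-origin, and any popup it opens that
// inherits the sandbox, has an opaque origin serialized as the string 'null'.

// Origins this receiver is willing to accept. Constructed for the example.
const TRUSTED_ORIGINS = new Set(['https://so-xss.terjanq.me']);

// Weak check: compares the sender's origin with the receiver's own origin.
// When the receiver itself runs in an opaque origin, windowOrigin is 'null',
// so every other opaque-origin sender passes this comparison.
function weakOriginCheck(windowOrigin, event) {
  return windowOrigin === event.origin;
}

// Hardened check: reject opaque origins outright and require an explicit
// allow-list match. The receiver's own origin is never used as the reference.
function strictOriginCheck(event) {
  if (typeof event.origin !== 'string' || event.origin === 'null') return false;
  return TRUSTED_ORIGINS.has(event.origin);
}

// Minimal handler: returns the accepted payload, or null when rejected.
function handleMessage(event, accept) {
  if (!accept(event)) return null;
  return event.data;
}

// Constructed events: one from a sender in an opaque origin (e.g. a popup that
// inherited the sandbox), one from a sender in the expected origin.
const fromOpaqueSender = { origin: 'null', data: { identifier: 'abc' } };
const fromTrustedSender = { origin: 'https://so-xss.terjanq.me', data: { identifier: 'abc' } };

// Receiver running inside the sandboxed frame: window.origin is 'null'.
const sandboxedWindowOrigin = 'null';

function demo() {
  return {
    weakAcceptsOpaque: handleMessage(fromOpaqueSender, e => weakOriginCheck(sandboxedWindowOrigin, e)) !== null,
    strictAcceptsOpaque: handleMessage(fromOpaqueSender, strictOriginCheck) !== null,
    strictAcceptsTrusted: handleMessage(fromTrustedSender, strictOriginCheck) !== null,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo()); // { weakAcceptsOpaque: true, strictAcceptsOpaque: false, strictAcceptsTrusted: true }
}
```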