May 30, 2024

Episode 73: Sandboxed IFrames and WAF Bypasses

Critical Thinking - Bug Bounty Podcast

Episode 73: In this episode of Critical Thinking - Bug Bounty Podcast we give a brief recap of NahamCon and then touch on some topics like WAF bypass tools, sandboxed iframes, and programs redacting your reports.

Follow us on Twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on Twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Resources:

?. Tweet

https://x.com/garethheyes/status/1786836956032176215

NoWafPls

https://github.com/assetnote/nowafpls

Redacted Reports

https://x.com/deadvolvo/status/1790397012468199651

Breaking CORS

https://x.com/MtnBer/status/1794657827115696181

Sandbox-iframe XSS challenge solution

https://joaxcar.com/blog/2024/05/16/sandbox-iframe-xss-challenge-solution/

iframe and window.open magic

https://blog.huli.tw/2022/04/07/en/iframe-and-window-open/#detecting-when-a-new-window-has-finished-loading

domloggerpp

https://github.com/kevin-mizu/domloggerpp

Timestamps

(00:00:00) Introduction

(00:03:29) ?. Operator in JS and NoWafPls

(00:07:22) Redacting our own reports

(00:11:13) Breaking CORS

(00:17:07) Sandbox-iframes

(00:24:11) Dom hook plugins

Transcript

Justin Gardner (@rhynorater) (00:00.527) Alright Joel, how are you feeling about these bad boys right here?

Joel Margolis (teknogeek) (00:03.718) Those, I mean it matches your eyes man, it's good.

Justin Gardner (@rhynorater) (00:05.999) What do you mean it matches my eyes? They're bright pink. I left, for those of you listening, I left my headphones in the car this week and I don't have them right now. So I stole my wife's bright pink Bose headphones right now that I'm doing this pod with. So, you know, the devotion, the devotion to the pod. Am I right?

Joel Margolis (teknogeek) (00:25.542) Very stylish, very stylish.

Justin Gardner (@rhynorater) (00:27.343) Thank you, thank you very much. Man, that NahamCon weekend, that was a blast, dude.

Joel Margolis (teknogeek) (00:34.118) Yeah, that was super awesome. I don't think many people would think that we sort of threw that together last minute, but that was a very on the fly sort of setup that we had going on there. It looked great through the camera. Behind it was just like chaos.

Justin Gardner (@rhynorater) (00:40.559) Yeah.

Justin Gardner (@rhynorater) (00:46.287) It... It did. Chaos. Well, you know, we obviously we had been known we were going to host NahamCon for a while, but we kind of last minute decided, hey, let's do it together in person because I wanted to go see Joel's new house anyway. And yeah, dude, it worked out pretty well. We said, all right, we've got an hour to put together a studio for this whole thing. And Naham got the, you know, setups individualized again for one person versus two. And it went through. So that was pretty great.

Joel Margolis (teknogeek) (01:17.286) That was awesome.

Justin Gardner (@rhynorater) (01:18.927) Alright dude, we're gonna do a quick one today because it's a long weekend. We got some busy stuff going on. So but I did want to go through a couple things that I've been thinking about lately and one of them is freaking Johan Carlsson calling me out on Twitter because I didn't know about the question mark dot syntax. Do you know about the question mark dot syntax?

Joel Margolis (teknogeek) (01:41.798) Didn't, I mean I didn't know that JavaScript supported this. I've seen this in a lot of other languages so I guess I'm not surprised, but I am a little surprised. It's, it's super interesting. It's, it like basically is like if not null, right.

Justin Gardner (@rhynorater) (01:46.671) Mm-hmm.

Justin Gardner (@rhynorater) (01:58.031) Yeah, yeah, exactly. It's an optional chaining operator. And I think that this is mostly used when you're trying to figure out if there's multiple layers of elements in place, like sub-attributes on an object. But it's also possible to use this in between a function name and the sort of whatever these bad boys are, the parentheses that you use to call a function. And so, I wasn't aware of that and I comment on this post on Twitter, I'm like, wow, I'm kind of surprised this worked. And then freaking Johan Carlsson comes in there and says, I'm surprised that you're surprised good sir, it's a valid operator. And I'm like, okay, listen here, Johan, I know you're listening to this. You know, I bring you on my podcast and now you're calling me out on Twitter. No, he's right, I probably should have known about that. And I think it's really useful for...

Joel Margolis (teknogeek) (02:38.422) Yeah.

Justin Gardner (@rhynorater) (02:54.927) anybody who's dealing with WAFs in any capacity, because I think not a lot of WAFs are anticipating a question mark and a dot to be in between a function name and the function call parentheses. So I think it's a good one to be aware of.

Joel Margolis (teknogeek) (03:08.454) Yeah, that's a super good one to have in your back pocket. And speaking of WAF bypasses, NoWafPls is the new, the new tool from Assetnote. So Assetnote slash shubs launched this tool called NoWafPls, PLS, PLZ. I think you're stuck in 2012, bro. I don't know. Nobody says PLZ anymore. Hello, PLS.

Justin Gardner (@rhynorater) (03:13.743) Mm-hmm.

Justin Gardner (@rhynorater) (03:17.391) That's true.

Justin Gardner (@rhynorater) (03:27.663) I don't know, I feel like it should be PLZ.

Justin Gardner (@rhynorater) (03:32.783) What? No, does no one say PLZ? Am I showing my millennial here? Okay.

Joel Margolis (teknogeek) (03:38.118) No, it's PLS. Yeah, yeah, you're old. You're old, dude. Outdated. But yeah, no, it's. Yeah, this thing is awesome. It, I mean, TLDR is it, all the different techniques and stuff that were in the talk for, you know, different methods and bypasses to different WAFs are incorporated within this tool to help you bypass WAFs, you know, so NoWafPls.

Justin Gardner (@rhynorater) (03:42.319) All right, lovely. Thank you for that. But the tool is good.

Justin Gardner (@rhynorater) (04:01.039) Mm-hmm. Yeah. And it's all pretty simple, too. I mean, all it is, I wrote the Caido version for it, and essentially what it does is it adds a bunch of padding to your request. So if it's a URL-encoded content type, then it just adds like A equals AAAA, you know, jump sometimes up to 100 megabytes of As, and then your actual content, right? But sometimes it's as low as eight kilobytes that you'll need to bypass these WAFs that are just like, eight kilobytes, that's too big. We can't process that. And then moves along. So it was pretty easy to build in Caido. It doesn't have all the features. You know, you've got to go into the workflow and manually set the kilobyte size of padding that you want, but it should do the job to bypass most WAFs. And I just love the simplicity of this whole technique, because it's just like, all right, throw a bunch of garbage in there. And then the WAF says, I don't know what to do with that. Go ahead.

Joel Margolis (teknogeek) (05:03.27) I mean, it's like, I mean, it seems so simple, but at the same time, you're like, wow, I can't believe that works.

Justin Gardner (@rhynorater) (05:09.775) Yeah, dude, I'm with you on that one. All right, so like I said, we're gonna move along pretty quickly today, because it's a tight weekend for us. But this next one that I actually do, I don't know, man, maybe this needs a little bit more discussion, but I did want to at least shout it out. IMD3D on Twitter tweeted out something about an entire report being redacted by a customer on Bugcrowd. I've also seen this on HackerOne as well, where your entire report will just get deleted from HackerOne and it won't be like deleted deleted, but the whole thing will be redacted and there's just no way to access your own vulnerable and I feel like this is pretty whack and the explanations from the various programs have been kind of a miss, I think. What do you, what are your thoughts on this bad boy?

Joel Margolis (teknogeek) (06:04.87) Yeah, I mean, I don't want to get into too much. I think it's certainly very interesting, like, that they can do that. I totally see why, why they might want to do that because like it is their IP, I guess, right? Like, you know, the vulnerability itself and like all the information disclosed within it. So it's a, it's a tricky situation for sure. I don't know.

Justin Gardner (@rhynorater) (06:16.079) Mm-hmm. Mm-hmm.

Joel Margolis (teknogeek) (06:30.534) You know, at the end of the day, you are handing the vulnerability over. So if that's something that you're concerned about, you can always just like keep a local copy of all your reports. But you know, nothing stops you from doing that. But yeah, I mean, the company does sort of have the right to, you know, because they have full edit, you know, when the report like goes into the program, like it's in their inbox, they control everything on the report. They can change the title, they can do whatever. Right. So like, you know, there's some level of sort of ownership over that.

Justin Gardner (@rhynorater) (06:37.839) Yeah.

Justin Gardner (@rhynorater) (06:45.839) Mm-hmm.

Justin Gardner (@rhynorater) (06:53.711) Mm-hmm.

Justin Gardner (@rhynorater) (06:58.447) Yeah, yeah, I hear that. I just think it's also a place for the hackers to store their vulnerabilities in a history of web vulnerabilities you found. Or maybe you want those pieces of information in there so you can go back later and check those techniques or maybe even check for regressions, right? That's a pretty common thing that we do is go back, look at all the reports we found, and then see if those fixes that haven't been put in place have been undone, and so you can get another vulnerability. So I think it's a little tricky. I think there's maybe a tool opportunity here, a top opportunity, so to speak. That's what I call it. A top opportunity, a tool opportunity. Yeah, well, you know, I'm spending on the fly today. So I think it'd be cool to have a tool that just runs on a cron job on your VPS.

Joel Margolis (teknogeek) (07:36.186) A top opportunity. I don't know about that one, man.

Justin Gardner (@rhynorater) (07:54.223) just make it super simple. All you do is give it the input, like access token or API token for HackerOne or for Bugcrowd, and then it just pulls all your reports down and creates a backup of them. And I think that would be really valuable.

Joel Margolis (teknogeek) (08:12.518) Yeah, you can export reports pretty easily, I believe.

Justin Gardner (@rhynorater) (08:15.727) Yeah, you can, that's true. So it shouldn't be very hard to code either, but then it can't be like continuously updating, because if they go in and be in like redacted and then you overwrite your, you know, normal copy with a redacted copy, then you're kind of screwed. So you kind of got to know which one you've already pulled and then only pulled those ones. Yeah. Yeah, so I think, I think that would be cool. I would run that on my VPS. It does make your VPS a little bit more of a

Joel Margolis (teknogeek) (08:36.582) Yeah, yeah, yeah, yeah, 100%.

Joel Margolis (teknogeek) (08:43.334) Just put a little cron job.

Justin Gardner (@rhynorater) (08:45.199) Yeah, it does make your VPS a little bit more of a target though. Maybe I'll run that on like a cron job on my local server at my house and just have it like back up to like a, you know, external drive or something like that so it's not out there on the internet. That just kind of gives me the heebie-jeebies a little bit. Yeah. All right, man. Let's see. We got the sort of recap from Johan Carlsson's...

Joel Margolis (teknogeek) (08:59.782) Yeah. Yeah. Yeah, totally.

Justin Gardner (@rhynorater) (09:13.679) XSS challenge, which I think was pretty cool, or we can go and talk about this Matan Ber tweet. Let's go into that one because this one's kind of interesting, right, take a look at this. This is a tweet that Matan Ber retweeted. So it's not even from him. I just, he just brought it to my attention. But the tweet says this: There is a popular opinion bad CORS like Access-Control-Allow-Origin star is unexploitable. That's the, the popular opinion. I think the browsers won't send a cookie in this case. It is delusional. Which is, or it is a delusion is what it says. You can exploit it with a Chrome cache feature. One, I just love how strongly worded that is. Like, this is delusional. But two, I think there's an interesting technique here, which is that he's saying that you can exploit this with Chrome's cache feature.

Joel Margolis (teknogeek) (09:47.014) Yeah

Joel Margolis (teknogeek) (09:57.83) Yes.

Justin Gardner (@rhynorater) (10:10.607) And the little infographic that it says here is CORS like access-control origin star may be useless at first sight because you can't send cookies with it, but Chrome caches GET responses without the Cache-Control no-store header by default for two days. And then you can leak the response of this by using force-cache method along with fetch. And then that will send the, if you know the, the URL that was cached, you can send a request out, you can force it to use the cache, and it will pull that cached version back. And since it has Access-Control-Allow-Origin star, it will actually allow you to read that response. Which I think is pretty cool, but something makes me say that this got fixed at some point. Did you ever hear anything about that?

Joel Margolis (teknogeek) (11:02.918) I mean, I'm not enough of like a web guy. I would consider myself like when it comes to like the nitty gritty of this kind of stuff, I am my fingers not on the pulse enough. So I definitely didn't. But it's super interesting. I mean, these are like.

Justin Gardner (@rhynorater) (11:13.551) Yeah.

Justin Gardner (@rhynorater) (11:18.575) Yeah.

Joel Margolis (teknogeek) (11:22.406) Like I feel like if I were to go exploit an XSS nowadays, I would hit so many of these like weird things. I'd be like, I would not even be able to like compete.

Justin Gardner (@rhynorater) (11:31.311) Yeah, the access control, the CORS stuff I think is a little bit tricky sometimes, but I wanna say that this, actually now that I'm thinking about it, I wanna say that this technique is fixed. So I'm gonna pause it and I'm gonna go check it right now. Okay, so let me go ahead and, we're just gonna do a cut there, and I'm actually, I should have done this beforehand, and I meant to do it beforehand, but I actually didn't, so give me a second and I'm gonna go ahead and write up a POC for this really quick.

Justin Gardner (@rhynorater) (13:44.783) Sorry Joel, I meant to do this today, but, beforehand, but didn't get to it.

Justin Gardner (@rhynorater) (15:06.831) Son of a bitch dude. Of course this has to happen today.

Justin Gardner (@rhynorater) (15:13.071) So annoying.

Justin Gardner (@rhynorater) (15:43.503) It's still sending the request it seems. It's not doing force-cache.

Justin Gardner (@rhynorater) (15:52.559) Ugh!

Joel Margolis (teknogeek) (15:55.077) Maybe there was a fix now.

Justin Gardner (@rhynorater) (15:56.367) Yeah, it could be.

Justin Gardner (@rhynorater) (16:01.135) Can you try to research and see if force-cache?

Justin Gardner (@rhynorater) (16:23.855) Yeah, it looks like it's fixed.

Justin Gardner (@rhynorater) (16:31.791) Yeah, I think this is fixed. All right, we're just gonna roll with it. It's fixed, okay? Does that work? Okay, all right, so now we're getting ready to cut back in. This is at 16 minutes and 45 seconds.

Justin Gardner (@rhynorater) (17:01.583) Alright dude, I investigated that real quick and actually I knew that sounded familiar to me when I put the notes in the doc. Yeah, it is fixed. But I really, I thought it was a really interesting exploit when it first came out or when I first saw it, when I was first introduced with it or a little bit earlier on. And I think that there are probably other opportunities like that with force-cache in place. But I just wanted to also... kind of put that out there as well that this does not appear that this technique works at least with my, my current setup that I went ahead and tested with.

Joel Margolis (teknogeek) (17:32.006) Well, and if I can throw a little shameless plug in here, you know, we have this channel called intent to ship. That's, it's available to our critical thinkers. And I feel like something like this would probably show up in there if it were to change. So, if you're a subscriber on our Discord and you're one of the critical thinkers, then you'll have access to this and you'll probably know ahead of time.

Justin Gardner (@rhynorater) (17:37.295) That's true.

Justin Gardner (@rhynorater) (17:43.119) Yeah.

Justin Gardner (@rhynorater) (17:50.383) Mm-hmm. Yeah, yeah, man, I wish I had that Discord channel whenever they fixed this in the first place, because I would have been able to keep up to date with that. Also, I will say, though, that we only are currently pulling the stuff for Blink in there, but there's also the rendering engine that Firefox uses, which I believe is called Gecko or something like that.

Joel Margolis (teknogeek) (18:14.566) Yeah, yeah, something like that.

Justin Gardner (@rhynorater) (18:16.175) So I'm gonna update that bot as well soon to include the stuff from Gecko so that we can stay on top of all that as well. You know, for whatever measly share of users Firefox represents at this point. Yeah, something like that. All right, so a couple more things I wanted to go through here. The next one, okay, dude, did you see freaking Johan's CTF with the sandboxed iframe?

Joel Margolis (teknogeek) (18:27.782) Yeah. Yeah. What did it, like 2%? Yeah.

Joel Margolis (teknogeek) (18:43.654) No, I, I, no, no, I didn't, I didn't.

Justin Gardner (@rhynorater) (18:46.287) It was kind of crazy actually, dude. I was looking at it for a while and there's a couple pieces to it. One of them is like a CSP bypass. It utilizes the fact that like you can redirect from a domain that is, like if you have a path-based CSP in place for script source, so let's say you whitelist like teknogeek.io slash okayjavascript, right? And a user can actually host JavaScript at teknogeek.io slash bad JavaScript or whatever. If you can make a redirect from okayjavascript to bad JavaScript, then it will trust that redirection. And so that was one of the cool things, one of the cool hacks that he had in place for that CTF. But the one that really kind of blew my mind was this whole concept of essentially you can escape a sandbox inside of an iframe and leak the base URI of the top level frame with no relationship to that frame, you know, with no like allow-same-origin or anything like that. And the sandboxing thing sort of works by, you know, defining a null origin for that frame and then trust same origin policy to sort of, to sort of make sure that you can't access the data in a different frame. But what Johan figured out was when a srcdoc is used in iframe in conjunction with that sandbox, that you can access the document.baseURI property. And what that will do is it will give you the URI that is associated with the top level document, not the sandbox document, because of the srcdoc, I think, being different than the actual src in the iframe. Yeah, and so essentially what you could do is you could have a sandboxed iframe, origin null, no ability to do anything besides run scripts, and you can leak the top, you know, window.location.href of the top frame, which will lead to...

Joel Margolis (teknogeek) (20:26.758) super interesting.

Justin Gardner (@rhynorater) (20:42.831) a bunch of really cool bugs, I think, but it sounds most impactful in an environment where you can essentially land an OAuth code on that top level path and then go from your sandboxed iframe up and grab that OAuth code and exfiltrate it.

Joel Margolis (teknogeek) (21:01.158) super super cool. That's really interesting. I love these little, these little mini CTFs that keep coming out, the like XSS challenges and stuff. Yeah, like I feel like they disappeared for a while, but it's good. It hones your skills. You know, they're real world problems a lot of the time, like this almost certainly came from a real vulnerability that he had to exploit and he was sitting there. He's like hmm. I wonder how many other people can exploit this.

Justin Gardner (@rhynorater) (21:06.031) Mm-hmm, yeah. They're getting popular again.

Justin Gardner (@rhynorater) (21:15.951) Mm-hmm.

Justin Gardner (@rhynorater) (21:19.663) Yeah.

Justin Gardner (@rhynorater) (21:24.399) Exactly. Well, I'm also interested because it's like, iframe srcdoc, which is the alternative to a src for an iframe. You can provide a srcdoc and actually just write the HTML code right directly inside the attribute. I feel like it's a pretty rare thing to see, but I could also see this happening a lot in e-commerce environments or something like that where you need to be able to provide some customization to the environment while still actually not letting the user get access to credit card data and stuff like that. So I think there's lots of applications for this. How often srcdoc is actually used, I can't say though, because I've pretty much mostly just seen the src attribute used if you're defining an iframe. I think it's easier to do it that way too, because then you don't have to worry about base64 encoding the whole thing or sticking it inside the srcdoc. So.

Joel Margolis (teknogeek) (22:14.246) Yeah. Yeah.

Justin Gardner (@rhynorater) (22:23.247) It's a little bit of a niche thing, but that's what we're all about here, these sort of niche edge cases. So if you guys see srcdoc defined instead of src on an iframe, make sure you keep this trick in mind. All right, dude, let's see. Let's take a look at some of these other ones here. OK. This one is exciting. OK, let me just say this one, OK?

Joel Margolis (teknogeek) (22:35.494) Yeah, yeah, absolutely.

Justin Gardner (@rhynorater) (22:51.662) There was a blog post that I think we've talked about a little bit before that came out, iframe and window.open. It was from blog.huli.tw. And I read through a lot of it, and I was a little bit disappointed to see that there was a technique that had been sort of, you know, cards close to the chest. Wasn't really talking about this one quite as much that got disclosed there. So I figured, all right, let me just go ahead and talk about it. And that technique is, once again, regarding sandboxed iframes. And essentially what happens here, Joel, is when you define a sandboxed iframe, you can define a set of sandbox attributes associated with it, right? You can say, like, all right, allow-scripts, allow-popups, allow-modals, allow-same-origin, you've got all these options, right? What's really cool is that if you do a window.open from that sandboxed iframe, that window that results in, you know, that pops up in your browser in a new tab, that bad boy will also have those same properties that the sandbox iframe has. So then you get into this weird scenario where I can define an iframe on my page that has the sandbox attributes and you click a button on there and it opens up a new tab on Joel.com and now Joel.com has those, and my cookies are sent to Joel.com, everything, it's like a full top level nav. But the origin of that page is set to null. So it's not set to the normal top level Joel.com thing. So if I were to try to access the source of that page from a, or communicate with that page from another null origin iframe, then you could do communications if the postMessage handler or whatever you're working with here checks window.origin or origin. If it says event.origin, so event being the postMessage that's being sent, equals equals window.origin, which is a very common code pattern to check whether the message is coming from the current page that you're on or not, then it will allow communication. But what we can do now is we can change that origin on joel.com or bank.com or whatever to null and then communicate with that iframe from another null origin iframe. So it is.

Joel Margolis (teknogeek) (25:08.646) No, yeah.

Joel Margolis (teknogeek) (25:14.886) That's really interesting. That's a really interesting technique and it still works? Or it's fixed now? Okay.

Justin Gardner (@rhynorater) (25:18.159) It does, it still works. No, it works. I mean, I think it's just a function of how it works. Yeah. Yeah, dude. I was, I was kind of like kept on looking for opportunities to use it. And I had an opportunity one time where it was going to work out so good. And there was just this one little like teeny tiny mitigating factor where I couldn't get it to actually work. But because it is inside of a sandboxed iframe, you have a bunch of other restrictions. So it's not like, it doesn't like break the whole internet.

Joel Margolis (teknogeek) (25:22.598) It's just public now.

Justin Gardner (@rhynorater) (25:47.535) But it will allow, because you can't make requests out, you can't do a bunch of other stuff because of the sandbox, but what you can do is you can access any data that's loaded onto that page. So if you're able to open up a page that says, hello Joel, or whatever, with authorized users, since your cookies were sent with that original top level navigation, you can actually leak the data that's on that page and exfiltrate it out. Definitely another cool technique.

Joel Margolis (teknogeek) (25:48.038) Uhhh...

Joel Margolis (teknogeek) (26:11.558) Dang. That's a cool bug, man.

Justin Gardner (@rhynorater) (26:16.047) I can't recommend enough going to this blog.huli.tw and reading this blog post. It's a really high quality one if you want to understand same origin policy and the ways that frames communicate. Yeah, yeah, it's a good one, man. All right, I know we've got a little bit, only got a little bit longer today. Let me look at some of these other ones, okay.

Joel Margolis (teknogeek) (26:25.35) Yeah.

Joel Margolis (teknogeek) (26:32.262) Heck yeah.

Justin Gardner (@rhynorater) (26:44.367) Do you want, let me give you an option here. Because we can't get through all these. Do you want to have me talk about a Chrome plugin that I think really needs more attention, or do you want me to talk about a technique that really... I'm gonna go with the second one. It's more in line with the topic. Everybody, I'm just gonna say this. Go check out domloggerpp if you haven't already. That is going to be a very pivotal tool, I think, in the future of client web security, if you wanna test efficiently. It's pretty awesome. And I think it allows you...

Joel Margolis (teknogeek) (27:18.022) Yeah, I hadn't heard of that thing and it looks pretty crazy, man. I don't, yeah. Yeah. Okay.

Justin Gardner (@rhynorater) (27:23.567) It allows you to do your due diligence on client side stuff very well. Joel, let me run this last one by you, okay? So this concept, iframe hijacking, I think is really consistent with the stuff that we're talking about here, and it hasn't, we've talked about it I think once before on the pod, but we haven't talked about it super thoroughly, and it's this concept, okay? You have a page, like for example, in OAuth flow, that will do a window.open. It's gonna pop up like a little box or something like that, that, you know, click prove or whatever, blah-de-blah-de-blah, right? And then it's gonna communicate from that little box back to the main page that opened it up. Pretty common flow, right? Yeah, you see it all over the place. Here's the thing. You can hijack that little box. And the way you do that is if the page that does the window.open, if it supplies the name,

Joel Margolis (teknogeek) (27:59.59) Mm.

Joel Margolis (teknogeek) (28:07.174) Yep. Yep.

Justin Gardner (@rhynorater) (28:21.039) of the frame that it will be opening that up in, which most of the time they do, then what you can do is you can create a page or an iframe on your attacker controlled page and you can put that iframe to be the same origin of the page that will be opening up the new popup. So if it's on like, you know, login.whatever.com, then you set it to like, login.whatever.com slash 404 or something like that. Something that's iframeable, you know, you wanna try to find, maybe it's like an icon or something and they forgot the iframe not allowed or X-Frame-Options header and you can embed it into your page. You set it to that. And then you name that iframe the name of the window that they're gonna window.open on this other page. And so what's gonna happen when they click on the link in the page that you wanna attack is it will say, it'll look through the tab group and it'll say, hey, is there any frame that exists in our little circle of frames here that has this name? And if so, I'm gonna open into that. And so what it does is it identifies the frame that you set up in your page and it will actually open up that website into that frame. Okay, so now it says, okay, I just opened up this page, the user's gonna be authorizing stuff, blah-di-blah-di-blah, I'm gonna trust that pop-up that happened, right? But really, it wasn't a pop-up, it went to that iframe. Now, since we put that iframe in our own page, we can redirect that iframe to whatever we want. We can redirect it to an attacker-controlled page and abuse. You do, yeah, because you created the iframe. So you can go ahead and everything looks fine and dandy to the victim's side where they did the window.open, and since you have the iframe on your page, you can easily get a window reference through that. And so...

Joel Margolis (teknogeek) (29:55.974) Yeah, do you get a window reference back from that too? Yeah.

Justin Gardner (@rhynorater) (30:13.743) Then you can redirect that page to a malicious page. You can just bypass the whole flow and inject your attacker-controlled credentials there, right? A lot of times what'll happen is they'll do an auth callback to a specific page, and then there will be data in the hash. Because it'll be same origin, it'll reach in and grab that data, but you can just redirect it to the same origin and then inject your own data in the hash, and then now you're controlling the flow of the application. And I call this bad boy... frame hijacking. I think a lot of things are vulnerable to this. And the main takeaway here is make sure whenever you see a pop-up happening or some change happening in an iframe, look to see the window.open call that's doing it and check the name on that. Because if it is using a name that is guessable, then you may be able to hijack that iframe and gain control of the flow in that specific scenario.

Joel Margolis (teknogeek) (31:09.254) That's really, really interesting. That's a yeah. No, I know. Yeah. Yeah. You're like, yeah, I know. I think I followed you though. Yeah, that's, that's pretty freaking sweet. Yeah, you just had it's, it's so it's a browser behavior though. Like, yeah. Mm hmm. Okay. That's super interesting. So if you, so you can have two windows with the same name in Firefox.

Justin Gardner (@rhynorater) (31:10.831) Does all that make sense? I know I kind of sounded like that guy with like the strings and like the map, you know?

Justin Gardner (@rhynorater) (31:25.711) It is, and it's only in Chrome.

Justin Gardner (@rhynorater) (31:33.551) You know, it seems like that's the case, right? Because in Firefox it doesn't open it up and the window.open would then trigger and open up a new window. And I don't know why it doesn't work in Firefox, because they're in the same tab group. It seems like that should be compliant with the spec, but maybe they make some sort of differentiation because, you know, your frame is sort of sandwiched in between the two. And it's, I don't know, it just doesn't work in Firefox for some reason. It also doesn't work in incognito tab in Chrome.

Joel Margolis (teknogeek) (31:58.086) Yeah, that's super weird. Very cool though.

Justin Gardner (@rhynorater) (32:03.279) which is weird. So there's some weird restrictions that are going on.

Joel Margolis (teknogeek) (32:06.278) What? Huh. I guess I wonder if it's just because of the anti-tracking stuff.

Justin Gardner (@rhynorater) (32:15.343) The anti-tracking stuff has been getting in the way a lot lately. I don't know what Chrome did recently with that, but anytime there's a use of an iframe, something weird is happening. Yeah. All right, man. That's pretty much all I had for today. I won't go into the whole spiel about the domloggerpp, but it's a really cool thing, so definitely go check it out. You got anything else you wanted to shout before we move along?

Joel Margolis (teknogeek) (32:25.542) That's super weird.

Joel Margolis (teknogeek) (32:39.942) That's it, man.

Justin Gardner (@rhynorater) (32:41.071) Alright, sweet. It'll be a short one today, but we're staying consistent for you guys, the listeners, even though it's a busy week. Hopefully you guys get a lot out of this whole iframe mess that we described today.

Joel Margolis (teknogeek) (32:53.318) Yeah, lots of new tools, lots of new techniques to dig into in your free time.

Justin Gardner (@rhynorater) (32:56.847) Indeed, indeed. In the time that you are spending not listening to this episode of Critical Thinking, go and read that blog post about frames in window.open. We'll link it down below. All right, peace guys.

Joel Margolis (teknogeek) (33:06.598) Absolutely. Peace.