WebKit
FYI, Mobile Safari is not vulnerable because it does not have the
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12
Impact: Visiting a maliciously crafted website may leak sensitive data
Description: A permissions issue existed in the handling of the location variable. This was addressed though additional ownership checks.
CVE-2016-4758: Masato Kinugawa of Cure53
Preconditions for Attack
To attack using this bug, we need two conditions:
- That the navigation happens after the page has finished loading.
I created a page that satisfies this:
<script>function go_top(){ location.href = "/index.html"; /* body assumed; not in the extracted post */ }</script>
<button onclick="go_top()">Top Page</button>
This page's only purpose is to navigate to https://vulnerabledoma.in/index.html when the user clicks the "Top Page" button.
I think pages like this exist everywhere. But using this bug, we can perform an XSS attack under these conditions.
Now, let's use the
The following page simply opens the target page in a modal dialog:
What will happen when we click the "Top Page" button in the modal dialog? Needless to say, we will go to https://vulnerabledoma.in/index.html. But Safari was different. Surprisingly, Safari navigated to https://l0.cm/index.html. Obviously, Safari mistakes the parent window's base URL for the modal window's base URL.
xhr.open("GET", [URL]) used the correct URL.)
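To make the base-URL confusion described above concrete, here is an added example (my own code, not from the original post) that resolves the same relative navigation target against the modal document's own URL and against the parent window's URL, the way the post says Safari did, and then shows a defensive check a page can apply before assigning `location`. The origins are the ones named in the post; the page names, the relative path and the function names are assumptions.

```javascript
// Added example (not from the original post): model how a relative navigation
// target resolves against a document's base URL, and why using the wrong base
// (the parent window's, as the post describes for Safari's modal dialog) sends
// the navigation to a different origin.

// Constructed sample values: the origins appear in the post; the page names
// and the relative path are assumptions.
const VICTIM_PAGE = "https://vulnerabledoma.in/page.html";
const PARENT_PAGE = "https://l0.cm/attacker.html";
const RELATIVE_TARGET = "/index.html";

// Resolve a relative URL the way a browser does: against the document's base URL.
function resolveAgainstBase(relative, baseUrl) {
  return new URL(relative, baseUrl).href;
}

// Correct behaviour: the modal document's own URL is the base.
function correctNavigationTarget() {
  return resolveAgainstBase(RELATIVE_TARGET, VICTIM_PAGE);
}

// Buggy behaviour as the post describes it: the parent window's URL is taken
// as the base, so the same relative path lands on the other origin.
function confusedNavigationTarget() {
  return resolveAgainstBase(RELATIVE_TARGET, PARENT_PAGE);
}

// Defensive check a page can apply before assigning location: build the target
// from an explicit absolute origin (so no base-URL resolution is involved) and
// refuse anything that still ends up off-origin, e.g. a protocol-relative URL.
function safeNavigationTarget(relative, expectedOrigin) {
  const target = new URL(relative, expectedOrigin);
  if (target.origin !== expectedOrigin) {
    throw new Error(`refusing navigation to ${target.origin}, expected ${expectedOrigin}`);
  }
  return target.href;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("correct :", correctNavigationTarget());
  console.log("confused:", confusedNavigationTarget());
  console.log("safe    :", safeNavigationTarget(RELATIVE_TARGET, "https://vulnerabledoma.in"));
}
```

The point of `safeNavigationTarget` is that an absolute URL has no base to be confused about, so a page that hardcodes its origin when navigating is unaffected by a browser picking the wrong base URL; the origin comparison additionally catches inputs such as `//l0.cm/index.html` that resolve off-origin even with a correct base.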
Developing XSS attacks
According to html5sec.org #42, Safari allows setting the
And my assumption was correct. This is the final PoC:
<!DOCTYPE html>
If it goes well, you will see an alert dialog when you click the "Top Page" button, like the following screenshot:
Conclusion
I wrote about Safari's UXSS bug. I reported this bug on June 15, 2015. This bug lived in WebKit for over a year after I reported it.
If I find an interesting bug, I'll share it again :D Thanks!