Tuesday, June 16, 2015

Bypassing IE's XSS Filter with showModalDialog

Hi there! I'm Masato Kinugawa. Finally, I started my blog in English :)
Also I will continue to write in Japanese as until now: http://masatokinugawa.l0.cm/
Today, I want to share IE's XSS filter bypass with showModalDialog.

showModalDialog function is old and has been removed from the web standards, but it has unique mechanism. I thought it might make my day. That's why I started looking into it.
The function is still supported by IE, Firefox and Safari.

First of all, let's recap usage of showModalDialog.

The first argument is URL which you want to open in the modal dialog.
The second argument is the argument which you want to pass to the modal dialog. And you can use it through window.dialogArguments property in the modal window.

To pass argument through window.dialogArguments, it seems that two windows must be same origin.

But it is different in case of returnValue. Two windows don't have to be same origin in Safari and IE. (Only Firefox needs same origin)

Here is my test page:

Safari can pass it to different origin simply. Please test from the "x-origin" button.
To reproduce on IE, we need 3xx redirect. Please test from the "x-origin(redirect)" button.

This behavior means that we can pass information to another origin's page via returnValue property in Safari and IE. It might make a hole in some web application. But of course, I don't want to enlighten secure usage of showModalDialog in 2015 :)

Let's go to the main, bypass IE's XSS filter.

Exploitable Conditions:
  1. XSS exists in string literal of JS.
  2. Any JS property contains sensitive information.

The following is my test page:

<form name=form>
<input type=hidden name=token value=f9d150048b>
<script>var q="[XSS_HERE]"</script>

Seeing is believing. Please go to the following PoC using IE:


If it goes well, you can see token strings in alert when you closed the modal dialog.

Let's take a look at details. The redirect takes you to:


The payload is injected:
<form name=form>
<input type=hidden name=token value=f9d150048b>
<script>var q="";returnValue=form.token.value//"</script>
Then, the token is passed into returnValue. Yeah!!

Needless to say, also it works:


I have tried unsuccessfully to access other page's window object through window.opener. Any idea?

That's all. Understood? :)

FYI, I have blogged about some XSS filter bypass techniques in the past. (Sorry, Japanese text only)
If you are interested in other bypasses, please read using Google Translate.

ブラウザのXSS保護機能をバイパスする(1) (2012/2)
ブラウザのXSS保護機能をバイパスする(2) (2012/3)
ブラウザのXSS保護機能をバイパスする(3) (2012/9)
ブラウザのXSS保護機能をバイパスする(4) (2014/9)
ブラウザのXSS保護機能をバイパスする(5) (2014/10)

I'm going to continue to write blog in English as far as possible. 
Thank you!


I found a way to pass other same-origin page's information via returnValue.
Anyway please go to the following page and click the "go" button.


If it goes well, you can see "<h1>This is secret Text!</h1>" of  other same-origin page's information in alert dialog. In this PoC, we don't need 3xx redirect. It seems that we can set returnValue from x-origin page in iframe which exists in showModalDialog.


  1. One call! Capable people who really tuned in and guided me through the credit application process. An exchange of messages and the next day, my development returns were in my record! I can't imagine a more direct, less complex, all the more straightforward knowledge.
    Personal Loans for Bad credit
    Loans for Bad credit

  2. The association was basic and the underwriting was speedy. The credit official was especially master and heartfelt
    Online Loans for Bad credit
    Loans for people with bad credit

  3. Due to the Professionalism of the specialist, I had the choice to gain a Personal Loan.
    Car Loans for Bad credit
    Bad Credit Loans

  4. The experience it was fundamental and easy to apply for a development. No issues, no mystery costs, incredibly capable.
    Bad Credit Loans Personal
    Bad Credit Loans for people

  5. Understanding these vulnerabilities is crucial for web developers and security professionals to better protect against such attacks. The X-XSS-Nightmare exploit underscores the importance of thorough code review, robust security testing, and staying updated on the latest security trends and patches. while diving into the intricacies of web security is captivating, I've also been busy preparing for exams, such as the GRE. Balancing study sessions with staying informed about cybersecurity developments can be challenging at times. There were moments when I felt overwhelmed and wished I could find someone to take my GRE exam for me, but I know that mastering these skills is essential for my future career.

  6. Congratulations on starting your English blog, Masato! It's great to see you expanding your reach and sharing your knowledge across different languages. The topic you're exploring sounds intriguing—XSS filter bypass with showModalDialog. It's fascinating how even older functions like showModalDialog can still have significant implications. As we focus on our online exams, it's essential to stay informed about cybersecurity issues like XSS vulnerabilities. Thanks for sharing your insights—I'll be sure to check out your blog for more updates!