Snippets Of Defense Pt.II

Sat, 13 Oct 2007 07:29:41 GMT
by mario-heiderich

This article is part of a series of posts about small and easy to understand code fragments you can use on your site for protection against certain kinds of attacks. Also this series is targeted to help you understand better what tricks are used by attackers to break into your site and how to avert them. If you have a Snippet of defense yourself and you want to share it, feel free to contact us.

The snippet - reset window.name

The window.name property is often used for complex XSS attacks because you can fill it with payload on one site and read the contents on another site. Sounds weird? It is! Try setting this property on an arbitrary site with Firebug or something similar, navigate to another site and run alert(name) - you should see the exact text you entered. Since you can also evaluate the contents of name an attacker can load kilobytes of payload into this property, redirect and execute it with eval(name) on the victims site - shortest XSS vector ever.

The more sophisticated the attack method is, the easier it it to protect from. In this case, we just need to overwrite window.name in the header of you applications markup like this - don't forget to encapsulate the code in script tags:

window.name = false;

I hope that you enjoy the trick. Till the next time.

Archived Comments

Sirw2pSirw2p
Good advice, many applications are still vulnerable for things like that.. Best.
JimJim
But even if you do not filter this attack correctly, I believe proper output encoding (HTML Entitly Encoding) will protect against even this kind of attack.
clinisbutclinisbut
I don't understand at all what's the possible attack... 'cause the alert(name) doesn't outputs anything to me on firefox 2.07 I'm trying to alert( window.name ) too but a empty alert pops up!
pdppdp
first of all you need to set it!
Mario HeiderichMario Heiderich
You can use Firebug/the JS console to do this. Just navigate to an arbitrary site, use the console and enter window.name = 'alert("hello ")'. Then navigate to another site and open the console again. Enter eval.name and it'll work.
clinisbutclinisbut
Ah... I understand, only lefts find a way to execute that eval(window.name) in the other website isn't it?