This prefix can seem negligible, but I assure you it’s not.
I think this text is a very important security feature; it allows the user to understand what website is requesting or displaying data.
A few months ago I found a very interesting bug that allowed me to create alerts with no origin identification. I was also able to generate this alert on the current active tab as long as my website was running in one of the background tabs.
Since most browsers use the native device alert, when you set a timeout on an alert function it will still be visible from any tab.
The code above will let you run alerts on other domains as long as you're using a mobile device. The downside is that it will still start with “https://ronmasas.com says:” so it’s not that interesting.
myWindow = window.open("var password = prompt('Give me your password please',''); window.opener.save(password); window.close();");
// Callback function, called from the opened window via window.opener.save()
function save(password) {
    alert("Password is " + password);
}
This bug was reported and fixed by Google.
Back in July 2015 I reported an XSS issue to PayPal; it was a DOM XSS on “checkout.paypal.com”.
It’s taken several months but with the issue now fixed I wanted to publish this post.
return this._localhostRe.test(url) || this._braintreeDomainRe.test(url);
As you can see, there are two validation methods. Let’s take a look.
The localhost validation regex allows any domain that starts with “http://localhost” (I guess the developers used it to test things on a local environment). So… I just need to create a subdomain named localhost on any domain and PayPal will happily load my script.
The exploit worked only on browsers that support mixed content, because the script can only be loaded over http in order to pass the validation.
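The prefix-match flaw described above, next to a stricter check, as an added example that is not PayPal's or Braintree's code. The regex is a constructed stand-in for the one the post describes, and the allowlisted host name, the `devMode` flag and the function names are assumptions.

```javascript
// Constructed stand-in for the check described above: anchored at the start
// only, so any characters may follow "http://localhost".
const weakLocalhostRe = /^http:\/\/localhost/;

function weakIsAllowed(url) {
  return weakLocalhostRe.test(url);
}

// Hypothetical allowlist; the real host names are not given in the post.
const ALLOWED_HOSTS = new Set(["assets.example.com"]);
const DEV_HOSTS = new Set(["localhost", "127.0.0.1"]);

// Hardened check: parse the URL first, then compare the exact host name
// instead of matching a prefix of the raw string.
function strictIsAllowed(url, { devMode = false } = {}) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // not an absolute URL
  }
  const host = parsed.hostname; // already lower-cased by the URL parser
  if (parsed.protocol === "https:" && ALLOWED_HOSTS.has(host)) return true;
  // Plain-http localhost is accepted only in development builds.
  return devMode && parsed.protocol === "http:" && DEV_HOSTS.has(host);
}

// Constructed sample inputs.
const samples = [
  "http://localhost:8080/app.js",
  "http://localhost.attacker.example/app.js",
  "https://assets.example.com/app.js",
  "https://assets.example.com.attacker.example/app.js",
];

// Run every sample through both checks so the difference is visible.
function compare() {
  return samples.map((url) => ({
    url,
    weak: weakIsAllowed(url),
    strictProd: strictIsAllowed(url),
    strictDev: strictIsAllowed(url, { devMode: true }),
  }));
}

console.table(compare());
```

Keeping the localhost exception behind a build-time flag means a production bundle never accepts plain-http script sources at all.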
To exploit you’d just use the following
Hope you guys found this post interesting.