Comments (5)
@serapath yes, something like that, the main points are that args should be joined (to address this), and buffered (to address the OP). I'd say the optimal parser for this case would be another document (new DOMParser().parseFromString('...', 'text/html')) with the same readyState and content as the target document, because it reflects the actual resulting DOM the best. To illustrate my latest point:
var doc1 = new DOMParser().parseFromString('<html><head><body><frameset><frame src="/" /></frameset></body></head><html>', 'text/html');
var doc2 = new DOMParser().parseFromString('<html><frameset><frame src="/" /></frameset><html>', 'text/html');
// compare doc1 and doc2: the same frameset, written with and without the stray head/body tags
I found it the hard way when an attempted fix broke a similar test...
from snow.
related: bypass with multiple arguments to doc.write
var f = document.createElement('iframe');
document.body.appendChild(f);
// the iframe start tag is split across two arguments, so no single argument holds a complete tag
f.contentDocument.write('<iframe id="tst', '"></iframe><script>tst.contentWindow.alert(1);</script>');
from snow.
wow, mental.
Given there is `.innerHTML` (Line 33 in 48ec98b), could the same be applied here by hooking into contentDocument.write?
Basically this snippet fixes it and maybe can be generalized.
var f = document.createElement('iframe');
document.body.appendChild(f);
fix(f) // should be done by patched `.appendChild`
f.contentDocument.write('<iframe id="tst');
f.contentDocument.write('"></iframe><script>tst.contentWindow.alert(1);</script>');
function fix (f) {
  var old_write = f.contentDocument.write
  var content = '' // everything written so far, joined across arguments and calls
  const parser = document.createElement('div') // scratch element used to parse the buffered markup
  f.contentDocument.write = patched_write
  function patched_write (...args) {
    content += args.join('') // join the arguments, as document.write itself does
    parser.innerHTML = content
    const iframes = [...parser.querySelectorAll('iframe')]
    if (iframes.length) {
      // an iframe is now visible in the buffered markup: reset the document
      // and rewrite it with hook scripts placed around each iframe
      f.contentDocument.close()
      iframes.forEach(iframe => {
        var [s1, s2] = [
          `console.log('apply snow to iframe')`,
          `tst.contentWindow.alert = (...args) => console.log(...args)` // PoC only: 'tst' is the id used in the test above
        ].map(s => Object.assign(document.createElement('script'), { textContent: s }))
        iframe.before(s1)
        iframe.after(s2)
      })
      console.log('iframe found, rewriting buffered content')
      console.log(parser.children)
      old_write.apply(f.contentDocument, [parser.innerHTML])
    } else {
      old_write.apply(f.contentDocument, args)
    }
  }
}
from snow.
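The join-and-buffer idea from the first comment and the patched write above, as an added example that is not snow's code and not code posted in this thread. It runs outside a browser: the document object is a constructed stand-in for an iframe's contentDocument whose write only concatenates its arguments, and hookPerArgument, hookJoinedAndBuffered, findIframeTags and runWrites are hypothetical names used only here. The first hook inspects each argument on its own and misses the split tag; the second joins the arguments and keeps the markup across calls, so the tag is reported once it is complete.

```javascript
// Stand-in document (constructed for this example): the underlying write
// concatenates its arguments, exactly as the real document.write does.
function makeFakeDocument() {
  const doc = { markup: '' };
  doc.write = function (...args) {
    this.markup += args.map(String).join('');
  };
  return doc;
}

// Complete <iframe ...> start tags in a string. A tag whose closing ">" has
// not arrived yet (e.g. '<iframe id="tst') does not match, which is the gap
// that inspecting each argument or each call in isolation leaves open.
function findIframeTags(html) {
  return html.match(/<iframe\b[^>]*>/gi) || [];
}

// Naive hook: checks every argument of every call separately.
function hookPerArgument(doc, onIframe) {
  const origWrite = doc.write;
  doc.write = function (...args) {
    for (const arg of args) {
      for (const tag of findIframeTags(String(arg))) onIframe(tag);
    }
    return origWrite.apply(this, args);
  };
}

// Hardened hook: join the arguments the way the engine will, keep the markup
// accumulated across calls, and re-scan the whole buffer on every write so a
// tag split across arguments or calls is reported as soon as it is complete
// (and only once).
function hookJoinedAndBuffered(doc, onIframe) {
  const origWrite = doc.write;
  let buffer = '';
  let reported = 0; // number of complete iframe tags already reported
  doc.write = function (...args) {
    buffer += args.map(String).join('');
    const tags = findIframeTags(buffer);
    for (let i = reported; i < tags.length; i++) onIframe(tags[i]);
    reported = tags.length;
    return origWrite.apply(this, args);
  };
}

// Replays a sequence of write calls (each entry is one call's argument list)
// through the given hook; returns the tags the hook reported and the markup
// that actually reached the document.
function runWrites(installHook, calls) {
  const doc = makeFakeDocument();
  const seen = [];
  installHook(doc, (tag) => seen.push(tag));
  for (const args of calls) doc.write(...args);
  return { seen, markup: doc.markup };
}

// Constructed inputs modelled on the thread's bypass: the iframe start tag is
// split so that no single argument (first case) or single call (second case)
// contains a complete tag. The script body is a placeholder.
const SPLIT_ACROSS_ARGS = [
  ['<iframe id="tst', '"></iframe><script>/* payload omitted */</script>'],
];
const SPLIT_ACROSS_CALLS = [
  ['<iframe id="tst'],
  ['"></iframe><script>/* payload omitted */</script>'],
];
```

Both hooks forward the original arguments unchanged, so what reaches the document is identical; only the buffered hook reports the iframe. The same buffering is what lets the snippet above rewrite the document once a complete tag appears, rather than deciding per call.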
yes, and #80 (comment)
from snow.
Sorry to ruin the party guys, but with the help of #118 we might not need to dig too deep into this (thanks for the help!)
from snow.