Multiple Browsers Window Injection Vulnerability (Fix?)

Michael Schwarz on Thursday, December 9, 2004

I have done some tests on the new vulnerability of most common browsers. I tried to get more information on how to fix this. First I tried to get the URL of the popup window, but the problem is that you get your URL, not the URL of the hijacked displayed page, so you cannot check if the current page is your page. Also, the HTML code (window.document.body.outerHTML) is the HTML code of your page.

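The second test was to add the following code to all of my pages:

    try {
      if (window.opener != null) {
        try {
          // Set a no-op unload handler on the opener.
          window.opener.onunload = function () {};
        } catch (e) {}

        // Reading the opener's URL can throw when the opener is on another
        // origin; the outer catch then swallows the error.
        if (window.opener.document.location.href.substr(0, 20) != "http://mydomain.com/") {
          var child_win = window.open("redir.aspx?redir=" + encodeURIComponent(document.location.href), "_new", "");
          window.close();
        }
      }
    } catch (e) {}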

I check whether the window.opener object is set. If it is not null, I check whether the location.href URL is a page from my domain. If not, I open a new window and close the current one. Now I can open all my popups!!! One thing still to be done is the problem that if you close the first window (the bad domain), the wrong popup will be shown.

Can you try this on your site? Would be nice to get feedback!!
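
The opener check described above, written as a testable function; this is an added example, not the author's code. It compares the parsed origin instead of a string prefix and treats a blocked cross-origin read as a foreign opener. The names classifyOpener, redirectTarget, fakeWindow and SITE_ORIGIN are assumptions, and mydomain.com is the post's placeholder.

```javascript
// Added example, not the post's code. All names here are hypothetical.
const SITE_ORIGIN = "http://mydomain.com"; // the post's placeholder domain

// Classify the opener of a popup. `win` is a window-like object, so the
// function can be exercised outside a browser.
function classifyOpener(win, siteOrigin) {
  if (win.opener == null) return "no-opener";
  let href;
  try {
    href = String(win.opener.document.location.href);
  } catch (e) {
    // The same-origin policy blocked the read: the opener is another site.
    return "foreign";
  }
  let origin;
  try {
    origin = new URL(href).origin;
  } catch (e) {
    return "foreign"; // unparsable URL: do not trust it
  }
  // Exact origin match; a look-alike host or "about:blank" does not pass.
  return origin === siteOrigin ? "same-site" : "foreign";
}

// URL the popup would reopen itself through when the opener is foreign.
// The page address is encoded so its own query string survives intact.
function redirectTarget(pageHref) {
  return "redir.aspx?redir=" + encodeURIComponent(pageHref);
}

// Constructed window-like objects for trying the function out.
function fakeWindow(openerHref) {
  return { opener: { document: { location: { href: openerHref } } } };
}
const blockedOpener = {
  get document() { throw new Error("Permission denied"); },
};

const samples = [
  ["no opener", { opener: null }],
  ["own page", fakeWindow("http://mydomain.com/page.aspx")],
  ["look-alike host", fakeWindow("http://mydomain.com.other.example/")],
  ["cross-origin (read blocked)", { opener: blockedOpener }],
];
for (const [label, win] of samples) {
  console.log(label + ": " + classifyOpener(win, SITE_ORIGIN));
}
```

In a page, a "foreign" result would be followed by window.open(redirectTarget(document.location.href), "_new", "") and window.close(), as in the post's code.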