How exploitable is a site listening to browser messages from anyone?
I am working on a site where I have found some iframe issues. The case is that site A has an iframe of site B, and site A listens to 'messages' from anywhere and then it can perform two different actions when a message comes in:
- Set document.location = "incoming message data"
- Create a form, and set the action attribute value to "incoming message data", add it to the DOM and then submit the form.
This means I can set up site Evil, include an iframe of site A, and then start sending arbitrary messages, for example "javascript:alert(1)", which will in both of the above cases execute the JavaScript in the iframe context. Before I report this to the people I work for, I need to have a scenario in which this would be a major issue. And this is where it gets tricky, because I cannot really come up with a scenario where this would be a significant issue. The ideas I have are:
- I can execute javascript in the context of site A, but I cannot get cookies due to SoP.
- I could set up a key listener on site Evil and make site A iframe fill the screen asking for a login, in that way harvesting logins for site A. This would require some social engineering to work properly.
But this is the best I can come up with, so my question is, have I completely overlooked something? Googling around doesn't yield any other options.
EDIT:
Obviously this opens site A (whom I work for) up for XSS through site B (who is a semi known company, but still). Another point I am thinking about making is why on earth would anyone do ANYTHING this way? Create a form and submit and answer with some received data? I can't figure out a good reason to do it like this, maybe any of you good people can?
EDIT2:
It seems there is no way to bypass Same Origin Policy even though I can execute arbitrary javascript in the context of Site A through the iframe located on Site Evil. So there is nothing about this 'vulnerability' that makes it any different from an attacker to get a user to click on an arbitrary link.
requests to a server I set up. I have tried adding a script with `src=EvilServer`, and the script gets executed, but it is still affected by SoP (and the server serves the scripts with `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Credentials: true`). Every time I can get the code executed, but no matter what I do, I cannot get the cookie of site A.
– sboutzen Jul 21 '16 at 08:54
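For comparison with the listener described in the question, here is an added example (not code from the original post or from site A) of how such a `message` handler is normally hardened: check `event.origin` against an allowlist, and only assign a validated `http(s)` URL to `document.location` or a form `action`, so a `javascript:` string from an embedding page is dropped. The names `ALLOWED_ORIGINS`, `validateNavigationTarget` and `installListener` are assumptions for this example.

```javascript
// Added example: validate sender origin and navigation target before using
// postMessage data. Names below are assumptions, not the site's real code.

// Origins allowed to drive navigation in this frame (assumed allowlist).
const ALLOWED_ORIGINS = new Set(["https://site-b.example"]);

// Returns a vetted absolute URL string, or null if the message must be ignored.
function validateNavigationTarget(origin, data, currentHref) {
  // 1. Reject senders not on the allowlist. The handler in the question skipped
  //    this, so any page that embeds site A could post to it.
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  // 2. Accept only strings; objects can be coerced in surprising ways.
  if (typeof data !== "string") return null;
  // 3. Parse relative to the current page so "javascript:alert(1)" resolves to
  //    its real scheme instead of being treated as a path.
  let url;
  try {
    url = new URL(data, currentHref);
  } catch {
    return null;
  }
  // 4. Only plain web URLs may become document.location or a form action;
  //    javascript:, data: and blob: would run script in this origin.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // 5. Keep destinations same-origin so the message cannot redirect the user
  //    to an arbitrary site. Relax deliberately if cross-site navigation is needed.
  if (url.origin !== new URL(currentHref).origin) return null;
  return url.href;
}

// Hardened replacement for `document.location = event.data`; the same vetted
// value is what should be assigned to a form's action attribute.
function installListener(win, doc) {
  win.addEventListener("message", (event) => {
    const target = validateNavigationTarget(event.origin, event.data, doc.location.href);
    if (target === null) return; // drop anything that fails validation
    doc.location = target;
  });
}

// Wire up only when running inside a browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  installListener(window, document);
}
```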