Anchor Tag XSS Exploitation in Firefox with target="_blank"

Commonly, we use the javascript: URL scheme to exploit a cross-site scripting (XSS) issue, particularly when the href attribute of an anchor tag is within our control. Here's an example:

<a href="javascript:alert('Domain:' + document.domain + '\nCookies:' + document.cookie)">simple XSS</a>

Modern browsers, however, either refuse to execute the JavaScript code or block access to sensitive DOM objects, such as document.cookie, when the anchor's target attribute is set to _blank. Consider the following HTML code as an example:

With target="_blank" set on the anchor:
<a href="javascript:alert('Domain:' + document.domain + '\nCookies:' + document.cookie)" target="_blank">Here is a link, can you get both document.domain and document.cookie?</a>

As DCLabs has explained in their post at http://blog.dclabs.com.br/2021/05/the-curious-case-of-xss-and-mouse.html, it is possible to trigger the XSS payload via a middle mouse click or a Shift/Ctrl/Alt+click key combination. Regrettably, this method is only effective in Chrome. Firefox still blocks access to some DOM objects, such as document.cookie, while permitting document.domain.

However, I have found a way to do the same thing in the latest version of Firefox while still being able to access the window object. I reported this to Firefox about four months ago in case they wanted to fix it. But they have only added it to their to-do list and I do not think they will get around to it anytime soon, as it is a small bug.

Here are some proof-of-concept payloads that demonstrate how the original window objects can be accessed:

Method 1: Using a new window

javascript:w=window.open('https://20.rs/pocs/target_blank/anchor_pocs1.php?canbeframed=0','_blank');alert(/delay/);alert('Domain:' + w.document.domain + '\nCookies:' + w.document.cookie);

Method 2: Using a frame

javascript:document.write(%22<iframe name=myfrm src='https://20.rs/pocs/target_blank/anchor_pocs1.php' onload='alert(`Domain:` %2b this.contentWindow.document.domain %2b `\nCookies:` %2b this.contentWindow.document.cookie)'></iframe>%22);document.close();
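Both payloads above only work because the href itself carries a javascript: URL. The following is an added example (not from the original post) of the corresponding defence: a scheme allowlist for user-controlled anchor hrefs, applied with the same WHATWG URL parser the browser uses. The page origin and the helper names are assumptions; apply the check to the decoded attribute value (what a DOM sanitizer sees), not to raw HTML source.

```javascript
// Added example (not from the original post). The attack on this page relies
// on the href carrying a javascript: URL, so the fix is a scheme allowlist
// applied after the WHATWG URL parser (Node's global URL) has normalized the
// value. PAGE_ORIGIN is an assumed placeholder for the site serving the link.
const PAGE_ORIGIN = "https://example.com/";
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns the normalized absolute href if its scheme is allowed, otherwise null.
// Normalizing first defeats the usual bypasses that browsers tolerate: mixed
// case ("JaVaScRiPt:"), leading whitespace or control characters, and ASCII
// tabs or newlines inside the scheme ("java\tscript:").
function sanitizeHref(candidate) {
  if (typeof candidate !== "string") return null;
  let url;
  try {
    url = new URL(candidate, PAGE_ORIGIN);
  } catch {
    return null; // unparseable input: drop the link rather than guess
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Minimal escaping for HTML text and double-quoted attribute values.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
}

// Builds the anchor markup; if the href is rejected, only the escaped link text
// is emitted. rel="noopener" does not help against this page's issue, since the
// attacker controls the href itself; the scheme check is what blocks javascript:.
function renderLink(text, candidateHref) {
  const href = sanitizeHref(candidateHref);
  if (href === null) return escapeHtml(text);
  return `<a href="${escapeHtml(href)}" target="_blank" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}
```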

I used these new tricks in a recent bug bounty project to amplify the impacts of an XSS issue when the target attribute was set to _blank. I was able to take victims’ OAuth tokens using this method in both Chrome and Firefox. Sadly, in this specific case, my report was quickly marked as a duplicate and immediately closed.

My hope is that in the future, bug bounty hunters can earn more by showing that this issue can affect more than just Chrome and Edge browsers using the methods I have described here.

PoC Link to Try:

I have created the following proof-of-concept link for those who would like to try this:

https://20.rs/pocs/target_blank/anchor_pocs1.php