href attribute of an anchor tag is within our control. Here’s an example:
document.cookie, when the target attribute is set to _blank. Consider the following HTML code as an example:
As DCLabs has explained in their post at http://blog.dclabs.com.br/2021/05/the-curious-case-of-xss-and-mouse.html, it is possible to activate the XSS payload via a Middle-Mouse-Click or a SHIFT/CTRL/ALT+CLICK key combination. Regrettably, this method is only effective in Chrome. Firefox still blocks access to some DOM objects, such as document.cookie, while permitting
However, I have found a way to do the same thing in the latest version of Firefox while still being able to access the window object. I reported this to Firefox about four months ago in case they wanted to fix it. But they have only added it to their to-do list and I do not think they will get around to it anytime soon, as it is a small bug.
Here are some proof-of-concept payloads that demonstrate how the original window objects can be accessed:
Method 1: Using a new window
Method 2: Using a frame
I used these new tricks in a recent bug bounty project to amplify the impacts of an XSS issue when the target attribute was set to _blank. I was able to take victims' OAuth tokens using this method in both Chrome and Firefox. Sadly, in this specific case, my report was quickly marked as a duplicate and immediately closed.
My hope is that in the future, bug bounty hunters can earn more by showing that this issue can affect more than just Chrome and Edge browsers using the methods I have described here.
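The root cause throughout this post is an attacker-controlled href. The following is an added example (not code from the post or from DCLabs) of the check a defender would put in front of such a value: it lets the WHATWG URL parser normalise the input, compares the resulting scheme against an allowlist, and, for links that open in a new window, severs the opener relationship with rel="noopener". The function names `safeHref` and `buildAnchor` and the base origin `https://example.com/` are assumptions for illustration.

```javascript
// Added example, not from the original post. Allowlist check for an
// attacker-controlled href value, relying on the WHATWG URL parser so that
// the scheme is compared after the same normalisation browsers apply
// (leading/trailing whitespace stripped, scheme letters lower-cased).
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Base origin used to resolve relative links; assumed value for the example.
const PAGE_BASE = "https://example.com/";

// Returns the normalised href string, or null when the value must be rejected.
// A naive startsWith("javascript:") test would miss " JaVaScRiPt:" and similar;
// parsing first and then checking url.protocol does not.
function safeHref(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    url = new URL(raw, PAGE_BASE); // relative paths resolve against PAGE_BASE
  } catch {
    return null; // unparseable input is rejected rather than passed through
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Builds the attribute set for a link that opens in a new window. rel=noopener
// makes window.opener null in the opened document, so it cannot reach back to
// the window that created it; noreferrer additionally suppresses the Referer.
function buildAnchor(raw, text) {
  const href = safeHref(raw);
  if (href === null) return null;
  return { href, text, target: "_blank", rel: "noopener noreferrer" };
}
```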
PoC Link to Try:
I have created the following proof-of-concept link for those who would like to try this: