Executing JavaScript Cross Window/Iframe (XWS / XSS)

Cross window scripting is one of the most useful techniques when using multiple windows to display different parts of the same site. It allows information to be refreshed between pages and the presentation of data to stay synchronized. It is important to know that IFRAMEs are just embedded windows and that, given the element node reference of an IFRAME, you can obtain its window context. All JavaScript variables, functions, objects, etc. are defined within the window context. To illustrate this point, consider the following code:

 
var myGlobalVariable = "Hello";
 
function myFunction()
{
	alert( myGlobalVariable );
}
 
function myFunction2()
{
	alert( window.myGlobalVariable );
}
 
myFunction();
window.myFunction2();

The result of the above code is that an alert box that says “Hello” is shown twice. “window” is a keyword in JavaScript and it gives the current execution block’s window context. Knowing that everything in JavaScript is directly defined within the window context allows you to do things like run functions across two windows. To help us find other window contexts, we are given the following keywords:

  • parent: Returns the parent window context. JS running within an IFRAME will return the containing window’s context (i.e. the first outermost window). Windows opened from another window with window.open form this parent-child relationship as well.
  • top: Returns the eldest window context. That is, if windowA opens windowB, which has an embedded iframe windowC, using “top” in any of the windows returns windowA.

To traverse into an IFRAME, you cannot simply use an IFRAME element reference as the window context. Example:

	var iframe = document.getElementById( "myIframe");
 
	//doesn’t work
	iframe.someJsFunction();
 
	//does work as long as someJsFunction is defined
	//on the page in that iframe.
	iframe.contentWindow.someJsFunction();

The technique explained above is called cross window scripting, or XWS. It is meant to allow windows that share the same domain to interact with each other. When used properly it is quite powerful. However, as with all powerful things, it can be misused.

When a site is embedded in another and the parent window and the child window do not share the same domain, browsers do not allow cross window scripting. In other words, cross window scripting only works if both windows are from the same domain. There are ways around this via exploits, but using them is considered bad form, because it directly breaks the security rules put in place by browser producers.
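The same-domain rule and the window traversal described above, as an added example that is not code from the original post. It goes slightly beyond the text by comparing full origins (scheme, host and port), which is what browsers actually check. The names sameOrigin, outermost, callInWindow, makeWindow and makeForeignWindow are hypothetical, and the window stand-ins are constructed so the code also runs outside a browser.

```javascript
// Browsers compare origins (scheme + host + port), not only the domain name.
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Follow "parent" links until a window is its own parent. That window is the
// outermost one of the frame hierarchy, the same window "top" refers to.
function outermost(win) {
  let current = win;
  while (current.parent && current.parent !== current) {
    current = current.parent;
  }
  return current;
}

// Call a function defined in another window context, for example
// callInWindow(iframe.contentWindow, "someJsFunction").
// Reading a script-defined property of a cross-origin window throws in the
// browser, so only the property read is wrapped; errors raised by the called
// function itself still propagate to the caller.
function callInWindow(targetWindow, fnName, ...args) {
  let fn;
  try {
    fn = targetWindow[fnName];
  } catch (err) {
    return { ok: false, reason: "blocked" };
  }
  if (typeof fn !== "function") {
    return { ok: false, reason: "not-defined" };
  }
  return { ok: true, value: fn.apply(targetWindow, args) };
}

// Constructed stand-in for a same-origin window (assumption for offline runs).
function makeWindow(parent, props) {
  const win = Object.assign({}, props);
  win.parent = parent || win; // a top-level window is its own parent
  return win;
}

// Constructed stand-in for a cross-origin window: property reads throw,
// mimicking the browser's SecurityError.
function makeForeignWindow() {
  return new Proxy({}, {
    get() { throw new Error("SecurityError: cross-origin frame access"); },
  });
}
```

A caller that receives reason "blocked" knows the frame is from another origin and should not expect direct function calls to work.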

When scripts break this security concept, it is called cross site scripting, or XSS for short. It is nearly always part of a site attack. It is usually implemented via an exploit in some web application, SQL injection, or custom user content.

XSS attacks can do things such as watching user events on password/login fields, stealing user names and passwords, or even simply obtaining session information from URLs and cookies in order to allow sessions to be hijacked.
