PoC: stealing a cross-domain URL after Firefox is closed and the previous session is restored

9 Feb 2016 by Jordi Chancel

It is possible to read a cross-domain URL after a redirect using performance.getEntries() if the target page can be iframed, once Firefox is closed and the previous session is restored.

Steps:

  1. Load this malicious webpage (the target page (1) is loaded in our frame)
  2. Close Mozilla Firefox, reopen it and restore the last session
  3. A performance entry is set
  4. The page follows the redirect to (2); cross-domain pages should not be able to learn the current URL
  5. We redirect the frame to an arbitrary URL and force a history.back()
  6. The frame loads (2) from cache, and a performance entry is set
  7. This time the entry contains the redirection target (2) instead of the original URL (1)

Page http://demo.vwzq.net/php/token_redirect.php redirected to ....
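The leak above depends on the redirecting page being frameable by another origin. As an added, defender-side example (not code from the original post), the function below inspects a page's response headers and reports whether a cross-origin site could embed it in an iframe; the header sets are constructed sample data, not real responses.

```javascript
// Added example: check whether a page's response headers still allow
// cross-origin framing, the precondition this PoC relies on.

function parseFrameAncestors(csp) {
  // Return the frame-ancestors source list, or null if the directive is absent.
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') return parts.slice(1);
  }
  return null;
}

function isFrameableCrossOrigin(headers) {
  // Normalise header names so lookups are case-insensitive.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  // A CSP frame-ancestors directive takes precedence over X-Frame-Options.
  if (h['content-security-policy']) {
    const sources = parseFrameAncestors(h['content-security-policy']);
    if (sources !== null) {
      const allowed = sources.map(s => s.toLowerCase().replace(/^'|'$/g, ''));
      if (allowed.includes('none')) return false;
      if (allowed.includes('*')) return true;
      // 'self' only permits the page's own origin; any other entry is a foreign origin.
      return allowed.some(s => s !== 'self');
    }
  }

  // Fall back to X-Frame-Options; DENY and SAMEORIGIN both block foreign framing.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return false;

  // No framing restriction at all: any origin can embed the page.
  return true;
}

// Constructed sample header sets for a redirecting endpoint.
const unprotectedHeaders = { 'Content-Type': 'text/html', 'Location': 'https://example.test/after-login' };
const hardenedHeaders = {
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY'
};
```

Run the check against the real headers of any endpoint that redirects to a URL carrying secrets (tokens, session identifiers); a `true` result means the page still satisfies the "can be iframed" precondition.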