PoC: steal a cross-domain URL after Firefox is closed and the previous session is restored
9 Feb 2016 by Jordi Chancel
It is possible to read a cross-domain URL after a redirect using performance.getEntries()
if the page can be iframed, after Firefox is closed and the previous session is restored.
Steps:
- 1) Load this malicious webpage (the target page (1) is loaded in our frame)
- 2) Close Mozilla Firefox, reopen it and reload the last session; a performance entry is set
- The page follows the redirect to (2); cross-domain pages should not know the current URL
- We redirect the frame to an arbitrary URL, and force a history.back()
- The frame loads (2) from cache, and a performance entry is set
- This time the entry contains the redirection (2) instead of the original URL (1)
Page http://demo.vwzq.net/php/token_redirect.php redirected to ...
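
The leak above depends on the target page being loadable in a frame. As an added example (not part of the original PoC), this check decides from response headers whether a cross-origin page could frame a response; the function names, the sample headers and partner.example are assumptions made for illustration.

```javascript
// Added example, not part of the original PoC. Input is a plain object of
// response headers with lower-case names (constructed samples below).

// Source list of the first frame-ancestors directive in one policy, or null.
function frameAncestors(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// True when a page on another origin could load this response in a frame.
function crossOriginFramingAllowed(headers) {
  // Several CSP headers arrive comma-joined; every policy is enforced.
  const policies = (headers['content-security-policy'] || '').split(',');
  const lists = policies.map(frameAncestors).filter(l => l !== null);
  if (lists.length > 0) {
    // frame-ancestors overrides X-Frame-Options. An empty list means 'none'.
    const sameOriginOnly = l =>
      l.every(s => ["'none'", "'self'"].includes(s.toLowerCase()));
    return !lists.some(sameOriginOnly);
  }
  // ALLOW-FROM is obsolete and ignored by current browsers, so only
  // DENY and SAMEORIGIN count as protection.
  const xfo = (headers['x-frame-options'] || '').trim().toLowerCase();
  return !(xfo === 'deny' || xfo === 'sameorigin');
}

// Constructed sample responses for a redirecting endpoint.
const samples = {
  bare: {},
  xfoDeny: { 'x-frame-options': 'DENY' },
  cspSelf: { 'content-security-policy': "default-src 'self'; frame-ancestors 'self'" },
  cspPartner: { 'content-security-policy': 'frame-ancestors https://partner.example' },
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name, crossOriginFramingAllowed(headers) ? 'frameable' : 'framing blocked');
}
```

Run it against the headers of the final document in the redirect chain, since that is the response the frame ends up displaying.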