bypassing-x-frame-options-with-window.open

Bypassing X-Frame-Options with window.open()

Even when:

X-Frame-Options: DENY or SAMEORIGIN is set
iframes are blocked

postMessage can still be abused using window.open().

What changes here?

Previous challenges

Challenge	Technique
postMessage I	Data leak from popup
postMessage II	Trigger privileged actions
postMessage III	XSS via iframe
postMessage IV (this)	XFO bypass using popup

New defense introduced

X-Frame-Options: DENY

iframe exploitation blocked
popup exploitation still works

Why X-Frame-Options does NOT help

X-Frame-Options only blocks:

<iframe>
<frame>

It does NOT block:

window.open()
popups
opener–child communication

postMessage works with any Window object

The Attack

To exploit this issue, you will need to create a malicious HTML page that will open the vulnerable page. This time you cannot use an iframe as the web application prevents framing using X-Frame-Options.

<script>
w = open("http://ptl-dce00be27062-0fc1275b2bf6.libcurl.me/","v");
setTimeout(_=>w.postMessage("user=rezydev&id=0","*"),2500);
</script>

Host it and send it to victim. It should perform the POST request with the data passed as victim who visits the page similar to CSRF.

Bypassing X-Frame-Options with window.open()​

What changes here?​

Previous challenges​

New defense introduced​

Why X-Frame-Options does NOT help​

The Attack​