
Cross site scripting (XSS) possible?

I found the following code in my application:

eval( 'window.opener.' + fct );

The variable fct is coming from a GET parameter (so it can be changed by the user).

Is it possible to pass some evil value to execute JavaScript? I am not sure, because if you change the URL and send the link to the user, and he clicks on it, "window.opener" will be null, so an error will be thrown:

eval( 'window.opener.x; alert(1);' ); // Uncaught TypeError: Cannot read property 'x' of null

Is there any attack vector that could cause a security problem? I know that you should never use eval(), but I would also try to find a proof of concept.

Thank you!

If fct is x = alert('yes') then it'll result in:

window.opener.x = alert('yes')

and the right-hand side of the expression will be evaluated first, allowing code execution.

If you don't want any error triggered, you can do:

window.opener.x = (window.opener={pwnd:confirm('game over')})

Is there any attack vector that could cause a security problem?

Yes. You are executing arbitrary JavaScript. Any code can be run. This is a serious security issue.

Firstly, any variable data used in the context of JavaScript should be JSON-encoded, which is compatible with JavaScript. You didn't say what server-side language you were using, so here's a PHP example to illustrate:

var fct = <?php echo json_encode($_GET['fct']); ?>;

If fct is parsed from the query string client side, this immediate issue doesn't exist because you aren't parsing arbitrary strings as JavaScript at this point. However, you still have the eval problem.

You should rewrite your code like this:

window.opener[fct]

That way, you are only referencing what you need without injecting script.

Now, you also need to whitelist what's in this variable, should opener contain things you don't want to expose.
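The following is an added example, not code from either answer or from the asker's application. It puts the two pieces of advice above into working form: a helper that embeds a server-side value into a script block safely (the JavaScript counterpart of the json_encode() step, with the extra escaping that JSON.stringify alone does not do), and a client-side replacement for eval('window.opener.' + fct) that looks the callback name up against an allowlist instead of evaluating it. The opener object, the allowlist entries (refreshList, closeDialog) and the query strings are constructed for the example so it runs in Node without a browser.

```javascript
// Added example: safe alternatives to eval('window.opener.' + fct).

// --- Server side: embedding a value inside <script> ---
// JSON.stringify produces a valid JS literal, but the result may still contain
// "</script>" (which would close the script element early) or the line
// terminators U+2028/U+2029. Escaping those as \uXXXX keeps the output valid
// JSON and safe inside a script block (similar in spirit to PHP's JSON_HEX_TAG flag).
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// --- Client side: dispatching to an opener callback by name ---
// Constructed allowlist of callbacks the opener is expected to expose.
const ALLOWED_CALLBACKS = new Set(['refreshList', 'closeDialog']);

// Read the raw parameter; nothing here is ever parsed as code.
function getCallbackName(search) {
  return new URLSearchParams(search).get('fct');
}

function invokeOpenerCallback(opener, name) {
  if (opener === null || opener === undefined) {
    throw new Error('no opener window');
  }
  if (typeof name !== 'string' || !ALLOWED_CALLBACKS.has(name)) {
    throw new Error('callback not allowed: ' + String(name));
  }
  // Own-property check so inherited members such as "constructor" are never reached,
  // even if they were somehow added to the allowlist.
  if (!Object.prototype.hasOwnProperty.call(opener, name) ||
      typeof opener[name] !== 'function') {
    throw new Error('callback not available: ' + name);
  }
  return opener[name]();
}

function runFromQuery(opener, search) {
  return invokeOpenerCallback(opener, getCallbackName(search));
}

// Returns true when the dispatcher refuses the request (used for checks below).
function rejects(opener, search) {
  try {
    runFromQuery(opener, search);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed stand-in for window.opener, including one function that must
// not be reachable from the URL because it is not on the allowlist.
const fakeOpener = {
  refreshList() { return 'list refreshed'; },
  closeDialog() { return 'dialog closed'; },
  deleteAccount() { return 'must never be reachable from a URL'; },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(jsonForScript('</script>'));                   // "\u003c/script\u003e"
  console.log(runFromQuery(fakeOpener, '?fct=refreshList')); // list refreshed
  console.log(rejects(fakeOpener, "?fct=x%3Dalert('yes')")); // true
}
```

Note that in the real page the first argument to runFromQuery would be window.opener and the second window.location.search; the null check covers exactly the case the question describes, where the link is opened directly and there is no opener.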
