- From: Ory Segal <orysegal@gmail.com>
- Date: Thu, 14 Aug 2008 09:46:08 +0300
- To: public-html@w3.org
- Message-ID: <a9a26b7b0808132346m6d21f301q7dbe6313b0011d93@mail.gmail.com>
Hello,

The problem I am about to describe is a functional issue, but it also has some security implications.

*The scenario is as follows:*

I have a *parent* document, that includes the following HTML:

    <html>
      <head>
        <script>
          var someObject = true;
        </script>
      </head>
      <body>
        <iframe src="child_frame.html"></iframe>
      </body>
    </html>

And a child document, child_frame.html, which includes the following HTML:

    <html>
      <head>
        <script>
          function do_something() {
            // some code
          }
        </script>
      </head>
      <body>
        <script>
          if (parent.someObject) {
            do_something();
          }
        </script>
      </body>
    </html>

(Note - assuming that the child and the parent documents originate from the same domain, the child can indeed access the parent's JavaScript object.)

Things get a bit weird when the parent document includes another element with the same name as the JavaScript object - for example, here's an alternate parent document:

    <html>
      <head>
        <script>
          var someObject = true;
        </script>
      </head>
      <body>
        <iframe name="someObject"></iframe>
        <iframe src="child_frame.html"></iframe>
      </body>
    </html>

In this scenario, when the child tries to access parent.someObject, there is an ambiguity. The browser cannot know if the child is referring to the other child element with the same name, or if the child is trying to access the JavaScript object (both are accessed through the DOM in the same manner).

Functionally speaking, the problem is not so severe, but there are security implications to this ambiguity: a malicious parent document (not from the same domain) can include an IFrame pointing to a child document, and manipulate the JavaScript flow (in the child) by using an IFrame (with the same name) as a substitute for a JavaScript object. Since child documents can traverse parents' IFrames (and also get access to the object, although without being able to set/get most properties when not on the same domain), they can use this ambiguity to influence JavaScript flow.
This issue was raised when I recently researched a real-world vulnerability, which you can read about here: http://blog.watchfire.com/wfblog/2008/06/javascript-code.html

I would be glad to hear what you think,

-Ory
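The ambiguity Ory describes, as an added example that is not part of his message or of the Watchfire write-up: a Node-runnable model of the child's `if (parent.someObject)` test against three constructed parents (an honest same-origin parent, a same-origin parent that only has an `<iframe name="someObject">`, and a cross-origin parent that plants that iframe). The browser windows are stand-ins built here; `makeCrossOriginWindow`, `isSameOriginWindow`, `vulnerableShouldRun` and `hardenedShouldRun` are names chosen for the example, not browser or page APIs.

```javascript
// Added example, not code from the original e-mail. The window objects below
// are constructed stand-ins for browser WindowProxy objects.

// Properties that a cross-origin WindowProxy lets another origin read; any
// other read throws a SecurityError in the browser. In addition, the child
// browsing contexts of that window are reachable by their iframe name.
const CROSS_ORIGIN_ALLOWED = new Set([
  'window', 'self', 'location', 'close', 'closed', 'frames', 'length',
  'top', 'opener', 'parent', 'postMessage', 'blur', 'focus',
]);

// Model of a cross-origin parent window. `namedFrames` maps each
// <iframe name="..."> in that parent to the frame's (cross-origin) window.
function makeCrossOriginWindow(namedFrames) {
  return new Proxy({}, {
    get(_target, prop) {
      if (typeof prop === 'symbol') return undefined;
      if (Object.prototype.hasOwnProperty.call(namedFrames, prop)) {
        return namedFrames[prop]; // named-frame lookup works across origins
      }
      if (CROSS_ORIGIN_ALLOWED.has(prop)) return undefined; // value unused here
      throw new Error(`SecurityError: blocked access to cross-origin property "${prop}"`);
    },
  });
}

// The child's original test, as written in child_frame.html: any truthy value
// passes, and a window object (what <iframe name="someObject"> resolves to)
// is truthy.
function vulnerableShouldRun(parentWin) {
  return Boolean(parentWin.someObject);
}

// Reading `document` on a cross-origin window throws, so this tells a
// same-origin parent from a foreign one without relying on any name.
function isSameOriginWindow(win) {
  try {
    return win.document !== undefined;
  } catch (_e) {
    return false;
  }
}

// Hardened test: the parent must be same-origin, and the flag must have the
// exact type and value the script expects, so a named element (an object,
// never a boolean) cannot stand in for it.
function hardenedShouldRun(parentWin) {
  if (!isSameOriginWindow(parentWin)) return false;
  return parentWin.someObject === true;
}

// Constructed parents for the three situations in the message.

// 1. Honest same-origin parent that declared `var someObject = true`.
const honestParent = { document: {}, someObject: true };

// 2. Same-origin parent with no such variable, only <iframe name="someObject">:
//    the name resolves to the frame's window object.
const ambiguousParent = { document: {}, someObject: { document: {} } };

// 3. Malicious parent on another origin that placed <iframe name="someObject">
//    next to the iframe loading child_frame.html.
const maliciousParent = makeCrossOriginWindow({
  someObject: makeCrossOriginWindow({}),
});

// Run both checks the way child_frame.html would, for each parent.
function demo() {
  return {
    honest:    [vulnerableShouldRun(honestParent),    hardenedShouldRun(honestParent)],
    ambiguous: [vulnerableShouldRun(ambiguousParent), hardenedShouldRun(ambiguousParent)],
    malicious: [vulnerableShouldRun(maliciousParent), hardenedShouldRun(maliciousParent)],
  };
}

console.log(demo());
// { honest: [true, true], ambiguous: [true, false], malicious: [true, false] }
```

The model deliberately gives the ambiguous and malicious parents no `someObject` variable: in current browsers a `var` declaration on the parent window takes precedence over a same-named element, so the name only resolves to the iframe when the variable is absent, which is exactly the situation a hostile parent creates. The typed, same-origin check stops the substitution, but a child that needs state from its embedder is better off not reading the parent's globals at all and instead accepting it over `postMessage` with an explicit check of `event.origin`.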
Received on Friday, 15 August 2008 03:48:29 UTC