• All of the tests assume the attacker on and the victim on
  • The victim is taking a user supplied URL and trying to open it through different flavors of
  • 1. Test

  • This is testing without targeting it to a window or frame, and the victim is expecting to allow users/attackers to open any arbitrary link in the new window. Unfortunately, when the URL is javascript:something, it executes in the victim's domain in
  • Compromise Victim 1

    2. Test, "")

  • This is testing, "") with an empty target, and the victim is also expecting the URL to be opened in a new window. Unfortunately, a javascript: URL would execute at the victim's origin
  • Compromise Victim 2

    3. Test, "victimFrame")

  • This is testing, "victimFrame") with a specific target iframe inside of the victim's page, and the victim is expecting the URL to be opened in the target frame. Unfortunately, if the victim page is itself framed under the same name (e.g. "victimFrame") and the URL is a javascript: URL, the call navigates the victim page itself instead of its frame, and the JavaScript executes in the victim page's domain
  • Click the button below to invoke the vulnerable victim iframe
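
All three tests hinge on the victim passing a user-supplied javascript: URL straight to the open call. The following is an added example, not code from the original page: a scheme allowlist the victim could apply before opening anything. The function name `safeNavigationUrl`, the `victim.example` base address and the sample inputs are constructed for illustration.

```javascript
// Added example: allow only http(s) URLs to reach a window-opening call.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalized absolute URL when it is safe to open, otherwise null.
// `base` is the victim page's own address, so relative links still resolve.
function safeNavigationUrl(input, base) {
  if (typeof input !== "string") return null;
  let parsed;
  try {
    // The WHATWG URL parser normalizes the way a browser does: it strips
    // leading/trailing spaces and control characters, removes embedded tabs
    // and newlines, and lowercases the scheme. Checking the parsed protocol
    // therefore also catches "JaVaScRiPt:" and "java\tscript:", which a
    // naive startsWith("javascript:") test on the raw string would miss.
    parsed = new URL(input, base);
  } catch (e) {
    return null; // unparseable input is rejected, never passed through
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Constructed sample inputs (not from the original page).
const BASE = "https://victim.example/page";
const SAMPLES = [
  "https://example.org/a",
  "/help",
  "javascript:alert(document.domain)",
  " \u0001JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<b>x</b>",
];

for (const s of SAMPLES) {
  const safe = safeNavigationUrl(s, BASE);
  console.log(JSON.stringify(s), "->", safe === null ? "REJECTED" : safe);
}
// In the victim page, only a non-null result would be handed to the open
// call (for example window.open, assumed here), with or without a target.
```

The check removes the script execution in all three tests; it does not change which window or frame a named target such as "victimFrame" resolves to.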