Window.open tests

  • All of the tests assume the attacker is on test.attacker-domain.com and the victim is on exam.attacker-domain.com. The two hosts share a parent domain but are distinct origins, so script on the attacker's page has no direct access to the victim's page.
  • The victim takes a user-supplied URL and tries to open it through different flavors of window.open.
    1. Test window.open(url)

  • This tests window.open(attack_url) without targeting a window or frame. The victim expects to let users (and therefore attackers) open any arbitrary link in a new window. Unfortunately, when the URL is javascript:something, the new window starts out as about:blank with the opener's origin, so the script executes in the victim's origin, exam.attacker-domain.com, and can reach back into the victim page through window.opener.
  • Compromise Victim 1

    2. Test window.open(url, "")

  • This tests window.open(url, "") with an empty target. window.open treats an empty target name as "_blank", so the victim again expects the URL to open in a new window. Unfortunately, a javascript: URL again executes at the victim's origin, exactly as in test 1.
  • Compromise Victim 2

    3. Test window.open(url, "victimFrame")

  • This tests window.open(url, "victimFrame") with a named target that is meant to be an iframe inside the victim's page, so the victim expects the URL to open in that frame. Unfortunately, the target name is matched against the victim's own browsing context (its window.name) before its child frames are considered. If the attacker loads the victim page into a browsing context named "victimFrame" (e.g. frames it in an iframe with that name) and supplies a javascript: URL, the window.open call navigates the victim page itself instead of its frame, and the JavaScript executes in the victim page's origin.
  • Click the button below to invoke the vulnerable victim iframe
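The check that all three tests are missing, as an added example that is not part of the original test page or of the victim code it exercises: resolve the user-supplied URL the way the browser will and allowlist the scheme before it reaches window.open, and refuse a named target that collides with the page's own window.name (the test 3 case). The victim base URL, the payload list and the helper names (resolveNavigationUrl, naiveCheckPasses, chooseTarget, safeOpen) are assumptions of this example. The URL and target checks run under Node.js; safeOpen itself only runs in a browser.

```javascript
// Added example, not code from the original test page. Assumes the victim page lives
// at the constructed base URL below; payloads are constructed for illustration.
const VICTIM_BASE = "https://exam.attacker-domain.com/exam.html";
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Resolve like the browser will (relative URLs against the victim page) and return
// the normalized href, or null when the scheme is anything other than http(s).
// Rejecting by default covers javascript:, data:, vbscript:, blob: and anything unknown.
function resolveNavigationUrl(userUrl, base = VICTIM_BASE) {
  let parsed;
  try {
    parsed = new URL(String(userUrl), base);
  } catch (e) {
    return null; // unparseable input is rejected rather than passed through
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// The string check that is usually written instead. The WHATWG URL parser strips
// leading whitespace, removes embedded tabs/newlines and lowercases the scheme, so
// the payloads below still navigate as javascript: although this check lets them through.
function naiveCheckPasses(userUrl) {
  return !userUrl.toLowerCase().startsWith("javascript:");
}

// Test 3 guard (hypothetical): a target name is matched against this window's own
// name before its frames, so never open into a name that equals window.name.
// selfName is passed in explicitly so the function can run outside a browser.
function chooseTarget(target, selfName) {
  if (target === undefined || target === "") return "_blank"; // window.open treats "" as _blank
  if (target === selfName) return null; // attacker controls our name by framing us under it
  return target;
}

// Hardened replacement for window.open(url), window.open(url, "") and
// window.open(url, "victimFrame"). Browser-only.
function safeOpen(userUrl, target) {
  const href = resolveNavigationUrl(userUrl, window.location.href);
  const chosen = chooseTarget(target, window.name);
  if (href === null || chosen === null) return null;
  // For a new window, noopener keeps even an http(s) page from reaching window.opener.
  const features = chosen === "_blank" ? "noopener,noreferrer" : "";
  return window.open(href, chosen, features);
}

// Constructed payloads covering the three tests plus common allowlist bypass attempts.
const CONSTRUCTED_PAYLOADS = [
  "javascript:alert(document.domain)",
  "  JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "/next.html",
  "//test.attacker-domain.com/landing",
];

// Map each payload to what the hardened path would actually open (null = rejected).
function classifyPayloads(payloads = CONSTRUCTED_PAYLOADS) {
  const out = {};
  for (const p of payloads) out[p] = resolveNavigationUrl(p);
  return out;
}
```

Note that `//test.attacker-domain.com/landing` is accepted: scheme allowlisting only stops script execution in the victim's origin, it does not stop open redirects to another host. If the victim also needs to restrict destinations, compare `parsed.host` against an allowlist in the same place.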