Full Report
This article is a list of different ways to get a reference to a window object. When doing client-side security, holding a reference to another window is a big lever for causing havoc, because the holder can navigate it, message it, and, when the two share an origin, read and script it outright. First, `window.open()`: it returns a reference both when it opens a new window and, given the name of an already-open window, when it attaches to that one. Second, if you are inside a popup you can get a reference to the window that opened you through `window.opener` (a property, not a method), even in a cross-domain setup. Next, iframes: `window.top` gives the top-level window from inside an iframe, and `window.frames` lists the frames within a given window; a named frame can also be reached as `window.frames['frameName']`. A window reference also arrives with `postMessage`, even cross-domain: the receiving side gets the sender's window as `event.source`. If two windows share the same domain, one can reference globals on the other. Most of these rules can be chained together as well. The author mentions that it is not always possible to get a reference, in particular for a cross-domain iframe or an iframe that opens a popup window. Good article on a very esoteric JavaScript concept!
Analysis Summary
# Tool/Technique: Cross-Window Property Reference & Manipulation
## Overview
This technique uses JavaScript window properties to obtain references to window objects across browsing contexts (tabs, windows, and iframes). In a security context a window reference is what turns a foothold in one context into reach over another: with it, script can navigate the target (tabnabbing via `opener.location`), exchange `postMessage` traffic with it, and, when the two share an origin, read and script its DOM and globals directly. A framing page in a clickjacking attack holds the same kind of reference to the frame it embeds. This "window-group" discovery lets an attacker interact with, spy on, or send messages to windows that would otherwise be isolated.
## Technical Details
- **Type:** Technique / Client-Side Scripting Exploration
- **Platform:** Web Browsers (Chrome, Firefox, Safari, IE/Edge)
- **Capabilities:** Discovery of window handles, cross-domain communication, monkey-patching native methods, and frame traversal.
- **First Seen:** Publicly documented as a consolidated reference in February 2017.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - **[T1189 - Drive-by Compromise]**: Using these window references to facilitate malicious script execution.
- **[TA0007 - Discovery]**
  - **[T1518 - Software Discovery]**: Identifying the structure of the victim's browser environment and open applications/frames.
- **[TA0002 - Execution]**
  - **[T1059.007 - JavaScript]**: Utilizing browser-native JS to manipulate the DOM and target windows.
## Functionality
### Core Capabilities
- **Direct Reference:** Calling `window.open('', name)` with a known window name returns a reference to an already-open window of that name that the page can reach by name; if none exists, a blank window is opened instead, which probing code then closes.
- **Hierarchical Traversal:** Using `window.opener` (for popups), `window.parent` (for frames), and `window.top` (to escape nested iframes in one step).
- **Collection Enumeration:** Indexing the array-like `window.frames` collection (whose size is `window.length`) to reach every child frame of a context; both stay readable on cross-origin windows, so nesting can be walked without same-origin access.
- **Identification by Event:** Using the `event.source` property within a `message` event listener to capture the window handle of any origin that sends a `postMessage`.
### Advanced Features
- **Monkey Patching:** Overriding the native `window.open` with a wrapper that silently logs and stores the reference to every window the legitimate application opens afterwards. This needs script already running in the page's origin (an XSS payload or a compromised dependency), which is why it pairs naturally with an XSS foothold.
- **Cross-Domain Reference:** A cross-origin window handle still exposes a small fixed set of members: `window`, `self`, `location` (assignment only), `close`, `closed`, `focus`, `blur`, `frames`, `length`, `top`, `parent`, `opener`, and `postMessage`. That is enough to navigate the window and message it, but not to read its DOM, globals, or storage.
- **Named Frame Access:** Referencing frames directly as properties of the window object by their `name` (e.g., `window.frameName`), alongside `window.frames['frameName']`.
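The reference-gathering techniques listed above (frame enumeration and the `window.open` monkey patch), worked as an added example that is not code from the original article. Node has no DOM, so the block constructs a small stand-in for a window tree (a fixture for this example, not a real `Window`): a cross-origin frame is modelled the way the same-origin policy presents one, with `frames`, `length`, `closed` and `postMessage` usable and `name`/`document` throwing `SecurityError`. The hostnames `app.example` and `ads.example` are made up.

```javascript
'use strict';

// Constructed stand-in for the error a browser throws on a cross-origin read.
function securityError() {
  const err = new Error('Blocked a frame from accessing a cross-origin frame.');
  err.name = 'SecurityError';
  return err;
}

// Constructed stand-in for a browser window (not a real Window object).
function makeWindow({ href, name = '', crossOrigin = false, frames = [] }) {
  const win = { frames, length: frames.length, closed: false, postMessage() {}, open: null };
  if (crossOrigin) {
    // Only the cross-origin-safe members stay readable; name and document throw.
    for (const prop of ['name', 'document']) {
      Object.defineProperty(win, prop, { get() { throw securityError(); } });
    }
  } else {
    win.name = name;
    win.document = { URL: href };
  }
  return win;
}

// Enumerate every frame reachable from win. A cross-origin frame still hands
// back a handle, and its frames/length are readable, so its children are
// reachable too (and may themselves be same-origin with the caller). Its own
// name and document are not: record it as opaque instead of aborting the walk.
function walkFrames(win, path = 'top', out = []) {
  for (let i = 0; i < win.frames.length; i++) {
    const frame = win.frames[i];
    const entry = { path: `${path}.frames[${i}]`, sameOrigin: false };
    try {
      entry.name = frame.name;
      entry.url = frame.document.URL;
      entry.sameOrigin = true;
    } catch (err) {
      if (err.name !== 'SecurityError') throw err;
      // Handle is usable only for postMessage, close, and assigning location.
    }
    out.push(entry);
    walkFrames(frame, entry.path, out);
  }
  return out;
}

// Monkey-patch win.open so every handle the application creates afterwards is
// recorded. Any script already running in the page's origin (an XSS payload, a
// compromised third-party bundle) can install this before the app's own code runs.
function installOpenHook(win, registry = []) {
  const nativeOpen = win.open;
  win.open = function patchedOpen(url, name, features) {
    const handle = nativeOpen.call(this, url, name, features);
    if (handle) registry.push({ url: String(url ?? ''), name: name ?? '', handle });
    return handle;
  };
  return registry;
}

// Constructed page layout: a same-origin nav frame, a cross-origin ad frame, and
// inside the ad a frame that is same-origin with the top page again.
function buildFixture() {
  const inner = makeWindow({ href: 'https://app.example/widget', name: 'widget' });
  const ad = makeWindow({ href: 'https://ads.example/slot', crossOrigin: true, frames: [inner] });
  const nav = makeWindow({ href: 'https://app.example/nav', name: 'nav' });
  const top = makeWindow({ href: 'https://app.example/', frames: [nav, ad] });
  top.open = (url, name) => makeWindow({ href: url, name }); // stand-in for the browser's window.open
  return top;
}

function demo() {
  const top = buildFixture();
  const frames = walkFrames(top);
  const opened = installOpenHook(top);
  top.open('https://app.example/report', 'report'); // the app's own code later opens a popup
  return { frames, opened };
}

const result = demo();
console.log(result.frames);
console.log(result.opened.map((o) => `${o.name} -> ${o.url}`));
```

The walk shows the caveat from the article in action: `top.frames[1]` (the ad) is opaque, but `top.frames[1].frames[0]` is reachable through it and, being same-origin with the top page, is fully scriptable. In a real page the hook would be installed via the global `window` rather than a fixture.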
## Indicators of Compromise
- **File Hashes:** N/A (Client-side technique)
- **File Names:** N/A
- **Registry Keys:** N/A
- **Network Indicators:** N/A. The research uses `hxxps[://]www[.]google[.]com` only as a generic example target for `window.open`; it is not an indicator.
- **Behavioral Indicators:**
- Excessive use of `window.open('', 'name')` to probe for background windows.
- Presence of "Monkey Patch" code targeting `window.open`.
- Frequent `postMessage` calls to `*` (wildcard) origins.
## Associated Threat Actors
- **General Web Attackers:** Primarily used in tabnabbing and in pivoting from an XSS in one window to other windows of the same origin.
- **Adware/Scam Campaigns:** To keep a hold on popups they have opened and re-navigate them later.
## Detection Methods
- **Signature-based detection:** Searching page and bundle sources for patterns like `window.open = function()` or `event.source.postMessage`. Expect false positives: cross-window component libraries (zoid, post-robot) use the same calls legitimately, so treat a hit as a lead to review rather than a verdict.
- **Behavioral detection:**
  - Collecting CSP violation reports (`report-uri` / `report-to`): a `frame-ancestors` violation reveals the origin that tried to embed the page.
  - Auditing script activity that reaches for `window.top`, `window.parent`, or `window.opener` from frames that have no reason to.
- **Browser DevTools:** In Chrome's DevTools, the "Frames" tree under the "Application" tab shows every frame the page holds, so unexpected cross-references stand out.
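One audit a practitioner runs alongside the detection steps above is to check a site's own responses for the isolation headers listed under Mitigation Strategies below (COOP, CSP `frame-ancestors`, `X-Frame-Options`). The checker here is an added example, not code from the original article; the three sample header sets are constructed, and the hostname `partner.example` is made up.

```javascript
'use strict';

// Case-insensitive header lookup over a plain { name: value } object.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return String(v).trim();
  }
  return undefined;
}

// Pull one directive's source list out of a Content-Security-Policy value.
function cspDirective(csp, directive) {
  if (!csp) return undefined;
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === directive) return tokens.slice(1);
  }
  return undefined;
}

// Audit one response's headers for the two isolation properties the mitigations
// target: can a cross-origin opener/openee keep a live handle to this document
// (COOP), and can another origin embed it (frame-ancestors / X-Frame-Options).
function auditIsolation(headers) {
  const findings = [];

  const coop = (getHeader(headers, 'Cross-Origin-Opener-Policy') || 'unsafe-none').toLowerCase();
  const openerIsolated = coop === 'same-origin' || coop === 'same-origin-allow-popups';
  if (!openerIsolated) {
    findings.push('COOP missing or unsafe-none: a cross-origin opener/openee keeps a live window reference');
  } else if (coop === 'same-origin-allow-popups') {
    findings.push('COOP same-origin-allow-popups: popups this page opens stay reachable through their opener');
  }

  const ancestors = cspDirective(getHeader(headers, 'Content-Security-Policy'), 'frame-ancestors');
  const xfo = (getHeader(headers, 'X-Frame-Options') || '').toUpperCase();
  let framingRestricted;
  if (ancestors) {
    // '*' or a bare scheme source lets any origin embed the page.
    framingRestricted = !ancestors.some((s) => s === '*' || s === 'https:' || s === 'http:');
    if (!framingRestricted) findings.push(`frame-ancestors ${ancestors.join(' ')} allows any origin to embed the page`);
  } else if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    framingRestricted = true;
    findings.push('Framing limited by X-Frame-Options only; add CSP frame-ancestors, which browsers prefer when both are present');
  } else {
    framingRestricted = false;
    findings.push(xfo
      ? `X-Frame-Options "${xfo}" is not DENY/SAMEORIGIN (ALLOW-FROM is ignored by current browsers): any origin can embed the page`
      : 'No frame-ancestors and no X-Frame-Options: any origin can embed the page');
  }

  return { openerIsolated, framingRestricted, findings };
}

// Constructed sample responses (not captured traffic).
const SAMPLE_RESPONSES = {
  legacy: { 'Content-Type': 'text/html' },
  hardened: {
    'Content-Type': 'text/html',
    'Cross-Origin-Opener-Policy': 'same-origin',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://partner.example",
  },
  permissive: {
    'cross-origin-opener-policy': 'same-origin-allow-popups',
    'content-security-policy': 'frame-ancestors *',
  },
};

function auditAll(responses = SAMPLE_RESPONSES) {
  const out = {};
  for (const [label, headers] of Object.entries(responses)) out[label] = auditIsolation(headers);
  return out;
}

for (const [label, result] of Object.entries(auditAll())) {
  console.log(label, result.openerIsolated, result.framingRestricted, result.findings);
}
```

Feed `auditIsolation` the header object from whatever HTTP client you use; header names are matched case-insensitively, so raw Node `http` headers (lowercased) and hand-written ones both work.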
## Mitigation Strategies
- **COOP (Cross-Origin-Opener-Policy):** Send `same-origin` so the document lands in its own browsing context group: a cross-origin opener's handle to it is severed (the handle reports `closed === true`) and the document's own `window.opener` is null. `same-origin-allow-popups` keeps handles to popups the page opens itself, which is the value to use if the page relies on `opener` for its own popups.
- **rel="noopener":** Use `rel="noopener"` on `<a target="_blank">` links and the `noopener` feature in `window.open(url, '_blank', 'noopener')`, so the new page's `window.opener` is null. Current browsers already default `target="_blank"` to `noopener`, but the explicit attribute still covers older engines and the `window.open` path.
- **CSP (Content Security Policy):** Implement `frame-ancestors` to restrict which origins can embed your site in an iframe; browsers that support it apply it in preference to `X-Frame-Options` when both are present.
- **X-Frame-Options:** Use `DENY` or `SAMEORIGIN` as the fallback for older browsers to prevent clickjacking and unauthorized embedding.
- **postMessage validation:** Always compare `event.origin` against an exact allowlist when receiving (no substring or prefix matches, which a look-alike host defeats), validate the message structure before acting on it, and when sending pass the intended origin as the second argument instead of `*`; never trust `event.source` implicitly, since it is simply whichever window sent the message.
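The `postMessage` guidance above, worked as an added example (not code from the original article): a receiver that trusts whatever arrives and answers to `*`, beside a hardened one that exact-matches `event.origin`, checks the message shape, and replies only to the sender's origin. Node has no `MessageEvent`, so the events are constructed stand-ins that record what the handler sends back; `app.example` and `app.example.attacker.test` are made-up hostnames.

```javascript
'use strict';

// Vulnerable receiver: no origin check, acts on whatever arrives, and answers
// with a wildcard target origin, so any window holding a reference to this one
// (opener, parent, a frame, or a page that captured event.source) can drive it.
function makeVulnerableHandler(store) {
  return function onMessage(event) {
    store[event.data.key] = event.data.value;
    event.source.postMessage({ ok: true, key: event.data.key }, '*');
    return true;
  };
}

// Hardened receiver: exact-match allowlist on event.origin (a substring or
// startsWith check would let https://app.example.attacker.test through), a
// strict message schema, and replies addressed to event.origin only.
function makeHardenedHandler(store, allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return function onMessage(event) {
    if (!allowed.has(event.origin)) return false; // drop silently, do not reply
    const msg = event.data;
    if (!msg || typeof msg !== 'object' || msg.type !== 'set') return false;
    if (typeof msg.key !== 'string' || typeof msg.value !== 'string') return false;
    if (!/^[a-z][a-z0-9_]{0,31}$/.test(msg.key)) return false; // rejects __proto__ and friends
    store[msg.key] = msg.value;
    event.source.postMessage({ ok: true, key: msg.key }, event.origin);
    return true;
  };
}

// Constructed stand-in for a MessageEvent: records each reply and its target origin.
function fakeEvent(origin, data) {
  const sent = [];
  return { origin, data, source: { postMessage: (m, target) => sent.push({ m, target }) }, sent };
}

function demo() {
  const vulnStore = Object.create(null);
  const hardStore = Object.create(null);
  const vuln = makeVulnerableHandler(vulnStore);
  const hard = makeHardenedHandler(hardStore, ['https://app.example']);

  const lookalike = () =>
    fakeEvent('https://app.example.attacker.test', { type: 'set', key: 'theme', value: 'pwned' });
  const evilForVuln = lookalike();
  const legit = fakeEvent('https://app.example', { type: 'set', key: 'theme', value: 'dark' });

  return {
    vulnerableAcceptsLookalike: vuln(evilForVuln),
    vulnerableReplyTarget: evilForVuln.sent[0].target, // '*'
    vulnerableStore: vulnStore.theme, // 'pwned'
    hardenedRejectsLookalike: hard(lookalike()),
    // 'null' is what a sandboxed iframe or a data: URL reports as its origin.
    hardenedRejectsNullOrigin: hard(fakeEvent('null', { type: 'set', key: 'theme', value: 'pwned' })),
    hardenedRejectsProtoKey: hard(fakeEvent('https://app.example', { type: 'set', key: '__proto__', value: 'x' })),
    hardenedAcceptsLegit: hard(legit),
    hardenedReplyTarget: legit.sent[0].target, // 'https://app.example'
    hardenedStore: hardStore.theme, // 'dark'
  };
}

console.log(demo());
```

In a page the handlers are registered with `window.addEventListener('message', handler)`; everything else is identical. The allowlist holds full origins (scheme, host, port), never bare hostnames.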
## Related Tools/Techniques
- **[Zoid]**: A library for cross-domain components.
- **[Post-robot]**: A library for cross-domain post-messaging.
- **Tabnabbing**: A specific attack in which an opened page navigates its opener via `window.opener.location` (assigning `location` is permitted cross-origin), swapping the original tab for a phishing page.
- **Clickjacking**: Obscuring frames to trick users into interacting with hidden windows.