However, there’s trouble brewing on the horizon. Malicious adverts have been abusing our beloved alert to distract and social engineer visitors from inside their iframe. Google Chrome has decided to tackle this by disabling alert for cross-domain iframes. Cross-domain iframes are often built into websites deliberately, and are also a near-essential component of certain relatively advanced XSS attacks.
Once Chrome 92 lands on 20th July 2021, XSS vulnerabilities inside cross-domain iframes will:
- No longer enable alert-based PoCs.
- Be invisible to anyone using alert-based detection techniques.
It’s quite funny that this “protection” against showing dialogs cross-domain blocks alerts and prompts but, as Yosuke Hasegawa pointed out, they forgot about basic authentication. This works in the current version of Canary. It’s likely to be blocked in future though.
We needed an alert-alternative that was:
- Simple, setup-free and easy to remember
- Highly visible, even when executed in an invisible iframe
After weeks of intensive research, we’re thrilled to bring you…
We will be updating our Web Security Academy labs to support print()-based solutions shortly. The XSS cheat sheet will also be updated to reflect the new print() payloads when using cross-domain iframes. We’ll keep using alert when there are no iframes involved… for now.
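For test tooling that verifies findings by watching for a dialog, the change means a script that runs inside a cross-domain iframe leaves no trace. The following is an added example, not code from the original post: it hooks alert and print so every call is logged whether or not anything is displayed. The frame model, the origins and all function names are constructed for illustration, and the model covers only the behaviour described above.

```javascript
// Added example; every name here is hypothetical.
// Constructed model of one frame: `shown` collects what a user (or a
// dialog-event listener) would actually see.
function makeFrame(origin, topOrigin, shown) {
  const crossOrigin = origin !== topOrigin;
  return {
    origin,
    // Models the Chrome 92 change: alert does nothing in a cross-domain iframe.
    alert(msg) { if (!crossOrigin) shown.push(`alert(${msg}) @ ${origin}`); },
    // print is the highly visible alternative and is not suppressed.
    print() { shown.push(`print() @ ${origin}`); },
  };
}

// Wrap alert and print so each call is logged before the native function
// runs. The log entry exists even when the browser shows no dialog.
function instrument(frame, log) {
  for (const api of ["alert", "print"]) {
    const native = frame[api].bind(frame);
    frame[api] = (...args) => {
      log.push({ api, origin: frame.origin, args: args.map(String) });
      return native(...args);
    };
  }
  return frame;
}

function runDemo() {
  const top = "https://shop.example";       // constructed origins
  const shown = [], log = [];
  const frame = makeFrame("https://ads.example", top, shown);

  frame.alert(1);                           // alert-based check, no hooks
  const seenByDialogWatcher = shown.length; // 0: the execution went unnoticed

  instrument(frame, log);
  frame.alert(1);                           // logged, still no dialog
  frame.print();                            // logged and visible
  return { seenByDialogWatcher, shown, log };
}

console.log(runDemo());
```

In a real harness the same wrapper would be injected into each frame before page scripts run, with the log reported back to the test runner.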
Long live print!
– Gareth & James