Tests for UXSS with window.open()
These tests are meaningful only if the browser overrides the native UIWebView window.open() and supports cross-tab document.write.
Test case: UXSS attempt against http://www.example.com (immediate)
This test case calls window.open("http://www.example.com") and tries to execute JavaScript there.
JavaScript should write the location.href value into the new tab's content (ignore the address bar for this test case).
- If this value is "about:blank" or "https://ios.browsr-tests.com/alt/", it is probably safe.
- If this value is anything else, especially "http://www.example.com", you just detected a Universal Cross-Site Scripting vulnerability.
Test case: UXSS attempt against http://www.example.com (delayed)
This test case calls window.open("http://www.example.com") and tries to execute JavaScript there after a 5s delay.
JavaScript should write the location.href value into the new tab's content after a 5s delay (ignore the address bar for this test case).
- If this value is "about:blank" or "https://ios.browsr-tests.com/alt/", it is probably safe.
- If this value is anything else, especially "http://www.example.com", you just detected a Universal Cross-Site Scripting vulnerability.
- If no location.href value is written and the http://www.example.com page is still loaded, document.write was safely refused.
Test case: UXSS attempt against http://www.example.com (redirected from about:blank)
This test case calls window.open("about:blank"), redirects the child window to www.example.com and tries to execute JavaScript there.
JavaScript should write the location.href value into the new tab's content after a 5s delay (ignore the address bar for this test case).
- If this value is "about:blank" or "https://ios.browsr-tests.com/alt/", it is probably safe.
- If this value is anything else, especially "http://www.example.com", you just detected a Universal Cross-Site Scripting vulnerability.
- If no location.href value is written and the http://www.example.com page is still loaded, document.write was safely refused.
Test case: UXSS attempt against http://www.example.com (redirected from redirect.html)
This test case calls window.open("redirect.html"), redirects the child window to www.example.com and tries to execute JavaScript there.
JavaScript should write the location.href value into the new tab's content after a 5s delay (ignore the address bar for this test case).
- If this value is "about:blank" or "https://ios.browsr-tests.com/alt/", it is probably safe.
- If this value is anything else, especially "http://www.example.com", you just detected a Universal Cross-Site Scripting vulnerability.
- If no location.href value is written and the http://www.example.com page is still loaded, document.write was safely refused.
Test case: UXSS attempt against http://www.example.com (redirected from location.href)
This test case calls window.open(location.href), redirects the child window to www.example.com and tries to execute JavaScript there.
JavaScript should write the location.href value into the new tab's content after a 5s delay (ignore the address bar for this test case).
- If this value is "about:blank" or "https://ios.browsr-tests.com/alt/", it is probably safe.
- If this value is anything else, especially "http://www.example.com", you just detected a Universal Cross-Site Scripting vulnerability.
- If no location.href value is written and the http://www.example.com page is still loaded, document.write was safely refused.
Test case: document.write to http://a%5c (immediate)
This test case calls window.open("http://a%5c") and tries to execute JavaScript there.
JavaScript should write the location.href value into the new tab's content (ignore the address bar for this test case).
- If this value is "about:blank", "https://ios.browsr-tests.com/alt/" or does not appear at all, it is probably safe.
- If this value starts with "applewebdata:", you just detected a Universal Cross-Site Scripting vulnerability.
- If the browser crashes, you probably found a null pointer dereference bug.
- If this value is anything else, I don't know ;-)
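The "safely refused" outcomes above correspond to an origin check made at the moment of the write, not at the moment of window.open(). The following added example, which is not code from this test suite, models that check for a browser that implements its own window.open() bridge; `originOf`, `mayWrite`, `ChildTab` and `runScenarios` are hypothetical names, and treating an about:blank child as writable by its opener is an assumption based on the safe outcomes listed above.

```javascript
// Added example: hypothetical write gate for a browser with its own
// window.open() bridge. Names are illustrative, not from any real browser.
const OPENER = "https://ios.browsr-tests.com/alt/";

// Returns the origin string, or null if the URL does not parse or is opaque.
function originOf(url) {
  try {
    const o = new URL(url).origin;
    return o === "null" ? null : o;
  } catch (e) {
    return null; // unparseable URLs such as "http://a%5c" get no origin
  }
}

// Decide at write time, using the URL the child tab has committed *now*.
function mayWrite(openerUrl, childCommittedUrl) {
  if (childCommittedUrl === "about:blank") return true; // assumed: opener's blank doc
  const a = originOf(openerUrl);
  const b = originOf(childCommittedUrl);
  return a !== null && a === b; // fail closed when either origin is unknown
}

class ChildTab {
  constructor(openerUrl, initialUrl) {
    this.openerUrl = openerUrl;
    this.committedUrl = initialUrl; // what the tab has actually loaded
    this.content = null;
  }
  navigate(url) { this.committedUrl = url; this.content = null; }
  // Cross-tab document.write: refused unless the gate passes right now.
  write(html) {
    if (!mayWrite(this.openerUrl, this.committedUrl)) return false;
    this.content = html;
    return true;
  }
}

// Constructed scenarios mirroring the test cases on this page.
function runScenarios() {
  const r = {};
  r.crossOrigin = new ChildTab(OPENER, "http://www.example.com/").write("x");
  const blank = new ChildTab(OPENER, "about:blank");
  r.blankBeforeRedirect = blank.write("x");
  blank.navigate("http://www.example.com/");
  r.blankAfterRedirect = blank.write("x");
  const redir = new ChildTab(OPENER, OPENER + "redirect.html");
  redir.navigate("http://www.example.com/");
  r.redirectHtml = redir.write("x");
  r.malformed = new ChildTab(OPENER, "http://a%5c").write("x");
  return r;
}
```

A gate that caches the decision made when the tab was opened would pass `blankBeforeRedirect` and then wrongly allow `blankAfterRedirect`, which is the failure the delayed and redirected test cases look for.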
When finished, continue to tests for address bar spoofing with window.open()