Gareth Heyes recently shared a fascinating XSS vector that works exclusively on Safari. The payload leverages Safari’s handling of exceptions when instantiating `window.name`, which is then passed to `eval`. Here’s the vector:
<script>onerror = eval,new name</script>
How It Works
1. `onerror = eval` → Sets the global error handler to `eval`.
2. `new name` → Attempts to instantiate `window.name` as a constructor, which fails since `name` is a string.
3. Safari throws an exception, which is passed to `eval`, executing arbitrary JavaScript.
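To make the three steps concrete from the defender's side, here is an added Node.js example; it is not code from Gareth Heyes' post or from this article. It reproduces step 2 outside a browser, checks whether the engine's TypeError message echoes the string's contents (in V8, the engine behind Node and Chrome, it does not, which is one reason the chain is Safari-specific), and pairs that with a `window.onerror`-compatible handler that reports the error instead of evaluating it, plus a small audit that flags `eval` installed as the global error handler. The names `untrustedName`, `messageFromNewOnString`, `messageEchoesValue`, `makeReportingErrorHandler`, `dispatchThroughOnerror` and `auditGlobalErrorHandler` are this example's own, and the window-like object is a constructed stand-in for the real `window`.

```javascript
// Added example (not from the original post or article). Runs under Node.js; the
// browser's window.onerror dispatch is simulated with a plain object.

// Constructed stand-in for window.name: text another origin could have set.
// The value is deliberately inert; it only shows what reaches the handler.
const untrustedName = 'sample text chosen by another origin';

// Step 2 of the chain: use a string as a constructor. Returns the TypeError
// message a global error handler would receive, or null if nothing was thrown.
function messageFromNewOnString(name) {
  try {
    new name(); // a string is never a constructor, so this always throws
  } catch (err) {
    return err.message;
  }
  return null;
}

// Does the engine's message leak the string's value? V8 names the source
// expression ("name is not a constructor"), so the answer is false there.
function messageEchoesValue(name) {
  const msg = messageFromNewOnString(name);
  return msg !== null && msg.includes(name);
}

// A window.onerror-compatible handler that never evaluates error text. It
// records a structured report into `sink` and returns false so the browser
// still logs the error to the console (returning true would suppress that).
function makeReportingErrorHandler(sink) {
  return function reportingErrorHandler(message, source, lineno, colno, error) {
    sink.push({
      message: String(message),
      source: String(source || ''),
      line: Number(lineno) || 0,
      column: Number(colno) || 0,
      stack: error && error.stack ? String(error.stack).split('\n')[0] : '',
    });
    return false;
  };
}

// Simulated browser dispatch: run the failing statement and hand the failure
// to whatever is installed as win.onerror, with the usual five arguments.
function dispatchThroughOnerror(win, name) {
  try {
    new name();
  } catch (err) {
    if (typeof win.onerror === 'function') {
      return win.onerror(err.message, 'inline-script', 1, 1, err);
    }
    throw err;
  }
  return undefined;
}

// Audit check for step 1: flag an error handler that is itself a code evaluator.
function auditGlobalErrorHandler(win) {
  const h = win.onerror;
  if (h === undefined || h === null) return 'none';
  if (h === win.eval || h === win.Function) return 'unsafe';
  return 'ok';
}

// Usage: a constructed window-like object, audited first with eval installed
// as the handler, then with the reporting handler receiving a real failure.
const reports = [];
const fakeWindow = { eval: eval, Function: Function, onerror: null };
fakeWindow.onerror = eval;
const unsafeVerdict = auditGlobalErrorHandler(fakeWindow); // 'unsafe'
fakeWindow.onerror = makeReportingErrorHandler(reports);
dispatchThroughOnerror(fakeWindow, untrustedName);
const safeVerdict = auditGlobalErrorHandler(fakeWindow); // 'ok'
```

The audit is intentionally narrow: it catches the exact pattern in the vector (`onerror = eval`), not every handler that might forward text to a code evaluator further down the call chain, so it belongs alongside a CSP that omits `'unsafe-eval'` rather than in place of one.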
You Should Know:
Testing & Exploitation
To test this vulnerability in Safari:
1. Basic PoC:
<script>onerror=alert,new name</script>
This triggers an alert box when the error occurs.
2. Advanced Payload:
<script>onerror=eval,name='alert(document.domain)',new name</script>
This dynamically executes the payload stored in `name`.
Mitigation & Defense
- Content Security Policy (CSP):
Content-Security-Policy: script-src 'self'; object-src 'none';
Prevents inline script execution.
- Sanitization:
Use DOMPurify or similar libraries to filter malicious scripts.
- Disable `eval`:
Avoid using `eval()` in JavaScript to prevent arbitrary code execution.
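A CSP only helps here if its effective script policy really blocks both the injected inline `<script>` and the `eval()` call, so the following added Node.js example (not code from the original article) parses a Content-Security-Policy header value and reports both answers. It applies the `script-src` to `default-src` fallback and the CSP3 rule that `'unsafe-inline'` is ignored once a nonce, hash or `'strict-dynamic'` is present. The function names `parseCsp`, `effectiveScriptSources`, `isNonceOrHash` and `evaluateCsp` are this example's own, and the nonce value in the sample headers is constructed.

```javascript
// Added example (not from the original article). Evaluates a CSP header value
// against the two steps this vector needs: inline script injection and eval().

// Split a CSP header into a Map of directive name -> list of source expressions.
// Directive names are case-insensitive; a repeated directive is ignored, as the
// spec says browsers must do.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of String(header).split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Effective script sources: script-src, falling back to default-src. When
// neither is present the policy places no restriction on scripts at all.
function effectiveScriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Nonce and hash source expressions, e.g. 'nonce-...' or 'sha256-...'.
function isNonceOrHash(src) {
  return /^'(nonce-|sha(256|384|512)-)/.test(src);
}

// Verdict for one header value. `restricted` is false when scripts are not
// governed by the policy; `allowsInline` and `allowsEval` say whether each
// step of the vector would still go through.
function evaluateCsp(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) {
    return { restricted: false, allowsInline: true, allowsEval: true };
  }
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some(isNonceOrHash);
  const strictDynamic = lower.includes("'strict-dynamic'");
  // 'unsafe-inline' is ignored by CSP3 browsers once a nonce, hash or
  // 'strict-dynamic' is present, so inline injection is only open when the
  // keyword stands on its own.
  const allowsInline =
    lower.includes("'unsafe-inline'") && !hasNonceOrHash && !strictDynamic;
  const allowsEval = lower.includes("'unsafe-eval'");
  return { restricted: true, allowsInline, allowsEval };
}

// Usage: the policy from the article beside a weak one (constructed samples).
const articlePolicy = "Content-Security-Policy: script-src 'self'; object-src 'none';"
  .replace(/^Content-Security-Policy:\s*/i, '');
const weakPolicy = "default-src 'self' 'unsafe-inline' 'unsafe-eval'";
const articleVerdict = evaluateCsp(articlePolicy); // inline and eval both blocked
const weakVerdict = evaluateCsp(weakPolicy);       // inline and eval both allowed
```

The check covers one enforced header value; it does not model `Content-Security-Policy-Report-Only`, multiple headers (which browsers intersect), or a policy delivered through a `<meta>` tag, so run it against whatever the server actually sends rather than the intended configuration.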
Browser-Specific Quirks
- Chrome/Firefox: Do not pass the exception to `eval` in the same way.
- Safari: Unique behavior in error handling makes this vector effective.
What Undercode Says
This Safari-specific XSS vector highlights how browser inconsistencies can lead to security vulnerabilities. Developers must:
– Test across multiple browsers.
– Avoid dangerous functions like `eval`.
– Implement strict CSP headers.
For further reading, check the original post:
Gareth Heyes’ LinkedIn Post
Prediction
As browser security evolves, attackers will increasingly target niche engine behaviors. Safari’s unique JavaScript handling may lead to more such exploits in the future.
Reported By: Gareth Heyes – Hackers Feeds