XSSing TypeErrors in Safari – The Spanner

By /

Listen to this Post

Featured Image
URL: XSSing TypeErrors in Safari – The Spanner

Gareth Heyes, a researcher at PortSwigger Web Security, discovered a Safari TypeError XSS vulnerability during his lunch break. This fun and insightful exploit demonstrates how TypeError exceptions in Safari can be manipulated to execute cross-site scripting (XSS) attacks.

You Should Know:

Understanding the Safari TypeError XSS Exploit

Safari’s JavaScript engine sometimes generates TypeError exceptions that can be abused to inject malicious scripts. This vulnerability arises due to improper handling of object types during execution.

Proof of Concept (PoC) Code

Below is a simplified example of how this exploit might work:

// Trigger a TypeError in Safari 
const malObj = undefined; 
try { 
malObj.nonExistentMethod(); 
} catch (e) { 
if (e instanceof TypeError) { 
// Manipulate the error to execute arbitrary code 
document.body.innerHTML = <code><img src=x onerror="alert('XSS via TypeError')"></code>; 
} 
}

Steps to Reproduce:

  1. Identify a TypeError scenario – Find where Safari fails to handle object methods properly.
  2. Craft a malicious payload – Use the error to inject script execution.
  3. Test in Safari – Verify the XSS triggers when the TypeError occurs.

Mitigation Techniques

  • Input Sanitization: Always sanitize user inputs to prevent script injection.
  • Content Security Policy (CSP): Implement CSP headers to restrict inline scripts.
  • Error Handling: Avoid exposing raw error messages to the client.

Useful Commands for Debugging XSS in Safari

 Enable Safari Developer Tools (macOS) 
defaults write com.apple.Safari IncludeDevelopMenu -bool true

Check JavaScript errors in Safari Console 
window.onerror = function(msg, url, line) { 
console.log(<code>Error: ${msg} at ${url}:${line}</code>); 
};

Linux alternative for testing (using Lynx text browser) 
lynx -dump "http://vulnerable-site.com/xss-test" | grep -i "script"

Windows Command for XSS Testing

 Check for reflected XSS using curl (Windows) 
curl -I "http://test-site.com/search?q=<script>alert(1)</script>"

What Undercode Say

This Safari TypeError XSS exploit highlights how browser-specific quirks can lead to security risks. Developers must rigorously test error handling in JavaScript, especially in Safari, where unexpected behaviors may open doors for attackers. Implementing strict CSP policies and input validation remains critical.

Expected Output:

  • Successful XSS execution via TypeError manipulation in Safari.
  • Browser console logs showing injected script activity.
  • Mitigation via CSP preventing unauthorized script execution.

Prediction

As browser engines evolve, new edge-case vulnerabilities like TypeError XSS will emerge. Automated tools and manual testing must adapt to catch these subtle flaws before attackers exploit them.

Relevant Links:

IT/Security Reporter URL:

Reported By: Gareth Heyes – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram

Related Posts: