Universal Reverse ClickJacking / SOME

This page collects Universal Reverse ClickJacking (also sometimes called Same Origin Method Execution or SOME) vulnerabilities.

A Universal Reverse ClickJacking vulnerability arises when a JSONP callback parameter (i.e. a user-controlled parameter reflected in a JS context) is controllable by an attacker by passing something like element.click if the parameter ends up in the JSONP callback directly or something like %26callback%3Delement.click%23 (the final # discards any other character that follows) to a routine that builds the JSONP call in an insecure way (for instance, using string concatenation and putting the user-provided input in another parameter but still allowing parameter pollution).

This grants an attacker the ability to execute javascript code in the context of the page, thus performing actions with side effects, such as clicking buttons and submitting forms, on the same page or on different pages in the same origin, using frames or popups.

If the JSONP endpoint is restrictive in terms of allowed charset for the callback this vulnerability does not become a full XSS, since a useful XSS vector would contain forbidden characters.

Single-page Universal Reverse Clickjacking

Page with vulnerable JS and actionable element (parameter in the query, reflected in the callback directly) - the user-provided input ends up in the JSONP callback directly ( <script src="/jsonp?callback=%q"> ).
Page with vulnerable JS and actionable element (parameter in the query, reflected in another parameter of the JSONP endpoint) - the user-provided input ends up in another parameter, but parameter pollution is still possible ( <script src="/jsonp?callback=callbackFunc&other=%q"> ).
Page with vulnerable JS and actionable element (parameter in the fragment, reflected in the callback directly)
Page with vulnerable JS and actionable element (parameter in the fragment, reflected in another parameter of the JSONP endpoint)

Multi-page Universal Reverse Clickjacking

In these tests the vulnerable JS snippet is placed in a page with no actionable DOM object: in this case, exploitation can be achieved by interacting with other pages in the same domain.

Triggering an action on a different page (with frames, parameter in the query and reflected in the callback directly) - this scenario can be mitigated by setting the X-Frame-Options header to DENY , or, in some cases, also SAMEORIGIN , but this page allows framing.
Triggering an action on a different page (with frames, parameter in the query and reflected in another parameter of the JSONP endpoint)
Triggering an action on a different page (with frames, parameter in the fragment and reflected in the callback directly) - this scenario can be mitigated by setting the X-Frame-Options header to DENY , or, in some cases, also SAMEORIGIN , but this page allows framing.
Triggering an action on a different page (with frames, parameter in the fragment and reflected in another parameter of the JSONP endpoint)
Triggering an action on a different page (with popups, parameter in the query and reflected in the callback directly) - this also works if a restrictive X-Frame-Options header is set, but popup blockers in browsers might prevent this attack vector from working. This page does not allow framing.
Triggering an action on a different page (with popups, parameter in the query and reflected in another parameter of the JSONP endpoint)
Triggering an action on a different page (with popups, parameter in the fragment and reflected in the callback directly) - this also works if a restrictive X-Frame-Options header is set, but popup blockers in browsers might prevent this attack vector from working. This page does not allow framing.
Triggering an action on a different page (with popups, parameter in the fragment and reflected in another parameter of the JSONP endpoint)