Universal Reverse ClickJacking / SOME

This page collects Universal Reverse ClickJacking (also sometimes called Same Origin Method Execution or SOME) vulnerabilities.

A Universal Reverse ClickJacking vulnerability arises when an attacker can control a JSONP callback parameter (i.e. a user-controlled parameter reflected in a JS context). This happens either by passing something like element.click, if the parameter ends up in the JSONP callback directly, or by passing something like %26callback%3Delement.click%23 (the final # discards any other character that follows) to a routine that builds the JSONP call in an insecure way (for instance, using string concatenation and putting the user-provided input in another parameter, but still allowing parameter pollution).

This grants an attacker the ability to execute JavaScript code in the context of the page, and thus to perform actions with side effects, such as clicking buttons and submitting forms, on the same page or on different pages in the same origin, using frames or popups.

If the JSONP endpoint restricts the charset allowed for the callback, this vulnerability does not become a full XSS, since a useful XSS vector would contain forbidden characters.
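
The insecure JSONP call construction and the charset restriction described above, as an added example that is not code from this page: a concatenating URL builder next to one that encodes the value and pins the callback, and a charset-only check next to an exact allowlist. The endpoint, the function names, the handleData callback and the regex are assumptions made for illustration.

```javascript
// Added example; the endpoint, function names and allowlist are hypothetical.
const JSONP_ENDPOINT = 'https://api.example.test/jsonp'; // constructed placeholder

// Insecure builder: the decoded user value is concatenated into the query
// string, so "&" and "#" inside it are parsed as URL syntax.
function buildJsonpUrlInsecure(userValue) {
  return JSONP_ENDPOINT + '?q=' + userValue + '&callback=handleData';
}

// Hardened builder: URLSearchParams percent-encodes the value, and the
// callback name is a constant that user input cannot reach.
function buildJsonpUrlHardened(userValue) {
  const url = new URL(JSONP_ENDPOINT);
  url.searchParams.set('q', userValue);
  url.searchParams.set('callback', 'handleData');
  return url.toString();
}

// Callback names the JSONP endpoint would see for a given request URL.
function callbacksSeen(requestUrl) {
  return new URL(requestUrl).searchParams.getAll('callback');
}

// Charset-only check (assumed form of the "restrictive charset" case):
// blocks XSS characters but still accepts a dotted DOM method path.
const CHARSET_ONLY = /^[A-Za-z0-9_.]+$/;
function passesCharsetCheck(name) {
  return CHARSET_ONLY.test(name);
}

// Stricter server-side check: exact allowlist of callbacks the page defines.
const ALLOWED_CALLBACKS = new Set(['handleData']);
function isAllowedCallback(name) {
  return ALLOWED_CALLBACKS.has(name);
}

// The page's input, as the vulnerable routine sees it after URL-decoding.
const decoded = decodeURIComponent('%26callback%3Delement.click%23');
console.log(callbacksSeen(buildJsonpUrlInsecure(decoded)));
console.log(callbacksSeen(buildJsonpUrlHardened(decoded)));
console.log(passesCharsetCheck('element.click'), isAllowedCallback('element.click'));
```

The charset check alone passes element.click, which is why the restriction prevents a full XSS but not this issue; the exact allowlist and the encoded builder each close it independently.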

Single-page Universal Reverse Clickjacking

Multi-page Universal Reverse Clickjacking

In these tests the vulnerable JS snippet is placed in a page with no actionable DOM object: in this case, exploitation can be achieved by interacting with other pages in the same domain.