• Published: 02 July 2021 at 13:27 UTC

• Updated: 02 July 2021 at 13:49 UTC

Cross-Site Scripting and the alert() function have gone hand in hand for decades. Want to prove you can execute arbitrary JavaScript? Pop an alert. Want to find an XSS vulnerability the lazy way? Inject alert()-invoking payloads everywhere and see if anything pops up.

However, there's trouble brewing on the horizon. Malicious adverts have been abusing our beloved alert to distract and social engineer visitors from inside their iframe. Google Chrome has decided to tackle this by disabling alert for cross-domain iframes. Cross-domain iframes are often built into websites deliberately, and are also a near-essential component of certain relatively advanced XSS attacks.

Once Chrome 92 lands on 20th July 2021, XSS vulnerabilities inside cross-domain iframes will:

• No longer enable alert-based PoCs.
• Be invisible to anyone using alert-based detection techniques.

What next? The obvious workaround is to use prompt or confirm, but unfortunately Chrome's mitigation blocks all dialogs. Triggering a DNS pingback to a listener, OAST-style is another potential approach, but less suitable as a PoC due to the config requirements. We also ruled out console.log() as cross-domain iframes can't write messages to the top window, and console functions are often proxied.

We needed an alert-alternative that was:

• Simple, setup-free and easy to remember
• Highly visible, even when executed in an invisible iframe

After weeks of intensive research, we're thrilled to bring you...

print()

We will be updating our Web Security Academy labs to support print() based solutions shortly. The XSS cheat sheet will also be updated to reflect the new print() payloads when using cross domain iframes. We'll keep using alert when there's no iframes involved... for now.

Long live print!

- Gareth & James

Back to all articles