The following is not a bug in web browsers (it's supposed to work this way), but it is useful in some cases, like the one described here.
In one of the JavaScript files loaded by an endpoint of a private program, they were taking the value of `window.name` and passing it to something like `eval([here])` or `setTimeout([here], [some_milliseconds])`, I don't remember correctly... The thing is that the value of `window.name` was being evaluated as JavaScript code, so `window.name = 'alert()'` showed an `alert()`.
To use this behavior for an attack, you have two options:
- if the endpoint is frameable from any domain, you can create an `<iframe name='[javascript_code_here]' src='[vulnerable_endpoint]'></iframe>`
- if it's not frameable, you can set `window.name = '[javascript_code_here]'` in your own domain and then redirect to the vulnerable endpoint
The one I used was the second option. 💰
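As an added example (my own code, not the program's), here is the sink pattern described above next to a hardened replacement that treats `window.name` as untrusted data, whoever set it (a framing page or a previous page on another origin). `win` is a stand-in for the browser's `window` object so the snippet runs in Node.

```javascript
// Vulnerable pattern: window.name flows into an eval-style sink.
// (0, eval)(...) is an indirect eval, the same class of sink as
// eval(window.name) or setTimeout(window.name, ms) with a string.
function vulnerableHandler(win) {
  return (0, eval)(win.name);
}

// Hardened replacement: window.name is never executed. It is validated
// against a strict allowlist and only used as a key into known handlers.
const ALLOWED_NAME = /^[A-Za-z0-9_-]{1,32}$/;
const HANDLERS = {
  welcome: () => "welcome panel shown",
  settings: () => "settings panel shown",
};

function hardenedHandler(win) {
  const name = typeof win.name === "string" ? win.name : "";
  if (!ALLOWED_NAME.test(name)) {
    return null; // malformed or suspiciously long: ignore, do not execute
  }
  if (!Object.prototype.hasOwnProperty.call(HANDLERS, name)) {
    return null; // not one of ours: ignore
  }
  return HANDLERS[name]();
}

// Constructed sample windows: one benign, one carrying code in its name.
const benignWindow = { name: "welcome" };
const taintedWindow = { name: "1 + 41" }; // harmless stand-in for injected code

console.log(vulnerableHandler(taintedWindow)); // 42: the name was executed
console.log(hardenedHandler(taintedWindow));   // null: rejected as data
console.log(hardenedHandler(benignWindow));    // "welcome panel shown"
```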