iframe

HTML5 Security:

Iframe hacks will only work if the SandBox attribute of the iframe is explicitly deactivated or one of the following flags are set(allow-script, allow-forms, allow-top-navigation).

Redirections:

When a site is iframed that site can redirect users who visit the parent page. This is done by setting the window.location property of its parent document. This can be used to redirect the user to a malicous site.

To inform the user about this type of activity before they get redirected you can set the attribute onbeforeunload for the iframe.

Same origin XSS:

If both the iframe and the Parent page belong to the same origin then XSS payloads can be used to edit each others pages.

//Sample Payload to DOM deface from the iframe to the parent page.
<script>
    window.parent.document.body.innerHTML = 'defacement';
</script>

This is often part of a chain attack where the hacker gets a stored XSS on a page that gets iframed somewhere else.

PreviousCORS NextHeaders

Last updated 3 years ago

Was this helpful?