IFrames security summary
Published: Wed, 24 Oct 2007 11:19:00 GMT
Updated: Sat, 22 Mar 2025 15:38:06 GMT
I've decided to collect the various proof of concepts I've done and summarise why iframes are a security risk. Here are the top reasons:-
1. Browser cross domain exploits
Description:- Because you can embed another web site inside your page, you can exploit that page and perform actions as that user and doing anything on a chosen web site.
Proof of concept:- Safari beta 3.03 zero day
2. XSS/CSRF reflection attacks
Description:- Using iframes embedded onto a compromised site an attacker then can reflect attacks to other servers therefore making attacks difficult to trace and having a focal point to conduct attacks.
Proof of concept:- None available for this type of attack as it would be difficult to show the method without actually conducting an attack.
3. CSS and iframes can scan your LAN from the internet!
Description:- By exploiting features in CSS and using iframes to check if the default IP address exists, it's possible to get your network address range quite easily providing the network device uses the default out of the box IP address.
Proof of concept:- CSS LAN scanner
4. LAN scanning with Javascript and iframes
Description:- Using a similar method as above it is possible to gain your LAN information using Javascript.
Proof of concept:- Javascript LAN scanner
5. CSS iframe overlays
Description:- Iframes can be embedded inside each other in Firefox and you can alter their appearance to create seamless overlays with any site. This would make it very difficult for a user to know which site they are interacting with and fool them to performing an action.
Proof of concept:- Verisign OpenID exploit (now fixed)
6. URL redirection
Description:- Iframes also allow you to perform redirection so you can have access to URLs which normally wouldn't be accessible. In the delicious example, the POC redirects from delicious/home to your account bookmarks and then uses CSS overlays to display your first bookmark. Firefox and a delicious account are required for the POC.
Proof of concept:- Delicious CSS overlay/Redirection