Elevating Cross-Frame Scripting (why it matters more than experts think…)

2 years ago 149

Ethan Roberts

Are you able to hijack the source of an iFrame, or execute JavaScript inside one? This attack (called an XFS attack) is typically treated as a low-severity vulnerability. Here is how you can pivot it into a higher-severity issue.

What is Cross Frame Scripting?

Cross Frame Scripting (known as XFS) is a vulnerability that doesn’t seem very severe to most people. Frame hijacking, frame injection and similar issues all fall into this category. XFS is where you are able to control the source attribute of an iFrame, or somehow control the scripts inside it. From there you can achieve a somewhat “sandboxed” XSS, where the scripts do not really affect the parent site.

What can we do with it

Many bug bounty programs will tell you this isn’t a very severe vulnerability. However, that is not the case. Here is a list of moderate-impact actions you are able to take:

- Key logging on Internet Explorer
- Redirection of the parent page
- Depending on the attributes of the frame, overwriting page contents

This list will be updated constantly, with more issues I find being added as soon as I find them.

Key Logging on Internet Explorer

There is a bug in all versions of Internet Explorer (including the most recent) that can leak keystrokes across frames. This is a memory leak caused by a focus-handling issue when multiple frames are present. Here is the code you would put in a frame you control:

This code, when inside an iFrame on example.com, will log keystrokes on the parent page.

Parent Redirection

There are many methods for this; the one I found that works most often uses jQuery and form submissions. If you include this script:

the parent page will be redirected to https://example.com. However, it requires the user to allow redirections in general:

This pop-up won’t display if they have already set “Always allow pop-ups and redirect from https://…”

Overwriting Pages

This one is fairly self-explanatory: if the iFrame does not set specific display or style attributes, you can expand the iFrame and overwrite the page content. An example of this is creating an overlay that tricks the user into clicking malicious content. Perhaps an embedded login page? Or maybe a reverse clickjacking-esque style of attack.
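From the parent site's side, the three issues above (an attacker-chosen frame source, redirection of the parent, and a frame that grows into an overlay) are all things the page embedding the frame can refuse. The following is an added example, not code from the original post: a parent page builds its iframes only from an allowlist of https origins, gives the framed document a `sandbox` that omits `allow-top-navigation`, and pins the element to a fixed box. The origin `https://widgets.example.com`, the `ALLOWED_FRAME_ORIGINS` set and the function names are constructed for the example. It does not address the Internet Explorer focus bug the post describes, which the `sandbox` attribute does not control.

```javascript
// Added example (not from the original post): the embedding page decides
// the frame's src and permissions, so an injected value cannot pick the
// source or escape the frame once loaded.
//
// ALLOWED_FRAME_ORIGINS, buildFrameAttributes, isFrameSrcAllowed and
// mountFrame are hypothetical names constructed for this example.

const ALLOWED_FRAME_ORIGINS = new Set([
  "https://widgets.example.com", // constructed sample origin
]);

// Permissions granted to the framed document. Deliberately omitted:
//   allow-top-navigation  -> the frame cannot redirect the parent page
//   allow-same-origin     -> the frame stays a separate, opaque origin
//   allow-popups          -> no window.open() from inside the frame
const FRAME_SANDBOX = "allow-scripts allow-forms";

// Fixed box: a framed document cannot grow the element to cover the parent.
const FRAME_WIDTH = 300;
const FRAME_HEIGHT = 150;

// Validate a candidate src and return the exact attribute set to apply.
// Throws on anything that is not an absolute https URL on an allowed origin.
function buildFrameAttributes(candidateSrc, allowedOrigins = ALLOWED_FRAME_ORIGINS) {
  let url;
  try {
    url = new URL(candidateSrc); // relative URLs and garbage are rejected here
  } catch (e) {
    throw new Error("frame src is not an absolute URL");
  }
  // javascript:, data:, blob:, http: never reach the iframe element
  if (url.protocol !== "https:") {
    throw new Error("frame src must use https");
  }
  // Compare the parsed origin, not a string prefix, so
  // https://widgets.example.com.evil.test does not pass.
  if (!allowedOrigins.has(url.origin)) {
    throw new Error("frame origin not in allowlist: " + url.origin);
  }
  return {
    src: url.href,
    sandbox: FRAME_SANDBOX,
    referrerpolicy: "no-referrer",
    width: String(FRAME_WIDTH),
    height: String(FRAME_HEIGHT),
    style:
      "width:" + FRAME_WIDTH + "px;height:" + FRAME_HEIGHT + "px;" +
      "border:0;position:static;overflow:hidden;",
  };
}

// Convenience predicate for callers that only need a yes/no answer.
function isFrameSrcAllowed(candidateSrc) {
  try {
    buildFrameAttributes(candidateSrc);
    return true;
  } catch (e) {
    return false;
  }
}

// Create the iframe from the validated attributes (browser only).
function mountFrame(container, candidateSrc) {
  const attrs = buildFrameAttributes(candidateSrc);
  const frame = document.createElement("iframe");
  for (const [name, value] of Object.entries(attrs)) {
    frame.setAttribute(name, value);
  }
  container.appendChild(frame);
  return frame;
}

// Usage in a page; skipped when run outside a browser.
if (typeof document !== "undefined") {
  mountFrame(document.body, "https://widgets.example.com/chat?user=42");
}
```

The check is done on the parsed `origin` rather than on a string prefix, and the parse happens before any attribute is set, so a value such as `javascript:` or `//widgets.example.com/...` (scheme-relative, which would inherit the parent's scheme) is rejected before an element exists. If the framed widget legitimately needs to navigate the parent, add `allow-top-navigation-by-user-activation` rather than `allow-top-navigation`, so a script running in the frame cannot redirect silently.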
