• 4 Security Concerns with iframes Every Web Developer Should Know
  • Piumi Liyana Gunawardhana
  • The Nuggets translation Project
  • Permanent link to this article: github.com/xitu/gold-m…
  • Translator: jaredliw
  • Proofread by: Usualminds, KimYangOfCat

4 Iframe Security Issues Every Web Developer Should Know About

The iframe is one of the oldest and simplest content-embedding techniques in web development and is still used today. However, using iframes in practice can introduce security risks and open the door to attackers.


Therefore, in this article, I will discuss four security risks you should be aware of before using iframes.

1. Iframe injection

Iframe injection is a very common form of cross-site scripting (XSS) attack.

Iframes use multiple tags to display HTML documents on a web page and to redirect users to other websites. This behaviour allows a third party to embed a malicious executable, virus, or worm into your web application and run it on the user's device.

We can find out where an iframe has been injected by scanning the HTML sent by the web server. All you need to do is open the page in your browser and use View Source to inspect the HTML. Since these iframes usually refer to native IP addresses, you should search for the

For example, let’s look at the following code:

%23wp/+++++%0a%23GPL+%3cscript+Language%3d%27javascript%27%3e%0a++++%3c%21--%0a++++document.write%28unescape%28%273c696672616d65207372633d27687474703a2f2f696e666f736563696e737469747574652e636f6d2f272077696474683d273127206865696768743d273127207374796c653d277669736962696c6974793a2068696464656e3b273e3c2f696672616d653e%27%29%29%3b%0a++++//--%3e%0a++++%3c/Script%3e

It looks harmless and appears to be code that belongs to the site, but in fact it is the root of the problem. If you decode it with a JavaScript URL-decoding function, the output looks like this:

#wp/
#GPL <script Language='javascript'>
    <!--
    document.write(unescape('3c696672616d65207372633d27687474703a2f2f696e666f736563696e737469747574652e636f6d2f272077696474683d273127206865696768743d273127207374796c653d277669736962696c6974793a2068696464656e3b273e3c2f696672616d653e'));
    //-->
    </Script>

Again, this looks legitimate, because the attacker used the labels GPL and WP and set the language to JavaScript. The long run of digits and letters looks like hexadecimal, so we can pass it through a hex decoder, which yields the following:

<iframe src='https://www.infosecinstitute.com/' width='1' height='1' style='visibility: hidden;'></iframe>

Therefore, when you find an iframe in your HTML that you did not put there, investigate the cause as soon as possible and remove it from the site or the database.
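The decoding chain described above (URL-decode the blob, pull the hex string out of the unescape() call, hex-decode it) can be automated so that a scan of served HTML flags hidden iframes instead of relying on eyeballing View Source. The following is an added example written for this article, not code from the original post; it runs under Node.js, and the sample payload is constructed at runtime with a placeholder host (example.invalid) rather than copied from the page.

```javascript
// Added example, not from the original article: decode an obfuscated iframe
// injection the way the article describes (URL-decode, then hex-decode the
// unescape() argument) and flag iframes that are visually hidden.
// All sample input below is constructed for this demo.

// Step 1: URL-decode, treating '+' as a space (form encoding, as in the sample).
function urlDecode(encoded) {
  return decodeURIComponent(encoded.replace(/\+/g, ' '));
}

// Step 2: pull the hex string out of a document.write(unescape('...')) call.
function extractUnescapeHex(script) {
  const m = /unescape\(\s*['"]([0-9a-fA-F]+)['"]\s*\)/.exec(script);
  return m ? m[1] : null;
}

// Step 3: hex -> text (latin1 keeps a 1:1 byte-to-char mapping).
function hexToText(hex) {
  return Buffer.from(hex, 'hex').toString('latin1');
}

// Full chain: returns the HTML the injected script would write into the page,
// or null if the blob does not contain the unescape() pattern.
function decodeInjectedPayload(encoded) {
  const script = urlDecode(encoded);
  const hex = extractUnescapeHex(script);
  return hex ? hexToText(hex) : null;
}

// Step 4: find iframes that a user could not see (1x1 or hidden by style).
// Returns one finding per suspicious iframe with its src and the reason.
function findHiddenIframes(html) {
  const findings = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let t;
  while ((t = tagRe.exec(html)) !== null) {
    const attrs = {};
    const attrRe = /([a-zA-Z-]+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))/g;
    let a;
    while ((a = attrRe.exec(t[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    const tiny = ['width', 'height'].every(k => k in attrs && parseInt(attrs[k], 10) <= 1);
    const style = (attrs.style || '').replace(/\s+/g, '').toLowerCase();
    const hiddenStyle = style.includes('visibility:hidden') || style.includes('display:none');
    if (tiny || hiddenStyle) {
      findings.push({ src: attrs.src || '', reason: tiny ? 'size<=1px' : 'hidden style' });
    }
  }
  return findings;
}

// Constructed sample: same obfuscation shape as the article's payload, but
// pointing at a placeholder host. Built here so the demo runs offline.
const SAMPLE_HTML =
  "<iframe src='http://example.invalid/' width='1' height='1' style='visibility: hidden;'></iframe>";
const SAMPLE_ENCODED = encodeURIComponent(
  "<script>\ndocument.write(unescape('" +
    Buffer.from(SAMPLE_HTML, 'latin1').toString('hex') +
    "'));\n</script>"
).replace(/%20/g, '+');

// Usage: decode the blob, then scan the result.
const decodedSample = decodeInjectedPayload(SAMPLE_ENCODED);
console.log(decodedSample);
console.log(findHiddenIframes(decodedSample)); // one finding for example.invalid
```

The scanner reports on size and style only; a legitimate 1x1 tracking pixel will also be flagged, which is the point: every hit should be explained by someone who owns the page.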

2. Cross-frame scripting

Cross-frame scripting (XFS) combines an iframe with a malicious JavaScript script to steal user data.

An XFS attacker convinces a user to visit a web page under their control, which uses an iframe to load a legitimate site alongside a malicious script. When the user enters credentials into the legitimate website inside the iframe, the malicious JavaScript logs the input.


This attack can be prevented by setting the Content-Security-Policy: frame-ancestors directive and the X-Frame-Options header in the web server configuration.

3. Clickjacking

Clickjacking attacks trick users into clicking hidden web elements. As a result, users may inadvertently download malware, visit malicious websites, hand over passwords or sensitive information, transfer money, or make online purchases.

An attacker typically performs clickjacking by overlaying an invisible HTML element, delivered through an iframe, on top of a website.

The user believes they are clicking the visible page; in reality they are clicking the hidden element that overlays it.

There are two main strategies to protect yourself from clickjacking:

  • The most popular client-side method is frame busting, but it is not the best solution, because the framing page can simply ignore it.
  • The best server-side approach is to use X-Frame-Options. Security experts strongly recommend addressing clickjacking on the server side.

4. Iframe phishing

Consider a social platform that lets users and developers embed third-party web pages in their fan pages or other applications via iframes.

Attackers often abuse this feature by using iframes in phishing attacks.

By default, the content inside an iframe is allowed to navigate the top-level window. Therefore, an attacker may exploit a cross-site scripting (XSS) vulnerability to inject an iframe carrying phishing code into a web application, which then sends users to a phishing site.

As an example, consider the following code:

<html>
  <head>
    <title>Infosec Institute iFrame by Irfan</title>
  </head>
  <body>
    <iframe src="/user/piumi/" width="1450" height="300" frameborder="0"></iframe>
    <iframe src="http://phishing.com/wp-login" width="1450" height="250" frameborder="0"></iframe>
  </body>
</html>

The code above contains an iframe that embeds a phishing site. Users are redirected there, and if they do not pay attention to the URL bar, the attacker can easily obtain their credentials.

Iframe phishing attackers cannot forge the URL bar, but they can trigger redirects that manipulate what the user subsequently receives.


This problem can be avoided by applying the sandbox attribute to the iframe and leaving out the allow-top-navigation value.
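To make the sandbox mitigation concrete, here is an added example written for this article (not code from the original post): the unsandboxed iframe from the phishing section beside a sandboxed one, and a small checker that reads an iframe tag's sandbox attribute and reports whether the framed page could still navigate the top-level window. The markup is constructed for the demo and partner.invalid is a placeholder host.

```javascript
// Added example, not from the original article: the phishing-prone iframe
// beside a sandboxed version, plus a checker that reports what a sandbox
// attribute still permits. Markup is constructed; partner.invalid is a placeholder.

// Vulnerable: no sandbox attribute, so the framed document may navigate the
// top window, run script, submit forms, open popups, and so on.
const UNSANDBOXED =
  '<iframe src="https://partner.invalid/widget" width="1450" height="250"></iframe>';

// Hardened: the sandbox attribute removes every capability; add back only what
// the embedded content really needs. allow-top-navigation is deliberately absent.
const SANDBOXED =
  '<iframe src="https://partner.invalid/widget" width="1450" height="250" ' +
  'sandbox="allow-scripts allow-forms"></iframe>';

// Sandbox tokens that re-enable behaviour relevant to this article. The
// allow-same-origin note applies when the framed page is same-origin with the
// embedder: with allow-scripts it can then strip the sandbox attribute itself.
const DANGEROUS_TOKENS = {
  'allow-top-navigation': 'embedded page may redirect the whole tab',
  'allow-top-navigation-by-user-activation': 'embedded page may redirect the tab after a user gesture',
  'allow-same-origin': 'embedded page keeps its origin; a same-origin page with allow-scripts can remove its own sandbox',
  'allow-popups-to-escape-sandbox': 'popups opened by the embedded page are not sandboxed',
};

// Parse the sandbox attribute of one iframe tag. Returns null when the
// attribute is absent (fully unsandboxed) and [] for a bare `sandbox`.
// The leading whitespace in the pattern keeps "sandbox" inside a URL from matching.
function parseSandbox(iframeTag) {
  const m = /\ssandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/i.exec(iframeTag);
  if (!m) return null;
  const value = m[1] ?? m[2] ?? m[3] ?? '';
  return value.trim().split(/\s+/).filter(Boolean).map(t => t.toLowerCase());
}

// Can the framed document navigate the top-level window (the phishing vector)?
function canNavigateTop(iframeTag) {
  const tokens = parseSandbox(iframeTag);
  return (
    tokens === null ||
    tokens.includes('allow-top-navigation') ||
    tokens.includes('allow-top-navigation-by-user-activation')
  );
}

// Audit one iframe tag and return the problems a reviewer should raise.
function auditIframe(iframeTag) {
  const tokens = parseSandbox(iframeTag);
  if (tokens === null) {
    return ['no sandbox attribute: top-level navigation, scripts and forms are all allowed'];
  }
  return tokens.filter(t => DANGEROUS_TOKENS[t]).map(t => `${t}: ${DANGEROUS_TOKENS[t]}`);
}

// Usage: compare the two tags.
console.log(canNavigateTop(UNSANDBOXED), auditIframe(UNSANDBOXED)); // true, one problem
console.log(canNavigateTop(SANDBOXED), auditIframe(SANDBOXED));     // false, []
```

The checker looks at a single tag at a time on purpose: the decision about which tokens an embed needs is made per iframe, and a template review can run auditIframe over every iframe a page emits and fail the build on any non-empty result.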

A few final thoughts

Iframes can improve user interaction. However, when you use an iframe you are dealing with content from a third party over which you have no control. As a result, an iframe can easily become a threat to your application.

However, we should not stop using iframes because of security concerns. We need to be aware of these issues and take precautions to protect our applications.

I hope this article helps you identify security issues with iframes. Let me know what you think in the comments section below.


Thank you for reading!

If you find any mistakes in the translation or other areas that need improvement, you are welcome to revise the translation and submit a PR to the Nuggets Translation Project; you can also earn the corresponding reward points. The permanent link at the beginning of this article is the Markdown link to this article on GitHub.


The Nuggets Translation Project is a community that translates high-quality English technical articles from the Internet and shares them on Nuggets. The content covers Android, iOS, front-end, back-end, blockchain, products, design, artificial intelligence and other fields. If you want to see more high-quality translations, please follow the Nuggets Translation Project, its official Weibo account, and its Zhihu column.