# Iframe security code

Frame injection is a type of code injection vulnerability classified by OWASP in its A1 Injection category. Cross-site scripting is naturally prioritized by bug bounty hunters since it seems easily exploitable and effective. But malicious hackers are also attracted to this vulnerability because there are aspects of the frame injection attack that can allow hackers to redirect users to other malicious websites used for phishing and similar attacks.

In this blog post, we explore one of these aspects, inspired by security analyst Mustafa Hasan's research. We'll also outline a method for preventing this vulnerability. Hasan is a security consultant at Securemisr, a former Netsparker employee, and a bug bounty participant.

## Invention and Development of Frames

Before the invention of frames, you could be certain of encountering only a single window object on any given website. However, the introduction of frames to HTML changed this, making it necessary to handle multiple windows on the same web page. Quite often, an action in one frame - clicking a link, for example - would directly affect a neighboring frame. Imagine two neighboring frames in a web page designed as an e-book reader, where one frame is used to view the table of contents for the book while the links clicked in that content will launch in the other frame. This can be achieved quite simply by adding a target attribute to anchor elements and forms, or by specifying the window name in which the URL will be loaded as the second parameter of JavaScript's window.open method.

In the mid-1990s, a web page could redirect any frame to a different web address at any given time. In 1999, security researcher Georgi Guninski published his research on the dangers of frame navigation. He discovered that if the login page of Citibank was loaded in an iframe, due to the frame rules at the time, the address of this frame could be changed by a different page in another window.
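The following is an added example, not code from the original post or from Netsparker/Invicti. It models how a frame target (the `target` attribute, or the name passed as the second argument of `window.open`) is resolved inside a tree of windows, and contrasts the mid-1990s rule the post describes, under which any page could retarget any frame it could name, with a simplified form of the descendant and same-origin rule browsers apply today. The origins, frame names and the `'descendant'` policy are assumptions made for illustration; the policy is a simplification, not the HTML specification's algorithm.

```javascript
// Added example (not from the original post): a model of frame-target
// resolution and of two navigation rules. Origins and names are placeholders.

class Frame {
  constructor(name, origin, parent = null) {
    this.name = name;        // the window name a target attribute refers to
    this.origin = origin;    // scheme://host of the document loaded in it
    this.parent = parent;    // null for a top-level window
    this.children = [];
    this.href = origin + '/';
    if (parent) parent.children.push(this);
  }
  get top() { return this.parent ? this.parent.top : this; }
  isDescendantOf(other) {
    for (let p = this.parent; p; p = p.parent) if (p === other) return true;
    return false;
  }
}

// Depth-first search of every open window for a frame with this name.
function findByName(name, windows) {
  const stack = [...windows];
  while (stack.length) {
    const f = stack.pop();
    if (f.name === name) return f;
    stack.push(...f.children);
  }
  return null;
}

// Resolve a target the way <a target>, <form target> and window.open(url, name)
// do: the reserved names first, then a lookup by window name.
function resolveTarget(source, target, windows) {
  switch (target) {
    case '': case '_self': return source;
    case '_parent': return source.parent || source;
    case '_top': return source.top;
    case '_blank': return null; // a fresh window; nothing existing is touched
    default: return findByName(target, windows);
  }
}

// 'legacy': the mid-1990s rule, any page may retarget any named frame.
// 'descendant' (simplified, an assumption for this example): a page may
// navigate itself, frames nested inside it, frames of its own origin, and
// its own top-level window.
function allowedToNavigate(source, target, policy) {
  if (policy === 'legacy') return true;
  if (source === target) return true;
  if (target.isDescendantOf(source)) return true;
  if (source.origin === target.origin) return true;
  if (target === source.top) return true; // what frame-busting scripts rely on
  return false;
}

function navigate(source, targetName, url, windows, policy) {
  const target = resolveTarget(source, targetName, windows);
  if (!target) return { ok: false, reason: 'no frame with that name' };
  if (!allowedToNavigate(source, target, policy)) {
    return { ok: false, reason: 'blocked by navigation policy', target: target.name };
  }
  target.href = url;
  return { ok: true, target: target.name, href: url };
}

// Constructed scenario: an e-book reader with two sibling frames, a portal
// page embedding a bank login page in an iframe named "login", and an
// unrelated page open in another window.
function buildScenario() {
  const reader = new Frame('reader', 'https://book.example');
  const toc = new Frame('toc', 'https://book.example', reader);
  const content = new Frame('content', 'https://book.example', reader);
  const portal = new Frame('portal', 'https://portal.example');
  const login = new Frame('login', 'https://bank.example', portal);
  login.href = 'https://bank.example/login';
  const other = new Frame('other', 'https://other.example');
  return { windows: [reader, portal, other], toc, content, portal, login, other };
}

// Usage: the same cross-window retargeting of the "login" frame under each rule.
for (const policy of ['legacy', 'descendant']) {
  const s = buildScenario();
  const r = navigate(s.other, 'login', 'https://phish.example/login', s.windows, policy);
  console.log(policy, r, 'login frame now at', s.login.href);
}
```

Under the `'legacy'` rule the unrelated window silently replaces the bank login frame, which is the risk the post attributes to Guninski's research; under the `'descendant'` rule the same call is refused while the e-book reader's same-origin sibling frames, and the embedding page's navigation of its own child frame, still work. The last point is worth noting for defenders: the page that embeds a frame can always retarget it, so protecting a login page means controlling who may frame it, not only who may name it.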