IFrames security summary

I’ve decided to collect the various proofs of concept I’ve done and summarise why iframes are a security risk. Here are the top reasons:-

1. Browser cross domain exploits

Description:-
Because you can embed another web site inside your page, a browser cross-domain flaw lets you exploit the embedded page and perform actions as that user, doing anything on a chosen web site.

Proof of concept:-
Safari beta 3.03 zero day

2. XSS/CSRF reflection attacks

Description:-
Using iframes embedded in a compromised site, an attacker can reflect attacks to other servers, which makes the attacks difficult to trace and gives the attacker a focal point from which to conduct them.

Proof of concept:-
None available for this type of attack as it would be difficult to show the method without actually conducting an attack.

3. CSS and iframes can scan your LAN from the internet!

Description:-
By exploiting features in CSS and using iframes to check whether a default IP address exists, it’s possible to get your network address range quite easily, provided the network device uses its default out-of-the-box IP address.

Proof of concept:-
CSS LAN scanner

4. LAN scanning with Javascript and iframes

Description:-
Using a method similar to the one above, it is possible to gain your LAN information using JavaScript.

Proof of concept:-
Javascript LAN scanner

5. CSS iframe overlays

Description:-
Iframes can be embedded inside each other in Firefox, and you can alter their appearance to create seamless overlays with any site. This would make it very difficult for a user to know which site they are interacting with and could fool them into performing an action.

Proof of concept:-
Verisign OpenID exploit (now fixed)

6. URL redirection

Description:-
Iframes also allow you to perform redirection so you can have access to URLs which normally wouldn’t be accessible. In the delicious example, the POC redirects from delicious/home to your account bookmarks and then uses CSS overlays to display your first bookmark. Firefox and a delicious account are required for the POC.

Proof of concept:-
Delicious CSS overlay/Redirection

Comments 10

  1. Marco Ramilli wrote:

    Yep, great brief Gareth.
    Thanks.

    Posted 24 Oct 2007 at 5:25 pm
  2. Gareth Heyes wrote:

    Thanks Marco :)

    Posted 24 Oct 2007 at 6:37 pm
  3. mat wrote:

    Is a simple script like this one a good protection against iframe attacks:

    <script type="text/javascript">
    if (top != self)
      top.location.href = location.href;
    </script>

    Thanks.

    Posted 26 Oct 2007 at 10:05 am
  4. Gareth Heyes wrote:

    Yep actually I do recommend that on my blog. Only downside is that with IE it is possible to get round it.

    Posted 26 Oct 2007 at 10:31 am
  5. Bipin 3~ Upadhyay wrote:

    @Mat:
    Just to add to what Gareth said, you can use “security=restricted” parameter to bypass it in IE.
    http://crypto.stanford.edu/framebust/

    Posted 27 Oct 2007 at 8:58 am
  6. Sreekanth wrote:

    Great brief. I am a beginner and did not know all these things could be done.

    Posted 24 Sep 2008 at 6:09 am
  7. Bruce wrote:

    I’m sorry but your iframes rant is pretty much all hogwash. You should stop with the spreading of this type of misinformation. All of those scenarios are quite childish and don’t in any case define any real security threat. In fact all of the scenarios can be attempted with just straight html. There are millions of iframes in use today. There is no evidence that they are a heightened security risk.

    Posted 15 Jan 2009 at 6:00 pm
  8. Gareth Heyes wrote:

    @Bruce LOL are you an advertising network by any chance? If not, explain why it is hogwash with some detailed examples.

    Posted 15 Jan 2009 at 6:08 pm
  9. Gunner wrote:

    I’m debating the use of iframes and security is my main concern. The iframe would reference other pages at our site not external pages. But I’m trying to figure out how using iframes on my site is a security risk. It seems that iframes themselves do not have security flaws. How would someone exploit an iframe on my site if my site is not compromised and I clean all user input of any html so they cannot inject an iframe. It seems to me some other aspect of a website has to fail before an iframe can be used in a malicious way. And in those cases it is not the site’s iframes that are used, but iframes created by the attacker. Is there something I’m missing? I appreciate the article, just trying to make sure I understand iframes.

    Posted 09 Feb 2009 at 10:28 pm
  10. Gareth Heyes wrote:

    @Gunner

    The use of iframes on your web site is not a security risk as long as you are not referencing external sites.

    The point of this article was to highlight how iframes and their functionality can be used in ways which weren’t intended.

    Posted 10 Feb 2009 at 12:08 am
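
Added example, not part of the original post or its comments: the frame-busting script discussed in comments 3 to 5 only works when script runs inside the framed page, which is why IE's security=restricted attribute defeats it. The check below instead reads the X-Frame-Options and Content-Security-Policy frame-ancestors response headers, which the browser enforces without script. The function names, the sample header and the .test hosts are constructed for illustration, and only one embedding origin and one CSP header are handled.

```javascript
// Added example: can `embedderOrigin` render `pageUrl` in a frame, judging only
// by the response headers? Function names and sample values are constructed.
// Match one CSP frame-ancestors source expression against the embedding origin.
function sourceAllows(source, embedder, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return embedder.origin === self.origin;
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embedder.protocol === s; // e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+))?$/.exec(s);
  if (!m) return false; // unrecognised source form: treated as no match
  const [, scheme, wild, host, port] = m;
  // Simplification: a scheme-less host is matched using the page's own scheme.
  const base = `${scheme || self.protocol.slice(0, -1)}://${host}`;
  const want = new URL(port ? `${base}:${port}` : base);
  const hostOk = wild
    ? embedder.hostname.endsWith("." + want.hostname)
    : embedder.hostname === want.hostname;
  return hostOk && embedder.protocol === want.protocol && embedder.port === want.port;
}

function canBeFramed(headers, pageUrl, embedderOrigin) {
  const self = new URL(pageUrl);
  const embedder = new URL(embedderOrigin);
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  // When frame-ancestors is present, browsers use it and ignore X-Frame-Options.
  const directive = (h["content-security-policy"] || "")
    .split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    const allowed = directive.slice(1).some((s) => sourceAllows(s, embedder, self));
    return { allowed, decidedBy: "frame-ancestors" };
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, decidedBy: "x-frame-options" };
  if (xfo === "SAMEORIGIN") {
    return { allowed: embedder.origin === self.origin, decidedBy: "x-frame-options" };
  }
  // No header, or a value browsers ignore (such as the obsolete ALLOW-FROM).
  return { allowed: true, decidedBy: "none" };
}

// Constructed sample: only the site itself and one partner may frame the page.
const sampleHeaders = {
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.test",
};
console.log(canBeFramed(sampleHeaders, "https://shop.test/login", "https://evil.test"));
```

A result of allowed: true with decidedBy: "none" means the page relies on script-based frame busting alone, or on nothing.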