IFrames security summary

I’ve decided to collect the various proofs of concept I’ve done and summarise why iframes are a security risk. Here are the top reasons:-

1. Browser cross domain exploits

Description:-
Because you can embed another web site inside your page, you can exploit that page and perform actions as the visiting user, doing anything on a chosen web site.

Proof of concept:-
Safari beta 3.03 zero day

2. XSS/CSRF reflection attacks

Description:-
Using iframes embedded in a compromised site, an attacker can reflect attacks to other servers, which makes the attacks difficult to trace and gives the attacker a focal point from which to conduct them.

Proof of concept:-
None available for this type of attack as it would be difficult to show the method without actually conducting an attack.

3. CSS and iframes can scan your LAN from the internet!

Description:-
By exploiting features in CSS and using iframes to check if the default IP address exists, it’s possible to get your network address range quite easily, provided the network device uses its default out-of-the-box IP address.

Proof of concept:-
CSS LAN scanner

4. LAN scanning with Javascript and iframes

Description:-
Using a similar method to the one above, it is possible to gain your LAN information using Javascript.

Proof of concept:-
Javascript LAN scanner

5. CSS iframe overlays

Description:-
Iframes can be embedded inside each other in Firefox and you can alter their appearance to create seamless overlays with any site. This would make it very difficult for a user to know which site they are interacting with and could fool them into performing an action.

Proof of concept:-
Verisign OpenID exploit (now fixed)

6. URL redirection

Description:-
Iframes also allow you to perform redirection so you can have access to URLs which normally wouldn’t be accessible. In the delicious example, the POC redirects from delicious/home to your account bookmarks and then uses CSS overlays to display your first bookmark. Firefox and a delicious account are required for the POC.

Proof of concept:-
Delicious CSS overlay/Redirection

10 Responses to “IFrames security summary”

  1. Marco Ramilli writes:

    Yep, great brief Gareth.
    Thanks.

  2. Gareth Heyes writes:

    Thanks Marco :)

  3. mat writes:

    Is a simple script like this one a good protection against iframe attacks:

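    <script type="text/javascript">
    // If this page is not the top-level window it is being framed,
    // so navigate the top window to this page's own URL.
    if (top != self)
        top.location.href = location.href;
    </script>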

    Thanks.

  4. Gareth Heyes writes:

    Yep actually I do recommend that on my blog. Only downside is that with IE it is possible to get round it.

  5. Bipin 3~ Upadhyay writes:

    @Mat:
    Just to add to what Gareth said, you can use “security=restricted” parameter to bypass it in IE.
    http://crypto.stanford.edu/framebust/
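
Comments 3 to 5 above discuss a script-based frame buster and a way round it in IE. The browser-enforced alternative is for the server to declare who may frame a page through the `X-Frame-Options` header or the CSP `frame-ancestors` directive. The following is an added example that goes beyond the thread and is not code from the original post or its commenters; it classifies a response's framing policy from its headers, and the function names and sample headers are constructed for illustration.

```javascript
// Added example: classify who is allowed to frame a response, based on the
// headers the browser itself enforces. Names here are hypothetical.

// Return the frame-ancestors source list from a CSP header value, or null
// when the directive is absent. The first occurrence of a directive wins.
function frameAncestors(csp) {
  for (const directive of String(csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") {
      return sources.map((s) => s.toLowerCase());
    }
  }
  return null;
}

// Result is one of: "none", "same-origin", "allowlist", "anyone".
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // When frame-ancestors is present it is enforced and X-Frame-Options is ignored.
  const fa = frameAncestors(h["content-security-policy"]);
  if (fa !== null) {
    // An empty source list matches no ancestor, the same as 'none'.
    if (fa.length === 0 || (fa.length === 1 && fa[0] === "'none'")) return "none";
    if (fa.includes("*")) return "anyone";
    if (fa.every((s) => s === "'self'")) return "same-origin";
    return "allowlist"; // specific origins or schemes; review each entry
  }

  // Only DENY and SAMEORIGIN are honoured; the obsolete ALLOW-FROM form is
  // ignored by current browsers, so it gives no protection.
  const xfo = String(h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "none";
  if (xfo === "SAMEORIGIN") return "same-origin";
  return "anyone";
}

// Constructed sample responses, not captured from any real site.
const samples = [
  { "Content-Type": "text/html" },
  { "X-Frame-Options": "SAMEORIGIN" },
  { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
];
for (const s of samples) console.log(JSON.stringify(s), "->", framingPolicy(s));
```

A page that reports "anyone" relies entirely on in-page script to resist framing.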

  6. Sreekanth writes:

    Great brief. I am a beginner and did not know all these things could be done.

  7. Bruce writes:

    I’m sorry but your iframes rant is pretty much all hogwash. You should stop with the spreading of this type of misinformation. All of those scenarios are quite childish and don’t in any case define any real security threat. In fact all of the scenarios can be attempted with just straight html. There are millions of iframes in use today. There is no evidence that they are a heightened security risk.

  8. Gareth Heyes writes:

    @Bruce LOL are you an advertising network by any chance? If not explain why it is hogwash with some detailed examples.

  9. Gunner writes:

    I’m debating the use of iframes and security is my main concern. The iframe would reference other pages at our site, not external pages. But I’m trying to figure out how using iframes on my site is a security risk. It seems that iframes themselves do not have security flaws. How would someone exploit an iframe on my site if my site is not compromised and I clean all user input of any html so they cannot inject an iframe? It seems to me some other aspect of a website has to fail before an iframe can be used in a malicious way. And in those cases it is not the site’s iframes that are used, but iframes created by the attacker. Is there something I’m missing? I appreciate the article, just trying to make sure I understand iframes.

  10. Gareth Heyes writes:

    @Gunner

    The use of iframes on your web site is not a security risk as long as you are not referencing external sites.

    The point of this article was to highlight how iframes and their functionality can be used in ways which weren’t intended