Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

iframe and window.open magic - 1417

Huli, posted 1 year ago
  • An iFrame tag is used to bring other web pages into your own. Some pages restrict this (to prevent clickjacking and phishing, among other things), but it can be awesome for developers. The src attribute holds the location of the page. Placing a javascript: URI there can lead to XSS, as it can in forms and anchor tags.
  • Interestingly, the data used in the URI can be HTML encoded and will still render as we want. When using data: URIs here the code can be executed but it's executed on the null origin. To prevent attacks on the URLs, a developer can restrict the domain to only contain http/s: in it. Still, redirects can be made from the page.
  • Cross origin pages normally cannot access the page. However, there is some data still accessible. The only callable functions are focus, blur and postMessage. There are also readable properties like frames, top, opener, parent and others. Additionally, the location.href property is writable.
  • iFrame has a srcdoc attribute as well. It's similar to the src but the iFrame will take in data for the doc and share the same origin as the original page. These can be HTML encoded as much as you want as well.
  • Iframes have a sandbox property which is off by default. If just "sandbox" is used then all restrictions apply, and individual capabilities can be re-enabled with explicit flags. There are several flags that change how the upper layer can be redirected. There are some function-related ones, like allow-downloads.
  • allow-popups allows window.open() to be called in order to open new pages, but this page is still sandboxed. Adding allow-modals allows for the escaping of the sandbox on calls with a null origin. allow-popups-to-escape-sandbox will remove the sandbox on popped windows.
  • allow-same-origin sets the origin to non-null: the frame keeps the original origin of the call instead of a unique origin with separate cookies. allow-scripts allows JavaScript to be executed within the frame. There is also a CSP sandbox directive that has the same effect as the iFrame attribute.
  • window.open has three parameters. URL is the obvious one. The second one is the name of the window. If a window with that name already exists, the call returns a reference to that existing window instead of opening a new one.
  • There are six ways to generate named windows: anchors, forms, iframes, object tags, embed tags, and window.open.
  • There are some other details on detecting page loading and other things. Overall, just a great reference for iframe protections and windows in the browser.
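Two of the points above, that a javascript: URI in src survives HTML entity encoding and that certain sandbox flags weaken the sandbox, lend themselves to a defensive check. The following Node.js snippet is an added example, not code from Huli's post or from this page; the function names, the entity subset and the default base URL are this example's own choices.

```javascript
// Added example: defensive checks for an untrusted iframe src value and for
// a sandbox attribute. decodeHtmlEntities, isSafeFrameSrc and sandboxWarnings
// are names chosen for this example, not browser or library APIs.

// Subset of named entities that can be used to disguise "javascript:".
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
                         colon: ':', sol: '/', Tab: '\t', NewLine: '\n' };

// Attribute values are entity-decoded before the URL parser sees them, so
// "&#106;avascript:" and "javascript:" are the same thing to the browser.
function decodeHtmlEntities(value) {
  return value.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return cp > 0x10ffff ? match : String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body)
      ? NAMED_ENTITIES[body] : match;
  });
}

// The URL parser strips leading/trailing C0 controls and spaces and removes
// tab/newline anywhere, so "  java\tscript:" still ends up as javascript:.
function normalizeUrlInput(raw) {
  return decodeHtmlEntities(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// Accept a src only if it resolves (against the embedding page) to http(s).
// The default base is a constructed placeholder; use the real page origin.
function isSafeFrameSrc(raw, base = 'https://app.example/') {
  let url;
  try { url = new URL(normalizeUrlInput(raw), base); } catch { return false; }
  return url.protocol === 'http:' || url.protocol === 'https:';
}

// Flag sandbox token combinations that hand capabilities back to the frame.
function sandboxWarnings(sandboxAttr) {
  const tokens = new Set(sandboxAttr.trim().toLowerCase().split(/\s+/).filter(Boolean));
  const warnings = [];
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    // The HTML spec itself warns that same-origin content can then remove the sandbox.
    warnings.push('allow-scripts + allow-same-origin: same-origin content can drop the sandbox');
  }
  if (tokens.has('allow-popups-to-escape-sandbox')) {
    warnings.push('allow-popups-to-escape-sandbox: popped windows are not sandboxed');
  }
  return warnings;
}
```

An accepted http(s) URL can still redirect elsewhere, as the notes above point out, so this check limits the scheme and nothing more.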