Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Protected JS website Inside Iframe
Posted by: dimgel
Date: July 04, 2007 11:48PM

Hello,

First, great work; I have been reading the blog for the past few days and it is a great resource. Let me get to the point and see if I can get some help; also, I'm not 100% sure this post should be in this category. Here is the thing: I want to place a 3rd party site inside a frame/iframe, but it has a line of JS that doesn't allow me to keep it there; it just jumps to the top when it is loaded. This is the JS code on the site I want to load:

<script type="text/javascript">if(top != self){top.location.replace(self.location.href);}</script>

This is the code I have in my HTML file, which resides on my hosting; let's call it test.html:

<iframe id="myframe" src="http://protectedsite.com"></iframe>

So I was wondering if there is a way to force it or override that so it can be loaded in the "test.html" iframe/frame. Another point is that the site uses other JS functions which I don't want to be overridden. I have been trying to find a solution for a week already, so I'm not coming here without looking first at Google and the forums here, but I haven't found, or maybe I have overlooked, any code posted here previously. I say that because I know it may be annoying to try to help people who don't make a previous effort/research. But I have tried and tried and searched for a workaround with no luck so far, so any help will be appreciated.

Thanks in advance.

Re: Protected JS website Inside Iframe
Posted by: kuza55
Date: July 05, 2007 01:38AM

This only works for IE: http://crypto.stanford.edu/framebust/ but that might be enough for you.

Re: Protected JS website Inside Iframe
Posted by: sirdarckcat
Date: July 05, 2007 02:02AM

You could do this:

<script>
onbeforeunload=new Function("return false");
</script>

that will show a confirmation window.

But the ideal case scenario would be..

<script>
top={};
</script>

anyway, this doesn't work :(

Greetz!!

Re: Protected JS website Inside Iframe
Posted by: ma1
Date: July 05, 2007 08:38AM

<script>
location.replace = function() {}
</script>
Works in IE, but Firefox seems smarter than that... as usual ;)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Protected JS website Inside Iframe
Posted by: dimgel
Date: July 05, 2007 02:06PM

kuza55, sirdarckcat, ma1,

Thanks for the help. I tried those solutions and all of them work in some way, some better than others in different scenarios.

Ex.
/**
This only works for IE: [crypto.stanford.edu] but that might be enough for you.

[This works great on IE, but after you go to another page on the same site it jumps anyway]
**/
/**
<script>
onbeforeunload=new Function("return false");
</script>

[This is great since it works in both FF and IE, but isn't there a way to avoid/override the alert window too?]
**/

/**
<script>
location.replace = function() {}
</script>
Works in IE, but Firefox seems smarter than that... as usual ;)


[Works perfectly in IE; a similar workaround for FF would be great]
**/

As I said before, thanks; this has been a lot of help, since I was looking into this for a week without even a close result.

Anyway, here is another situation. I don't want to abuse your help, so after I explain the next issue, continue reading:

The site has a form, and let's say I want to communicate with it. I have tried using something like

function setText(text2) {
var doc1 = document.getElementById('restricted').contentWindow.document;
doc1.forms[0].email.value = text2;
}
{"restricted has been the name I have given to the iframe with the 3 above solutions"}

but I get an error saying Access Denied. But as I said, I don't want to and will not abuse your help by asking and asking, so basically I need to get this done, but it seems like it is not in my hands, since it will also involve other similar things. So I ask this: is there any Slacker {well versed in DOM, XSS, JS, etc.} who wants some freelance work? I didn't post it in the Jobs section since it is not a job but mainly a task, and I see only serious and permanent jobs there. So if somebody is willing to work, please message me and we can discuss it further to see if we can get something going, or if you know a good place to find help and you feel this is not the right place to do it, let me know and I will remove this comment.

Again thanks for the help.

Code Example
Posted by: dimgel
Date: July 05, 2007 10:14PM

Btw, here is the code I'm using where I get "Access is Denied" when trying to communicate with the form of the 3rd party site loaded in my iframe:

<html>
<head>
<script>
location.replace = function() {}
function setText(text2) {
var doc1 = document.getElementById('restricted').contentWindow.document;
doc1.forms[1].elements['email'].value = text2;
}
</script>
</head>
<body>
<p>
<input id="textfield" type="text" value="myemail@mysite.com" />
<input id="myButton" type="button" value="Change Text" onclick="setText(document.getElementById('textfield').value );" />
</p>
<iframe id="restricted" src="http://protectedsite.com"></iframe>


</body>
</html>

I get the JS error "Access is Denied" because of the cross-domain policy, though.

Any help, or anybody willing to work on this task (paid of course, just let me know how much to see if I can afford it), will be greatly appreciated.

Thanks in advance

Re: Code Example
Posted by: ma1
Date: July 06, 2007 04:48AM

Hrm, looks like you're trying to parasitize a 3rd party site as a spam relay or something.
Nasty...

Looks also like you're looking in the wrong direction.
Reliably breaking the same domain policy in a cross-browser way is quite unfeasible (luckily), because if a means to do that existed it would be immediately marked as a critical security bug.
This forum wouldn't even exist, because universal XSS would be a browser built-in.

If I was a bad guy, I'd try to CSRF the victim form or XSS the page by HTML injection.

But I'm a boyscout :)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Protected JS website Inside Iframe
Posted by: humble
Date: July 31, 2007 10:03AM

"Access is Denied" because Cross Domain policy ...

If the victim site is not a virtual server, why not set up a subdomain of the calling site to resolve to their IP address? Then the 2 different servers will be in the same "domain" as far as script is concerned...

Re: Protected JS website Inside Iframe
Posted by: dimgel
Date: August 04, 2007 09:40PM

Hello humble,

Thanks for the advice. Sorry for my ignorance. If I understood correctly, you meant this: let's say the victim site is victim.com and my site is slacker.com; then I should create a subdomain in slackers.com, let's say killcrossdomain.slackers.com, which will resolve to the victim.com IP address. Is that correct? If so, any advice on how to do that? Sorry again for asking, but I will be able to pay some cash to whoever can help me sort this issue out.

Thanks

Re: Protected JS website Inside Iframe
Posted by: Om
Date: August 14, 2007 07:40AM

I had a very specific question and was about to create a new topic; but looks like I can post the question here.

Jeremiah mentioned Collin Jackson's Anti-Frame Busting Code in IE using "security=restricted". (The link to the article has been provided by Kuza.)

But then that was way back in 2005. Has there been any Anti-Anti-Frame Busting solution to bypass this particular "security=restricted" thingy?

---
I'd love to change the world,
but they won't gimme the source code.
Code in my Bug!

Re: Protected JS website Inside Iframe
Posted by: kuza55
Date: August 14, 2007 08:58PM

I don't think you're going to be able to get past it directly, but something you could do is have some script which, rather than breaking out of the frames, simply detects whether it is inside an iframe (using both the traditional check and checking if you can access the window.top element, in case you are in a restricted frame). Then, if you have determined you are in a frame, simply inform the user that the page is not allowed to be printed in the frame, provide a link with the target set to _top (which won't open it in the calling site, but will rather open it in a new window), and then call the stop(); function to not render the rest of the site.

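The framing check described in the post above, written out as an added example (not code from the thread or from any poster). It goes one step further than the post by keeping the page content hidden until the check passes, so a frame where the check cannot complete shows nothing. The element ids `content`, `framed-notice` and `framed-link`, and the `fakeDoc`/`fakeWindow` stand-ins, are assumptions made for the example.

```javascript
// Added example (not from the thread). Window and document are passed in so
// the logic can be exercised with stand-in objects outside a browser.

// Classify how the page is displayed:
//   "top"        not framed
//   "framed"     window.top is readable and is a different window
//   "restricted" reading or comparing window.top threw
function framingState(win) {
  try {
    return win.top === win.self ? "top" : "framed";
  } catch (e) {
    return "restricted";
  }
}

// Assumed markup (hypothetical ids): #content and #framed-notice both start
// with style="display:none"; #framed-link is an <a> inside the notice.
function applyFramingDefense(win, doc) {
  const state = framingState(win);
  if (state === "top") {
    doc.getElementById("content").style.display = "block";
    return state;
  }
  // Framed or unknown: keep content hidden, offer a way out, stop loading.
  const link = doc.getElementById("framed-link");
  link.href = win.location.href;
  link.target = "_top";
  doc.getElementById("framed-notice").style.display = "block";
  if (typeof win.stop === "function") win.stop();
  return state;
}

// Constructed stand-ins for a browser window/document, for running under Node.
function fakeDoc() {
  const els = {};
  return { getElementById: (id) => (els[id] = els[id] || { style: { display: "none" } }) };
}
function fakeWindow(kind) {
  const win = { location: { href: "https://site.example/account" }, stopped: false };
  win.self = win;
  win.stop = () => { win.stopped = true; };
  if (kind === "top") win.top = win;
  else if (kind === "framed") win.top = { other: true };
  else Object.defineProperty(win, "top", { get() { throw new Error("Access is denied"); } });
  return win;
}
```

Because the content starts hidden, a frame in which script never runs displays nothing. The `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` response headers enforce the same policy in the browser without relying on script in the framed page.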
Re: Protected JS website Inside Iframe
Posted by: Gareth Heyes
Date: August 21, 2007 07:43PM

http://www.businessinfo.co.uk/labs/csrf_defend/iframe_protection.php
