Hi there all,

i haven't showed myself lately

and I hope my english is readable grammar isn't one of my strongest points ;p

but I came up with something wich might already has been used or
already has been tought about.
Anyway I don't know so I just trow it here to see wether I get some response :).

its about the iFrame bursting thing.

How well can this be used the bad way? I know it is used to burst out of iframe
inclusion.

so for example, we get a user to enter a xss hole in any form normaly if we want to keep controll over that person it is likely to setup an iframe and cover up the whole page so no one notice it.

tho the problem here is that still in the url bar the path if the user is moving to another page dosn't change..

well we could actually transfer our "shell/payload" into the iframe and with it we could send the iframeburst wich will lead to the actual page so also the user url page is changed.

i'm also researching crossdomain option. but i recently started this so i don't have that mutch info about it.

did anyone already came up with such a technique?


yours spoof

about the cross domain thing.

i don't think it is possible becouse you have to inject code into another site wich you do not have acces to. wich is a good thing ofcourse.

i'm still testing tho



Edited 1 time(s). Last edit at 06/01/2010 04:59PM by SpoofGhost.

What about beef?

http://www.xssed.com/archive/author=PaPPy/

If you have found xss in a page, you could use frame bursting code to redirect the person to your page.

At least for me, it is the owner of the page that put the frame burst code in his own page, so (among other things) this make difficult for the attacker to execute a propper and silent xss. Because if that page is loaded inside an iframe, the browser will burst out of the iframe before execute the actual js code you injected. Check my other thread here in this forum I had exactly that problem. I found javascript codes for anti bursting, they work, but after the execution of the javascript anti bursting code, the loading of the page gets aborted, so its not useful for xss.

@ pappy, not sure if they use such a technique and i'm also not quite sure if i can mange to work. but if i do it would be quite a flaw. at first i tought it would work but that seems not the case so i have to figuere out if it is possible at all.
in some cases i'm sure it would be if you are able, like for example a page where you already know that a presistend xss bug exists in that case you can just post it to that page afther that you can let it explode the frame.



@ ne0139.

that isn't exactly what i was talking about.
Its more like exploiting the frame bursting code rather then stopping the frame burst. The thing i'm trying to get accomplished is to let the frame burst afther i injected code to the desired page, so the URL bar is getting update wich would be great for stealth ofcourse alot of people would not get suspicous if they see in the URL bar www.somesite.com/page1 even tho they clicked a link to /page2.
anyway it would be alot nicer if there where actually standing /page2
that why they could never see unless they know the source code and see that it is diffrent then usual.. even so it's hard to know for common i-net users.