Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
iframe/google gadget xss
Posted by: Albino
Date: January 25, 2011 02:03PM

A certain page has

<iframe src="arbitrarypage"></iframe>

Is there any way to use this to XSS the page? I thought I could just access the parent page like alert(top.location) but this doesn't work; it looks like the SOP doesn't allow it. Will it work in any browsers? I swear I've seen <iframe> injection referred to as XSS in the XSS cheatsheet and other places. Yet it seems like this can't be exploited at all (it's non-persistent). I can't even use it for phishing since the iframe size isn't under my control.

(arbitrarypage.html.html has to be a valid url so no src="javascript:eval" etc)



Edited 2 time(s). Last edit at 01/26/2011 08:14AM by Albino.

Options: ReplyQuote
Re: iframe xss
Posted by: PaPPy
Date: January 25, 2011 07:59PM

no onload? onerror?

http://www.xssed.com/archive/author=PaPPy/

Options: ReplyQuote
Re: iframe xss
Posted by: Albino
Date: January 26, 2011 06:53AM

Nope, I can the iframe src any page but it has to be a legitimate URL.

Edit: What I'm triggering is a google gadget preview. Injecting a gadget with the content:

<Module>
<ModulePrefs [edited out]/>
<Content type="url" href="http://mysite.html"/>
</Module>

Causes the code
<iframe src="http://myssite.html>
to appear on the victim website. Maybe there is another attack vector using a different feature of google gadgets; I don't really know anything about them.



Edited 1 time(s). Last edit at 01/26/2011 08:14AM by Albino.

Options: ReplyQuote


Sorry, only registered users may post in this forum.