XSS via child document?

Cenzic 232 Patent

Paid Advertising

sla.ckers.org is
ha.ckers sla.cking

Q and A for any cross site scripting information. Feel free to ask away.

Go to Topic: Previous•Next

Go to: Forum List•Message List•New Topic•Search•Log In

XSS via child document?

Posted by: cr101

Date: July 31, 2012 03:52PM

I can embed an iframe in a website, but I can't point it to anything along the lines of "javascript:alert(1)". Is there a page I can build that can run javascript in the context of the parent document? SOP prevents me from directly accessing things like parent.document. Any ideas?

Options: Reply•Quote

Re: XSS via child document?

Posted by: Albino

Date: August 12, 2012 01:31PM

There isn't much you can do in this situation. You can redirect the page, and if the parent uses X-Frame-Options: SAMEORIGIN then you bypass that and launch UI-redressing attacks; see http://www.skeletonscribe.net/2012/06/x-frame-options-sameorigin-warning.html

-------------------------------------------------------
Research blog

Options: Reply•Quote

Go to: Forum List•Message List•Search•Log In

Sorry, only registered users may post in this forum.

Click here to login