Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
XSS via child document?
Posted by: cr101
Date: July 31, 2012 03:52PM

I can embed an iframe in a website, but I can't point it to anything along the lines of "javascript:alert(1)". Is there a page I can build that can run javascript in the context of the parent document? SOP prevents me from directly accessing things like parent.document. Any ideas?

Options: ReplyQuote
Re: XSS via child document?
Posted by: Albino
Date: August 12, 2012 01:31PM

There isn't much you can do in this situation. You can redirect the page, and if the parent uses X-Frame-Options: SAMEORIGIN then you bypass that and launch UI-redressing attacks; see http://www.skeletonscribe.net/2012/06/x-frame-options-sameorigin-warning.html

-------------------------------------------------------
Research blog

Options: ReplyQuote


Sorry, only registered users may post in this forum.