Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
Cascading up iframes across domains
Posted by: adamN
Date: April 14, 2009 12:22PM

Does anybody have a link to either a theoretical discussion or general issues surrounding the fact that an iframe busting technique like this works (from within an iframe):

if (window.top !== window.self) {
    setTimeout(function () { document.body.innerHTML = ''; }, 1);
    window.self.onload = function (evt) { document.body.innerHTML = ''; };
}

But this does not:

var1 = window.top.href;
document.write(var1);

Are operators allowed but getting variables outside scope not? I'm trying to do a few things. One is to grab the HTML outside of a cross domain iframe, the other is to prevent that grabbing, and the third is to prevent the framebusting technique mentioned above from outside the iframe.

This article is interesting so far:

http://coderrr.wordpress.com/2009/02/13/preventing-frame-busting-and-click-jacking-ui-redressing/

Re: Cascading up iframes across domains
Posted by: Kyo
Date: April 14, 2009 02:57PM

Well, I'm not an expert on the subject, but the frame control options are definitely limited when cross-domain. I guess getting the href could be potentially harmful because of sessions and whatnot. If a "href" even exists.

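The distinction asked about in this thread, as an added example that is not part of the original posts: comparing `window.top` with `window.self` only tests object identity, while reading a member of a cross-origin window is refused. The `crossOriginView` proxy, the helper names, the sample windows and `parent.example` are constructed stand-ins for browser behaviour so the script runs under Node.

```javascript
// Members a script may reach on a Window from another origin (HTML Standard allowlist).
const CROSS_ORIGIN_WINDOW_PROPS = new Set([
  'window', 'self', 'location', 'close', 'closed', 'focus', 'blur',
  'frames', 'length', 'top', 'opener', 'parent', 'postMessage',
]);

function securityError(what) {
  const err = new Error(`Blocked cross-origin read of ${what}`);
  err.name = 'SecurityError';
  return err;
}

// Hypothetical helper: how a window-like object looks to a script from another origin.
function crossOriginView(realWindow) {
  // Simplification: every read on a cross-origin Location throws.
  const lockedLocation = new Proxy({}, {
    get(_target, prop) { throw securityError(`location.${String(prop)}`); },
  });
  return new Proxy(realWindow, {
    get(target, prop) {
      if (prop === 'location') return lockedLocation;
      if (CROSS_ORIGIN_WINDOW_PROPS.has(prop)) return target[prop];
      throw securityError(`window.${String(prop)}`);
    },
  });
}

// Identity comparison never reads the parent's state, so it is always permitted.
function classifyFraming(win) {
  if (win.top === win.self) return 'top-level';
  try {
    void win.top.location.href; // readable only when the parent is same-origin
    return 'framed-same-origin';
  } catch (e) {
    if (e.name === 'SecurityError') return 'framed-cross-origin';
    throw e;
  }
}

// Returns the value read, or the name of the error the read raised.
function tryRead(read) {
  try { return read(); } catch (e) { return e.name; }
}

// Constructed sample windows (parent.example is a placeholder origin).
const parentPage = { location: { href: 'https://parent.example/account' }, document: {} };
parentPage.self = parentPage.top = parentPage;
function frameWith(top) { const f = { top }; f.self = f; return f; }
const sameOriginFrame = frameWith(parentPage);
const crossOriginFrame = frameWith(crossOriginView(parentPage));
```

In this model `top.href` is `undefined` even for a same-origin parent, because the URL is exposed at `location.href`; across origins both `top.href` and `top.document` raise `SecurityError`.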