[Owasp-testing] Frame Hijacking

Luca.carettoni luca.carettoni at ikkisoft.com
Tue Aug 19 09:28:07 EDT 2008


Hi George,
As far as I know, XSS is just one of the possible attack vectors.

For instance, I was thinking about exploiting a trivial frame hijacking where XSS is not required.

The layout of a webapp uses named frames (name attribute in the HTML FRAME tag); if a user could be coerced into following a malicious link, 
an attacker could control the frame content.
<a href="http://blablablabla/" target="NAME_ATTRIB">New Content Frame</a>
The exploitability of this issue depends on the user's browser. In IE7, it works even if I use two windows of the same instance.

The best source regarding frame policies and security is http://crypto.stanford.edu/websec/frames/navigation/

Bye,
Luca "ikki"

-----Original message-----
From: gsiere at comcast.net
Date: Tue, 19 Aug 2008 14:04:55 +0200
To: "'Luca.carettoni'" luca.carettoni at ikkisoft.com
Subject: RE: [Owasp-testing] Frame Hijacking

> Ikki,
> 
> Good catch, and this is actually a new one on me;
> 
> Help me out here - in order to conduct a frame hijack, (depending on the
> security policy/settings of the specific browser) the parent page (or
> another frame) would have to have an XSS vulnerability that enables you to
> point the hijacked frame to a new location, right?
> 
> This wouldn't work across two instances of a browser, would it? Browser 1
> updating location of a frame on a page in browser 2?  
> 
> The explanation I found was that "a malicious page navigates an iframe on a
> legitimate site to malicious content".  Just trying to figure out the
> mechanics of how that would work, and the best I can think of is an XSS on
> the legitimate site. Am I wrong? Are there better exploit mechanisms?
> 
> Thanks,
> -George
> 
> -----Original Message-----
> From: owasp-testing-bounces at lists.owasp.org
> [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Luca.carettoni
> Sent: Tuesday, August 19, 2008 5:33 AM
> To: Owasp-testing at lists.owasp.org
> Subject: [Owasp-testing] Frame Hijacking
> 
> Hi folks,
> I am aware that you are going to close the OWASP Testing Guide
> within this month but I have just noticed a small lack.
> I was not able to find any reference regarding Frame Hijacking (e.g. via
> named frames).
> 
> From the technical point of view, how do you evaluate this vulnerability in
> terms of impact?
> This flaw can be used to facilitate phishing traps, however I'm wondering if
> it should be considered as a departure from best practice or a "real" flaw. 
> I'm looking forward to receiving your comments.
> 
> Since I am probably late, it could be a reminder for the next testing guide
> :)
> 
> Cheers,
> Luca "ikki" 
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
> 
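
A check a tester could run over page source for the condition discussed in this thread: frames with fixed `name` attributes that a link's `target` attribute can address. This is an added example, not code from the thread; the sample markup and the class and function names are constructed for illustration. As the reply notes, exploitability depends on the browser, so each finding is a candidate for manual testing, not a confirmed flaw.

```python
from html.parser import HTMLParser

# Constructed sample page: a frameset layout that uses fixed frame names.
SAMPLE_HTML = """
<html><frameset cols="20%,80%">
  <frame name="menu" src="/menu.html">
  <frame name="content" src="/home.html">
  <frame src="/banner.html">
</frameset>
<body><iframe name="" src="/ads.html"></iframe>
<a href="/news.html" target="content">News</a>
<a href="/help.html" target="_blank">Help</a></body></html>
"""

# Reserved browsing-context keywords are not frame names.
RESERVED = {"_blank", "_self", "_parent", "_top"}

class FrameNameAudit(HTMLParser):
    """Collects named frames and the target names used by the page itself."""
    def __init__(self):
        super().__init__()
        self.named_frames = {}   # frame name -> src
        self.targets = set()     # non-reserved target= values

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("frame", "iframe"):
            name = (a.get("name") or "").strip()
            if name:  # unnamed frames cannot be addressed by name
                self.named_frames[name] = a.get("src") or ""
        elif tag in ("a", "form", "area", "base"):
            target = (a.get("target") or "").strip()
            if target and target.lower() not in RESERVED:
                self.targets.add(target)

def audit_named_frames(html):
    """Return one finding per named frame, sorted by frame name."""
    parser = FrameNameAudit()
    parser.feed(html)
    parser.close()
    return [{"name": n, "src": s, "used_as_target": n in parser.targets}
            for n, s in sorted(parser.named_frames.items())]

if __name__ == "__main__":
    for finding in audit_named_frames(SAMPLE_HTML):
        print(finding)
```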

