Using Iframes to inject JavaScript

It was always one of my doubts whether we have any control over a webpage being displayed in an iframe. I used to think it is just a window to the website being shown and my JavaScript can’t access it or modify it. But I never believed it. The same was the case with Android’s WebView component or QtWebView, until I found there is a function which can communicate in between.

Today, when I was surfing the Internet, it just came to my mind: let's write some JavaScript code and show all the cookies. So, I wrote the code to show all cookies in Scratchpad (a Mozilla developer tool to write and execute JavaScript code). As I thought, it displayed all the cookies related to the website I was on and not all the cookies stored in my browser. Then I said that if someone has my add-on installed in his browser, then it is very easy to do this type of stuff. I wished I could install this script on a victim’s website. Obviously that is not possible, but it could be if I use iframes; that way I am on that website. I realised this is XSS, which some of my friends talked about two days back.

Then I searched how to insert scripts in iframes and call them. It was much easier than I thought it would be. I can change anything in that page. Then I changed src to Facebook and nothing showed up, and the same happened with Google. After searching about this, I found out that they set x-frame-options to deny in their response header. The DOM people have no power over manipulation of response headers.

Browsers implement this in order to prevent the attacks I was trying to do. The famous attack using this is Clickjacking, in which the hacker or spammer shows the original website under a transparent layer of their own. The user actually clicks the transparent layer, not the legitimate website in the iframe, and thus runs the hacker’s script. Facebook has been a big victim of it; the attack there is known as Likejacking. I didn’t research it more, but they have implemented a double-check process which is not very reliable. So, your security depends more on your common sense.

The conclusion is that you can’t breach Google’s security but can hack other websites which do not use x-frame-options in their response header. Better use it on your website.
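One way to check whether a site sends the header discussed above, as an added example (not code from the original post): the function classifies a response's headers, and goes slightly beyond the post by also reading the CSP `frame-ancestors` directive, which current browsers honour in preference to X-Frame-Options. The function names, hosts and header sets are constructed for illustration.

```javascript
// Added example: classify how a response restricts being framed.
// `headers` is a plain object (header name -> value).
function framingPolicy(headers) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }

  // A CSP frame-ancestors directive takes precedence over X-Frame-Options.
  for (const directive of (h['content-security-policy'] || '').split(';')) {
    const [name, ...sources] = directive.trim().toLowerCase().split(/\s+/);
    if (name !== 'frame-ancestors') continue;
    if (sources.length === 0 || sources.join(' ') === "'none'") return 'deny';
    if (sources.join(' ') === "'self'") return 'sameorigin';
    return sources.includes('*') ? 'unprotected' : 'allowlist';
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'deny';
  if (xfo === 'SAMEORIGIN') return 'sameorigin';
  // Header missing, obsolete ALLOW-FROM, or an unrecognised value:
  // report it as unprotected so the audit errs on the safe side.
  return 'unprotected';
}

// Return the URLs whose responses any site could embed in an iframe.
function frameableUrls(responses) {
  return responses
    .filter((r) => framingPolicy(r.headers) === 'unprotected')
    .map((r) => r.url);
}

// Constructed sample responses (hypothetical hosts and header sets).
const sampleResponses = [
  { url: 'https://a.example/', headers: { 'X-Frame-Options': 'deny' } },
  { url: 'https://b.example/', headers: { 'x-frame-options': 'SAMEORIGIN' } },
  { url: 'https://c.example/', headers: { 'Content-Type': 'text/html' } },
  { url: 'https://d.example/', headers: { 'X-Frame-Options': 'ALLOW-FROM https://x.example' } },
  { url: 'https://e.example/', headers: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" } },
  { url: 'https://f.example/', headers: { 'Content-Security-Policy': 'frame-ancestors https://partner.example', 'X-Frame-Options': 'DENY' } },
];

console.log(frameableUrls(sampleResponses));
```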

For any help on trying it out, mail us at namaste@gawds.in

Helpful Links:

http://www.tutorialspoint.com/javascript/javascript_cookies.htm

http://stackoverflow.com/questions/18369410/how-to-add-javascript-code-into-existing-iframe-using-jquery

https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

http://stackoverflow.com/questions/220231/accessing-the-web-pages-http-headers-in-javascript

http://research.zscaler.com/2012/01/example-of-likejacking-facebook.html

http://stackoverflow.com/questions/8524449/google-homepage-will-not-load-in-an-iframe

http://madskristensen.net/post/Iframe-cross-domain-JavaScript-calls

PS: This is totally an educational post and is intended for letting people know about Clickjacking attacks.