Injection attacks (Part 2)

iFrame injection and Clickjacking

iFrame refers to an inline frame; it is used to embed one HTML document into another HTML document. Keep on reading, I will show you how to do that.

1) If we look at the URL we can see that the height and width parameters are both 250.



2) Let's play with them.


Changing these figures, we can see the effect on the screen. The window shrinks to the size we gave it.


Let's bake some code now. Not a coder? I will bake it for you.

A simple HTML page that pulls the website into the iFrame I have embedded in my code.


Save the above code with a .html extension and open it in a browser. We see that the target site is loaded inside an iframe on a new HTML page whose title is "iframe".

Now let's steal a few clicks.

Below is a normal looking page for a website offering free movies, everyone wants FREE movies.


Now we have another page to book tickets.


Now let's bake some code again.


The purpose of the above code is to embed both frames on top of each other. Below is the output.


I have changed the transparency and size of the two so that you can see them clearly. We have two Confirm buttons, and we will adjust them to overlap each other.


Now the Confirm buttons overlap. If we click the Confirm button to get free movies, we will unknowingly be clicking the button on the other page. An attacker will make the page fully transparent so that the victim cannot see the other page at all; I have kept the opacity at 70% here for understanding.

Now let's click and see the magic.


See that your stolen click has actually booked 10 movie tickets.

Now that you know how much damage this can cause, I will provide the remediation as well. I don't want users to be afraid every time they click.


  • Frame bursting
  • Double frame bursting
  • X-Frame-Options

The first two are client-side techniques that stop the webpage from being loaded inside an iFrame. We will focus on the X-Frame-Options header.

X-Frame-Options is set in the response header of the webpage and tells the browser whether or not it may load the page inside a frame.

It takes one of several directives.

X-Frame-Options: SAMEORIGIN

The page can only be displayed in a frame on the same origin as the page itself.

X-Frame-Options: ALLOW-FROM uri

The page can only be displayed in a frame on the specified origin. This directive is obsolete and modern browsers ignore it, so it cannot be relied on; the Content-Security-Policy frame-ancestors directive is the current way to allow specific origins.

X-Frame-options: DENY

The page cannot be displayed in a frame at all, regardless of which site attempts to do so.
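To audit whether a page such as the ticket-booking site above is actually protected, here is a small Python checker (an added example, not code from the original post) that classifies a response's X-Frame-Options value and its Content-Security-Policy frame-ancestors directive the way browsers treat them; the header sets at the bottom are constructed samples, so it runs without network access.

```python
# Added example: classify clickjacking protection from response headers.
# The header sets in __main__ are constructed samples, not real responses.
from typing import Dict, List, Optional, Tuple

VALID_XFO = ("DENY", "SAMEORIGIN")


def xfo_verdict(value: Optional[str]) -> str:
    """Classify an X-Frame-Options value as browsers treat it."""
    if value is None:
        return "missing"
    v = value.strip().upper()
    if v in VALID_XFO:
        return v.lower()
    if v.startswith("ALLOW-FROM"):
        # Obsolete directive: modern browsers ignore it, so no protection.
        return "allow-from (obsolete, ignored)"
    return "invalid (ignored)"


def frame_ancestors(csp: Optional[str]) -> Optional[List[str]]:
    """Return the source list of a CSP frame-ancestors directive, or None."""
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def assess(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return ('protected' | 'unprotected', reason) for one response.

    frame-ancestors takes precedence over X-Frame-Options in browsers that
    support CSP, so it is evaluated first. Header names are case-insensitive.
    """
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy"))
    if sources is not None:
        # '*' or a bare scheme lets any origin frame the page.
        if any(s in ("*", "http:", "https:") for s in sources):
            return "unprotected", "frame-ancestors allows any origin"
        return "protected", "frame-ancestors " + (" ".join(sources) or "(empty)")
    verdict = xfo_verdict(h.get("x-frame-options"))
    if verdict in ("deny", "sameorigin"):
        return "protected", "X-Frame-Options: " + verdict
    return "unprotected", "X-Frame-Options " + verdict


if __name__ == "__main__":
    samples = {
        "ticket booking": {"X-Frame-Options": "SAMEORIGIN"},
        "free movies": {},
        "legacy": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
    }
    for name, hdrs in samples.items():
        print(name, assess(hdrs))
```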


