{"id":54,"date":"2007-09-10T15:22:13","date_gmt":"2007-09-10T10:22:13","guid":{"rendered":"http:\/\/codeinmybug.wordpress.com\/2007\/09\/10\/iframes-to-be-or-not-to-be\/"},"modified":"2008-05-07T15:12:49","modified_gmt":"2008-05-07T09:42:49","slug":"iframes-to-be-or-not-to-be","status":"publish","type":"post","link":"https:\/\/projectbee.org\/blog\/archive\/iframes-to-be-or-not-to-be\/","title":{"rendered":"IFrames – To be or not to be?"},"content":{"rendered":"

Update:<\/strong> Aah. It’s not that there couldn’t have been any better news :P, but today’s News is that Ma1 has agreed to provide feature to block frames through NoScript from the next version (1.1.7). NoScripts Rocks<\/a>. \ud83d\ude42
\nOh and Yes! Ma1 Rocks too …;)<\/span><\/p>\n

I have been pretty busy since the last few weeks (and this trend is likely to continue for the coming weeks). Thus, my posts have been more of “news-flashes”. Apologies for that. I’ve now decided to blog about things\/technologies I am working on. (Expect some write-ups on security scanners like w3af and code auditing tools like LAPSE.) However, I couldn’t stop myself from putting forward this debate on IFrames. First, let’s see what are the *evil* things that IFrames can do for… *cough*… you<\/p>\n

CASE-I<\/strong>
\nA couple of days ago, Bank of India site was compromised<\/a>. It was serving malwares to the visitors. This was done by “drive-by downloads<\/a>“. The criminals were (invisible) IFRAMES.<\/p>\n

CASE-II<\/strong>
\nI hope most of you are aware how dangerous Javascript can be. Of course, I am referring to XSS attacks. However, the recent research, notably from Jeremiah Grossman, RSnake <\/a>and Gareth Hayes<\/a>, showed another shockingly dark side of XSS with CSS (yes, Cascading Style Sheets \ud83d\ude42 ). The criminals here are IFrames, visited attribute, etc.<\/p>\n

CASE-III<\/strong>
\nGareth also gave a proof of concept on his blog to perform CSRF using CSS<\/a>, even when Javascript is disabled. He (very wisely) used CSS to change the LOOK and FEEL of a Submit button to a link. Now, when a *smart* user is surfing the web with javascript disabled, he’d not worry about clicking a link, and may end up clicking on the *link* to submit the form.<\/p>\n

CASE-IV<\/strong>
\nYou decide… :).
\nI have anyways left some other known issues<\/a>, I think.<\/p>\n

Gareth has been preaching the evil nature of IFrames for quite some time now. Yesterday, he made a new entry titled “IFRAMES ARE EVIL<\/a>” on his blog. He suggested using some attributes\/tags to disable\/enable iframes etc. Iframes have been on my mind for quite some time. I believe that Content Restriction, once introduced, can solve a number of issues. Till then, I believe, Maone’s NoScript can come to the rescue by proving optional feature to disable iframes. I know, this is definitely not a attractive suggestion, but who knew we’d have to browse with Javascript disabled!<\/p>\n

Moreover, I thought it’d be a good opportunity to see what other researchers have to say about it. So, I posted it to the Slackers forum<\/a>. I am watching keenly. \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"

Update: Aah. It’s not that there couldn’t have been any better news :P, but today’s News is that Ma1 has agreed to provide feature to block frames through NoScript from the next version (1.1.7). NoScripts Rocks. \ud83d\ude42 Oh and Yes! Ma1 Rocks too …;) I have been pretty busy since the last few weeks (and … <\/p>\n

Continue reading “IFrames – To be or not to be?”<\/span><\/a><\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[9,12,24,25,33,38,168,167,57],"tags":[27,41],"class_list":["post-54","post","type-post","status-publish","format-standard","hentry","category-bug","category-csrf","category-hack","category-hackers","category-loophole","category-news","category-security","category-webappsec","category-xss","tag-iframe","tag-noscript"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pf2XR-S","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/projectbee.org\/blog\/wp-json\/wp\/v2\/posts\/54","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/projectbee.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/projectbee.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/projectbee.org\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/projectbee.org\/blog\/wp-json\/wp\/v2\/comments?post=54"}],"version-history":[{"count":0,"href":"https:\/\/projectbee.org\/blog\/wp-json\/wp\/v2\/posts\/54\/revisions"}],"wp:attachment":[{"href":"https:\/\/projectbee.org\/blog\/wp-json\/wp\/v2\/media?parent=54"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/projectbee.org\/blog\/wp-json\/wp\/v2\/categories?post=54"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/projectbee.org\/blog\/wp-json\/wp\/v2\/tags?post=54"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}