iframe

Overview

The <iframe> tag is used to embed an HTML document in another HTML document. If the source of the inserted document is located on another origin, the same origin policy will block any access to the content of the other document for both of them.

Open redirect

Child documents can view and set location property for parents, even if cross-origin top.window.location.

For example, if vulnerable-website.com contains the following iframe:

<iframe src=//malicious-website.com/toplevel.html></iframe>

where https://malicious-website.com/toplevel.html is:

<html><head></head><body><script>top.window.location = "https://malicious-website.com/pwned.html"</script></body></html>

when the iframe is loaded, the parent will be redirected to the https://malware-website.com/pwned.html page, even if the child document is loaded from a different origin. In this case, the same origin policy will be bypassed because the iframe is not being "sandboxed", check out the sandbox iframe attribute.

References:

<meta> and <iframe> tags chained to SSRF

Previousbase Nextlink

Last updated 9 months ago