Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-22 12:43:23 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/pentesting-web/iframe-traps.md

48 lines
4.7 KiB
Markdown
Raw Normal View History

GITBOOK-4360: No subject
2024-06-14 10:12:26 +00:00
# Iframe Traps
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
## Basic Information
This form of abusing XSS via iframes to steal information from the user moving across the web page was originally published in these 2 post from trustedsec.com: [**here**](https://trustedsec.com/blog/persisting-xss-with-iframe-traps) **and** [**here**](https://trustedsec.com/blog/js-tap-weaponizing-javascript-for-red-teams).
The attack start in a page vulnerable to a XSS where its possible to make the **victims dont leave the XSS** by making them **navigate within an iframe** that occupies all the web application.
The XSS attack will basically load the web page in an iframe in 100% of the screen. Therefore, the victim **won't notice he is inside an iframe**. Then, if the victim navigates in the page by clicking links inside the iframe (inside the web), he will be **navigating inside the iframe** with the arbitrary JS loaded stealing information from this navigation.
Moreover, to make it more realistic, its possible to use some **listeners** to check when an iframe changes the location of the page, and update the URL of the browser with that locations the user things hes is moving pages using the browser.
<figure><img src="../.gitbook/assets/image (1248).png" alt=""><figcaption><p><a href="https://www.trustedsec.com/wp-content/uploads/2022/04/regEvents.png">https://www.trustedsec.com/wp-content/uploads/2022/04/regEvents.png</a></p></figcaption></figure>
<figure><img src="../.gitbook/assets/image (1249).png" alt=""><figcaption><p><a href="https://www.trustedsec.com/wp-content/uploads/2022/04/fakeAddress-1.png">https://www.trustedsec.com/wp-content/uploads/2022/04/fakeAddress-1.png</a></p></figcaption></figure>
Moreover, it's possible to use listeners to steal sensitive information, not only the other pages the victim is visiting, but also the data used to **filled forms** and send them (credentials?) or to **steal the local storage**...
Ofc, the main limitations are that a **victim closing the tab or putting another URL in the browser will escape the iframe**. Another way to do this would be to **refresh the page**, however, this could be partially **prevented** by disabling the right click context menu every time a new page is loaded inside the iframe or noticing when the mouse of the user leaves the iframe, potentially to click the reload button of the browser and in this case the URL of the browser is updated with the original URL vulnerable to XSS so if the user reloads it, it will get poisoned again (note that this is not very stealth).
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
Reference in a new issue Copy permalink