# Iframe Traps
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
## Basic Information
Hii njia ya kutumia XSS kupitia iframes kuiba taarifa kutoka kwa mtumiaji anayesafiri kwenye ukurasa wa wavuti ilichapishwa awali katika hizi posti 2 kutoka trustedsec.com: [**hapa**](https://trustedsec.com/blog/persisting-xss-with-iframe-traps) **na** [**hapa**](https://trustedsec.com/blog/js-tap-weaponizing-javascript-for-red-teams).
Shambulio linaanza katika ukurasa ulio hatarini kwa XSS ambapo inawezekana kufanya **waathirika wasiondoke kwenye XSS** kwa kuwafanya **wasafiri ndani ya iframe** inayochukua sehemu yote ya programu ya wavuti.
Shambulio la XSS kimsingi litapakia ukurasa wa wavuti ndani ya iframe katika 100% ya skrini. Hivyo, mwathirika **hatagundua yuko ndani ya iframe**. Kisha, ikiwa mwathirika anasafiri kwenye ukurasa kwa kubofya viungo ndani ya iframe (ndani ya wavuti), atakuwa **anasafiri ndani ya iframe** na JS isiyo na mipaka ikipakia taarifa kutoka kwa safari hii.
Zaidi ya hayo, ili kufanya iwe halisi zaidi, inawezekana kutumia **wasikilizaji** kuangalia wakati iframe inabadilisha eneo la ukurasa, na kusasisha URL ya kivinjari na maeneo hayo ambayo mtumiaji anadhani anasafiri kwenye kurasa akitumia kivinjari.
Zaidi ya hayo, inawezekana kutumia wasikilizaji kuiba taarifa nyeti, si tu kurasa nyingine ambazo mwathirika anatembelea, bali pia data inayotumika ku **jaza fomu** na kuzipeleka (akili?) au **kuiba hifadhi ya ndani**...
Kwa kweli, vizuizi vikuu ni kwamba **mwathirika akifunga tab au kuweka URL nyingine kwenye kivinjari atakimbia iframe**. Njia nyingine ya kufanya hivi ingekuwa **kufanya upya ukurasa**, hata hivyo, hii inaweza kuzuia kwa sehemu **kwa kuzima menyu ya muktadha ya kubofya kulia kila wakati ukurasa mpya unapopakuliwa ndani ya iframe au kugundua wakati panya ya mtumiaji inatoka kwenye iframe, labda kubofya kitufe cha upya cha kivinjari na katika kesi hii URL ya kivinjari inasasishwa na URL ya asili iliyo hatarini kwa XSS hivyo ikiwa mtumiaji atafanya upya, itakuwa imechafuliwa tena (kumbuka kwamba hii si ya siri sana).
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}