Premise

In this video walkthrough, we went through a webpage that is vulnerable to iframe injection. By tampering with the iframe's URL parameters we are able to make the page display another page of our choosing. We used bWAPP from OWASP to demonstrate this vulnerability and how to prevent it.

Skills Learned

  • bWAPP
  • Iframe Injection
  • OWASP

What’s an Iframe?

First off, let’s talk about what an iframe is. It’s simply an HTML tag that allows you to display content from another file or even a whole other website within the current webpage. For example, I can use an iframe to embed a robots.txt file directly into the page.

The Vulnerability

The problem starts when the parameters of the iframe, like its source (src), width, and height, are exposed in the URL without any proper checks. This opens the door for an attacker to manipulate these parameters and inject their own content.

How the Attack Works

Here’s how an attacker can exploit this vulnerability:

  1. Changing the Source: An attacker can change the src parameter in the URL to point to their own malicious website instead of the intended file. I’ll show you how I can replace the robots.txt file with a custom URL, making my own website appear within the legitimate page.
  2. Adjusting the View: To make their injected content more convincing, the attacker can also change the width and height parameters to make it bigger and more visible to unsuspecting users.
  3. The Trap: When a user visits the compromised page, they’ll see the attacker’s content. This could be anything from a fake login form designed to steal credentials, an intrusive ad, or even a prompt to download malware.

To demonstrate this, I’ll set up a listener on my machine and then inject my IP address into the iframe’s src parameter. When a user visits the page, a connection is made back to my machine, which could allow me to snatch sensitive data like their cookies.
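From the defender's side, the same three parameters are what to watch for in the web server's access log: a legitimate request carries a relative file name, while an injection attempt carries a scheme or host, quote characters, or traversal sequences in src. The following Python example is added here (it is not from the video or from bWAPP) and runs that check over a few constructed Apache-style log lines; the parameter names src/width/height, the handler path /iframe.php and the sample addresses (203.0.113.10, evil.example) are assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed Apache combined-format lines (not real traffic). 203.0.113.10 and
# evil.example are documentation-reserved values standing in for an
# attacker-controlled listener host. The parameter names src/width/height and
# the handler path are the ones the walkthrough describes and are assumed here.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /iframe.php?src=robots.txt&width=250&height=250 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2024:10:01:09 +0000] "GET /iframe.php?src=http%3A%2F%2F203.0.113.10%3A4444%2F&width=900&height=900 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.8 - - [12/Mar/2024:10:02:15 +0000] "GET /iframe.php?src=%2F%2Fevil.example%2F&width=250&height=250 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:03:30 +0000] "GET /iframe.php?src=robots.txt%22%20onload%3Dalert(1)&width=250 HTTP/1.1" 200 600 "-" "Mozilla/5.0"
10.0.0.3 - - [12/Mar/2024:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

HANDLER_PATH = "/iframe.php"  # assumed path of the handler file named in the text


def classify_src(src):
    """Return a short reason if the src value looks injected, else None."""
    parsed = urlparse(src)
    if parsed.scheme or parsed.netloc or src.startswith("//"):
        return "non-relative-src"     # a scheme or host: the page is told to frame another origin
    if any(ch in src for ch in '"\'<>'):
        return "attribute-breakout"   # trying to escape the src="..." attribute
    if ".." in src:
        return "path-traversal"
    return None


def find_iframe_injection(log_text):
    """Scan log lines and return one finding per suspicious request to the handler."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue                  # not a combined-format line; skip it
        url = urlparse(match.group("target"))
        if url.path != HANDLER_PATH:
            continue
        params = parse_qs(url.query)  # percent-decodes the values for us
        src = params.get("src", [""])[0]
        reason = classify_src(src)
        if reason is not None:
            findings.append({
                "ip": match.group("ip"),
                "ts": match.group("ts"),
                "src": src,
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for finding in find_iframe_injection(SAMPLE_LOG):
        print(f'{finding["ts"]} {finding["ip"]} {finding["reason"]}: src={finding["src"]!r}')
```

Run against the constructed lines, the scan reports the three tampered requests and ignores both the legitimate robots.txt request and traffic to other pages. The decoding step matters: the injected values are percent-encoded in the log, so a plain substring search for `http://` on the raw line would miss them.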

How to Protect Against It

Now, let’s talk about prevention. Here are a few ways to protect against iframe injection attacks:

  • Use the sandbox attribute: Add the sandbox attribute to your iframe tag. On its own it blocks scripts, form submission and navigation of the parent page inside the frame; tokens such as allow-scripts then re-enable only the capabilities you actually need. This can prevent injected scripts from running or the user from being redirected to a malicious site.
  • Check file permissions: Make sure that the handler file (like iframe.php) has the correct permissions. Making it read-only for external access can help prevent unauthorized modifications.
  • Use a secure framework: Modern web frameworks like WordPress have built-in features to prevent these types of attacks by default.
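To make the vulnerable pattern and the fixes concrete, here is an added Python example that models the handler described in "The Vulnerability" and applies the protections listed above. It is not bWAPP's PHP code and not from the video: one function copies the src, width and height query parameters straight into the tag, the other allowlists the source, clamps the dimensions to integers, escapes attribute values and sandboxes the frame. The parameter names and the single-file allowlist are assumptions, and the Content-Security-Policy frame-src header is an extra layer that the list above does not mention.

```python
import html
from urllib.parse import parse_qs

# Constructed allowlist (assumption): the page is only ever meant to embed a
# fixed set of local files, robots.txt being the one the walkthrough uses.
ALLOWED_SOURCES = {"robots.txt"}
DEFAULT_SRC = "robots.txt"
DEFAULT_SIZE = 250
MAX_SIZE = 1000


def render_iframe_vulnerable(query: str) -> str:
    """The insecure pattern: src, width and height are copied from the query
    string straight into the tag, so an absolute URL or a quote character in
    any of them lands in the HTML unchanged."""
    params = parse_qs(query)
    src = params.get("src", [DEFAULT_SRC])[0]
    width = params.get("width", [str(DEFAULT_SIZE)])[0]
    height = params.get("height", [str(DEFAULT_SIZE)])[0]
    return f'<iframe src="{src}" width="{width}" height="{height}"></iframe>'


def clamp_dimension(value: str) -> int:
    """Accept only an integer in a sane range; anything else falls back to the
    default, so the iframe cannot be resized to cover the whole page."""
    try:
        size = int(value)
    except ValueError:
        return DEFAULT_SIZE
    return max(1, min(size, MAX_SIZE))


def render_iframe_hardened(query: str) -> str:
    """Allowlist the source, coerce dimensions to integers, attribute-escape
    the value and sandbox the frame with no allow-* tokens."""
    params = parse_qs(query)
    src = params.get("src", [DEFAULT_SRC])[0]
    # One membership test rejects absolute URLs, protocol-relative "//host"
    # values, path traversal and attribute-breakout payloads alike.
    if src not in ALLOWED_SOURCES:
        src = DEFAULT_SRC
    width = clamp_dimension(params.get("width", [""])[0])
    height = clamp_dimension(params.get("height", [""])[0])
    # A bare sandbox attribute disables scripts, forms, plugins and top-level
    # navigation in the framed document; html.escape is defence in depth in
    # case the allowlist is ever widened to user-influenced values.
    return (
        f'<iframe sandbox src="{html.escape(src, quote=True)}" '
        f'width="{width}" height="{height}"></iframe>'
    )


def hardened_response_headers() -> dict:
    """Headers to send with the page. frame-src 'self' makes the browser
    refuse to embed any other origin even if the template check is bypassed."""
    return {"Content-Security-Policy": "frame-src 'self'"}


if __name__ == "__main__":
    # Constructed attack query: an external listener address and an enlarged frame.
    attack = "src=http://203.0.113.10:4444/&width=900&height=900"
    print("vulnerable:", render_iframe_vulnerable(attack))
    print("hardened:  ", render_iframe_hardened(attack))
```

Note that the allowlist, not escaping, is what defeats the source swap: `html.escape` would happily emit an external URL unchanged because it is valid attribute content. Escaping stops attribute breakout, the allowlist stops redirection, the clamp stops the full-page overlay, and sandbox limits the damage if all three are somehow bypassed.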

Technical Commands Used

While the video mentions using a Netcat listener, the full command isn’t shown clearly. However, a typical command to set up a listener would look something like this:

  • sudo nc -lvp [port_number]

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.