Detail

Insecure Frame (External)

Severity: Low

Summary

Netsparker identified an external insecure or misconfigured iframe.

Impact

IFrame sandboxing enables a set of extra restrictions for the content in the inline frame.

Same Origin policy allows one window to access properties/functions of another one only if they come from the same protocol, the same port and also the same domain.
           
URLs from the same origin:
            
http://site.com
http://site.com/
http://site.com/my/page.html
        
URLs not from the same origin:
            
http://www.site.com  (sub domain)
http://site.org      (different domain)
https://site.com     (different protocol)
http://site.com:8080 (different port)

When the sandbox attribute is set, the iframe content is treated as being from a unique origin and sandboxed content is re-hosted in the browser with the following restrictions:

  • Plugins are disabled. Any kind of ActiveX, Flash, or Silverlight plugin will not be executed.
  • Forms are disabled. The hosted content is not allowed to make forms post back to any target.
  • Scripts are disabled. JavaScript is disabled and will not execute.
  • Links to other browsing contexts are disabled. An anchor tag targeting different browser levels will not execute.
  • Unique origin treatment. All content is treated under a unique origin. The content is not able to traverse the DOM or read cookie information.

When not set or misconfigured sandbox or seamless attribute of an iframe for an untrusted URL:

  • Compromised website in the iframe might affect the users in parent web application.
  • Sandbox containing a value of :
    • allow-same-origin will not force the unique origin for iframe contents.
    • allow-top-navigation will allow iframe to navigate parent context, e.g. change parent.location.
    • allow-forms will allow forms submissions from inside iframe.
    • allow-popups will allow popups.
    • allow-scripts will allow malicious script execution however still disallow to create popups.
  • If seamless attribute is set, links within the iframe will navigate the parent frame.
Remediation
  • Apply sandboxing in inline frame
    <iframe sandbox src="framed-page-url"></iframe>
  • For untrusted content, avoid the usage of seamless attribute and allow-top-navigation, allow-popups and allow-scripts in sandbox attribute.
Vulnerability Index

Vulnerability Index

You can search and find all vulnerabilities

Select Category

OR

Search Vulnerability

Netsparker

Dead accurate, fast & easy-to-use Web Application Security Scanner

GET A DEMO

NETSPARKER

WEB SECURITY

COMPANY

Netsparker Ltd

  • United Kingdom, (reg. no. 06947644)
  • USA Office: +1 415 877 4450
  • UK Office: +44 (0)20 3588 3840
  • contact@netsparker.com
Copyright © 2018 Netsparker Ltd. All rights reserved. | Privacy Policy