Saturday, October 11, 2008

Frame Injection Fun

Frame injection vulnerabilities, although some people might consider them the same as HTML injection/XSS or even a subset, they really are not the same.

Here is why:

  • There is no need to inject special control characters such as angle brackets (unlike HTMLi/XSS)
  • HTMLi/XSS filtering routines will not project against frame injection since the attacker only needs to insert a URL in the non-sanitized parameter

The best way to explain what I mean is to show an example. Most frame injection issues occur in web applications because dynamic frameset/iframe insertion is not implemented with enough filtering. For instance, say that we have the following URL on the target site:


No comments: