
Questions tagged [cross-frame-scripting]

An attack in which the attacker exploits bugs in the browser's same-origin policy (SOP) to steal data from a frame with a different origin.

1 vote
0 answers
127 views

HTTP headers needed for cross-origin communication with postMessage()/onmessage

I'm experimenting with Direct Sockets TCPServerSocket, TCPSocket, and UDPSocket in an Isolated Web App (IWA) on Chromium browser. The maintainers are trying to uphold the claim that a window can ...
guest271314

2 votes
0 answers
127 views

Auth Token not included in CORS exploit [closed]

I have found a CORS on a website but when I am trying to exploit it for a POC it is fetching all the cookies except auth cookies and due to that I am getting an error message to "User not logged ...
Abhinav Kumar

12 votes
2 answers
9k views

Is "Math.random" the same as "crypto.getRandomValues" (JavaScript security)

This question may be a little off-topic, but is Math.random the same as crypto.getRandomValues? (JavaScript) Here's an example: Math.random(); // 0.11918419514323941 self.crypto.getRandomValues(new ...
Parking Master

4 votes
1 answer
1k views

How to create a secure embeddable HTML form?

I have an https website and I want to let other websites embed one of the pages on my website that lets users of my service log in and submit a form, similar to Paypal's payment iframe or Plaid's Link....
Luciano • 143

2 votes
1 answer
2k views

Is it okay to only provide clickjacking protection on the login page?

I have a question about Clickjacking. The question is quite simple. Imagine a login flow like this: You visit the application login page, eg https://example.com/login.html. There is no Clickjacking ...
Bhuvanesh Kumar

3 votes
1 answer
2k views

Can a javascript on parent page log keystrokes inside an iframe?

I am trying to analyze the possibility of accessing keystrokes from an iframe using a javascript running on the parent page. The potential attack which I am looking to verify is Cross Frame Scripting. ...
hax • 3,951

0 votes
1 answer
203 views

How does one exploit cross scripting?

In my computer science class, my professor provided the following example... Normally, a user would provide a link by typing the following in chatroom... [Example Website](https://example.com) And ...
TrevorKS • 153

1 vote
1 answer
1k views

Loading a logged in page in an iframe

Suppose www.youtube.com have no X-Frame-Options set. Imagine I'm already logged in to YouTube. Now from another web page in the same browser I'm loading YouTube in an iframe, will the browser send ...
nkg • 191

1 vote
1 answer
438 views

Can malicious sites use session data from iframes?

Let's say I have logged in to my site Genuine Site. Malicious Site has an iframe embedding Genuine Site. Will the embedded iframe in the Malicious site have access to my login credentials from Genuine ...
Souradeep Nanda

3 votes
1 answer
2k views

X-Frame-Options Absent but can't load the page in iframe

I am trying to find the reason that a certain webpage is not getting iframed even when X-Frame-Options header is absent. Observation: When I write an HTML with iframe tag pointing to the URL and save ...
one • 1,841

6 votes
3 answers
11k views

How to avoid the cross-frame scripting attack over core php web application

I have developed one web application that is in core-php as per the client's requirement. My client conducted a vulnerability test, and found a Cross-Frame Scripting as a vulnerability at hard level. ...
Shaggie • 161

4 votes
2 answers
2k views

Are these four HTTP headers protection against Cross-Frame Scripting enough?

I would like to ask a question what is the best protection against Cross-Frame Scripting. I have set up my web server to adding these flags into HTTP HEADER: X-Same-Domain: 1 X-Content-Type-Options: ...
Jamie • 41

-1 votes
1 answer
1k views

How do I configure Apache to resolve 'Missing Cross-Frame Scripting Defence' by app scan [closed]

There is an apache server hosting some website written in PHP and is accessible thru internet. How do I configure the apache to resolve 'Missing Cross-Frame Scripting Defence' and can 'Missing Cross-...
user275517

3 votes
2 answers
6k views

Are these both cross frame scripting attacks?

I've received a recent security review of a website which mentioned it had a cross frame scripting vulnerability. In short, it mentioned that a malicious site could load the page up in an iframe, ...
Lawtonfogle • 1,001