Filed under: Phishing, Privacy, Security News, XSS
posted by D1m on 28 Mar 2007 03:59 am
Cross-Site Framed?
Have you heard of cross-site framing? The past few days I saw listed on our archive, several websites vulnerable to cross-site framing – listed as frame redirection. I will briefly describe a possible exploitation scenario, concluding with more emphasis on the negative impact that this type of vulnerability can have to the privacy of innocent individuals who are users of the affected websites.
Using google-dorks, the attackers can search for frame scripts allowing the inclusion of any url. This search reveals thousands of results with too many websites vulnerable to cross-site framing:
inurl:frame filetype:asp inurl:”url=”
inurl:frame filetype:aspx inurl:”url=”
inurl:frame filetype:php inurl:”url=”
inurl:frame filetype:cfm inurl:”url=”
inurl:iframe filetype:asp inurl:”url=”
inurl:iframe filetype:aspx inurl:”url=”
inurl:iframe filetype:php inurl:”url=”
inurl:iframe filetype:cfm inurl:”url=”
allinurl:http frame.asp
allinurl:http frame.aspx
allinurl:http frame.php
allinurl:http frame.cfm
allinurl:frame.php?url=http
allinurl:frame.asp?url=http
Phishing and other scams are now easier to perform due to cross-site framing.
Having found such frame scripts, allows the attackers to include a webpage which is hosted somewhere else. This webpage can be designed to look like the original website and can be any cross-platform server-side script. It can contain a fake login form which on submit parses the inputted usernames and passwords and sends them to the attacker’s mailbox in cleartext format.
It is also possible to perform XSS attacks as in most cases there is no filtering of special characters, script or other common tags in the URL parameter.
Daniel Hugh mailed us about a cross-site framing and scripting vulnerability affecting Gov.MT (Official website of the Government of Malta):
Gov.MT with Frame Redirect and XSS
The XSS vulnerabilities affecting websites can also be used to perform frame redirects, but not the contrary. So if you submit a website vulnerable to cross-site framing along with a XSS attack vector, we will publish it as XSS.
The above news were written in order to heighten the awareness of potential privacy threats to users of the web.
You can also access this blog post from XSSed.com – a project I run with Kevin Fernandez.
Here is the link: