Author Topic: Iframe is not the source, still we name it Iframe exploit.............  (Read 2498 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33973
  • malware fighter
Hi malware fighters,

There is quite some misunderstanding about Iframe exploits. IFrame exploits? No, the term is wrong actualy. It seems there has been some phenomenon of referring to exploits that load through inline frame (IFrame) tags as “IFrame exploits.” It seems that a lot of people seem to think that IFrames are evil and that they are at the actual root of this exploit, the cause of it so to say. This isn’t really true though. Recently a number of websites have been compromised and have had IFrame tags added to their source that are invisible (height/width is usually set to 0 or 1). These invisible tags then generally pull in exploit code from another website that attempts to take advantage of an not fully patched system. We could say that the IFrame is accomplice in the page source, but it certainly is not the exploit itself.

Unfortunately you might not be able to protect yourself by just browsing to “trusted” websites. Recently a number of well known legitimate websites have been hacked only to have their source modified to turn them into malware/exploit gateways. The best thing you can do to protect yourself is keep your OS and software fully patched, try not to browse the web as an administrator/root user, and don’t surf too many sites housing questionable content. Use the NoScript add-on for Firefox and use DrWeb's hyperlink av-scanner before clicking a hyper link you do not fully trust.

Frame breaker

They are very old school but can be very effective in protecting against iframe attacks.
Code: [Select]
if (top != self) {
  top.location.href = 'http://yoururl/';
}
or the next script to break out of frames, but do not place this in your own web site's frames..
because it breaks out of everything....
Code: [Select]
<script type="text/javascript>
<!--
if(top.frames.length > 0)
top.location.href=self.location;
//-->
</script>
polonus
« Last Edit: November 12, 2007, 12:32:19 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89420
  • No support PMs thanks
Re: Iframe is not the source, still we name it Iframe exploit.............
« Reply #1 on: November 12, 2007, 12:33:33 AM »
Yes it is very old school but was designed to stop someone linking to a page within a site that uses the frameset (frames).

The problem is the iFrame tag doesn't have to be within a frameset, it can be anywhere in a normal html page, so I'm not sure how this would have any effect at all.

If you remember the attack on the forum which was an injection of an iFrame into the php page that did exactly as you described.

So the top page would still be itself, the iframe is an element within that page.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33973
  • malware fighter
Re: Iframe is not the source, still we name it Iframe exploit.............
« Reply #2 on: November 12, 2007, 12:37:40 AM »
Hi DavidR,

I hope that Giorgio Maone can be inspired to come up with some generic code against this kind of exploits inside NoScript. Because this read is frightening to me:
http://badmalweb.blogspot.com/2007/09/iframe-injection-source.html

polonus
« Last Edit: November 12, 2007, 12:42:58 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89420
  • No support PMs thanks
Re: Iframe is not the source, still we name it Iframe exploit.............
« Reply #3 on: November 12, 2007, 02:28:17 AM »
Well what seemed to combat it is hosting/forum software, etc. not being vulnerable to the iFrame injection.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security