Questions tagged [cross-frame-scripting]
An attack where the attacker exploits bugs in the SOP of the browser to steal data from a frame with a different origin.
13
questions
2
votes
0
answers
102
views
Auth Token not included in CORS exploit [closed]
I have found a CORS on a website but when I am trying to exploit it for a POC it is fetching all the cookies except auth cookies and due to that I am getting an error message to "User not logged ...
11
votes
2
answers
7k
views
Is "Math.random" the same as "crypto.getRandomValues" (JavaScript security)
This question may be a little off-topic, but is Math.random the same as crypto.getRandomValues? (JavaScript)
Here's an example:
Math.random(); // 0.11918419514323941
self.crypto.getRandomValues(new ...
- 289
4
votes
1
answer
1k
views
How to create a secure embeddable HTML form?
I have an https website and I want to let other websites embed one of the pages on my website that lets users of my service log in and submit a form, similar to Paypal's payment iframe or Plaid's Link....
- 143
2
votes
1
answer
2k
views
Is it okay to only provide clickjacking protection on the login page?
I have a question about Clickjacking.
The question is quite simple. Imagine a login flow like this:
You visit the application login page, eg https://example.com/login.html. There is no Clickjacking ...
3
votes
1
answer
1k
views
Can a javascript on parent page log keystrokes inside an iframe?
I am trying to analyze the possibility of accessing keystrokes from an iframe using a javascript running on the parent page. The potential attack which I am looking to verify is Cross Frame Scripting.
...
- 3,941
0
votes
1
answer
182
views
How does one exploit cross scripting?
In my computer science class, my professor provided the following example...
Normally, a user would provide a link by typing the following in chatroom...
[Example Website](https://example.com)
And ...
- 153
1
vote
1
answer
995
views
Loading a logged in page in an iframe
Suppose www.youtube.com have no X-Frame-Options set.
Imagine I'm already logged in to YouTube. Now from another web page in the same browser I'm loading YouTube in an iframe, will the browser send ...
- 181
1
vote
1
answer
391
views
Can malicious sites use session data from iframes?
Let's say I have logged in to my site Genuine Site. Malicious Site has an iframe embedding Genuine Site. Will the embedded iframe in the Malicious site have access to my login credentials from Genuine ...
- 227
3
votes
1
answer
2k
views
X-Frame-Options Absent but cant load the page in iframe
I am trying to find the reason that a certain webpage is not getting iframed even when X-Frame-Options header is absent.
Observation:
When I write an HTML with iframe tag pointing to the URL and save ...
- 1,831
6
votes
3
answers
11k
views
How to avoid the cross-frame scripting attack over core php we application
I have developed one web application that is in core-php as per the client's requirement. My client conducted a vulnerability test, and found a Cross-Frame Scripting as a vulnerability at hard level.
...
- 161
4
votes
2
answers
2k
views
Are these four HTTP headers protection against Cross-Frame Scripting enough?
I would like to ask a question what is the best protection against Cross-Frame Scripting.
I have set up my web server to adding these flags into HTTP HEADER:
X-Same-Domain: 1
X-Content-Type-Options: ...
- 41
-1
votes
1
answer
1k
views
How do configure Apache to resolve 'Missing Cross-Frame Scripting Defence' by app scan [closed]
There is an apache server hosting some website written in PHP and is accessible thru internet. How do configure the apache to resolve 'Missing Cross-Frame Scripting Defence' and can 'Missing Cross-...
- 107
3
votes
2
answers
6k
views
Are these both cross frame scripting attacks?
I've received a recent security review of a website which mentioned it had a cross frame scripting vulnerability. In short, it mentioned that a malicious site could load the page up in an iframe, ...
- 991