A Frame Injection is a type of Code Injection vulnerability classified by OWASP in its A1 Injection category. Cross-site Scripting is naturally prioritized by bug bounty hunters since it seems easily exploitable and effective. But malicious hackers are also attracted to this vulnerability, because there are aspects of the Frame Injection attack that can allow hackers to redirect users to other malicious websites used for phishing and similar attacks. In this blog post, we explore one of these aspects, inspired by security analyst Mustafa Hasan’s research. We’ll also outline a method for preventing this vulnerability.

Hasan is a Security consultant at Securemisr, a former Netsparker employee and a bug bounty participant.

Before the invention of frames, you could be certain of encountering only a single window object on any given website. However, the introduction of frames to HTML changed this, making it necessary to handle multiple windows on the same web page. Quite often, an action in one frame – clicking a link, for example – would directly affect a neighboring frame. Imagine two neighboring frames in a web page designed as an ebook reader, where one frame is used to view the table of contents for the book, while the links clicked in that content will launch in the other frame. This can be achieved quite simply by adding a target attribute to anchor elements and forms, or by specifying the window name in which the URL will be loaded as a second parameter in JavaScript’s window.open method.

In the mid 1990s, a web page could redirect any frame to a different web address at any given time. In 1999, security researcher Georgi Guninski published his research on the dangers of frame navigation.
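The following is an added example, not code from the original post: a check a page like the ebook reader could run before loading a destination into its content frame, so that a destination taken from untrusted input cannot point the frame at another site. The names `resolveFrameUrl`, `ALLOWED_ORIGINS` and `PAGE_URL`, the `reader.example` origin, and the idea that the destination arrives as untrusted input are all assumptions made for illustration.

```javascript
// Added example; every name and URL below is hypothetical.
const ALLOWED_ORIGINS = new Set(["https://reader.example"]);
const PAGE_URL = "https://reader.example/book/index.html";

// Returns a normalized URL that may be loaded in the content frame,
// or null when the input has to be rejected.
function resolveFrameUrl(input, pageUrl = PAGE_URL, allowed = ALLOWED_ORIGINS) {
  if (typeof input !== "string" || input.length === 0) return null;
  let url;
  try {
    // Resolve the way the browser would, so "//host", "\\host" and
    // relative paths are judged by where they actually lead.
    url = new URL(input, pageUrl);
  } catch {
    return null; // not parseable as a URL
  }
  if (url.protocol !== "https:") return null;     // rejects javascript:, data:, http:
  if (url.username || url.password) return null;  // "https://trusted@other-host/"
  if (!allowed.has(url.origin)) return null;      // exact origin match, no substring tests
  return url.href; // hand the frame this value, never the raw input
}

// Constructed sample inputs, not taken from the post.
const SAMPLES = [
  "chapter2.html",
  "https://reader.example/book/../toc.html",
  "//phish.example/login",
  "\\\\phish.example/login",
  "https://reader.example@phish.example/",
  "https://reader.example.phish.example/",
  "javascript:void(0)",
  "http://reader.example/chapter2.html",
];

// Maps each sample to the URL that would be loaded, or null if refused.
function classify(samples = SAMPLES) {
  return samples.map((s) => [s, resolveFrameUrl(s)]);
}

for (const [input, result] of classify()) {
  console.log(JSON.stringify(input), "->", result === null ? "rejected" : result);
}
```

The comparison is made on the parsed origin rather than on the raw string, which is why the look-alike host and the userinfo form are refused.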