Frame feedback
I am trying to do a PoC for a Cross Frame Scripting attack ( https://www.owasp.org/index.php/Cross_Frame_Scripting ) to show at my work how dangerous this attack can be for any version of the IE browser. This attack can be easily prevented by using the header X-FRAME-OPTIONS: deny in IE8 or later. But it would be nice if every developer included such a header in all web server responses. Using the code below, I see an alert box with a key code, but in the case of forms on the landing page, I cannot see the letter of the key pressed inside the form.
<script>
// Report every keydown that reaches the top-level (attacker) window.
// window.event is IE's global event object; fall back to it when the
// handler is called without an event argument, as older IE does.
window.onkeydown = function (e) {
  e = e || window.event;
  alert(e.keyCode);
};
</script>
<!-- Keep keyboard focus on the outer frameset so keystrokes are delivered
     to this document instead of the framed page. -->
<frameset onload="this.focus()" onblur="this.focus()">
<frame src="http://www.uol.com.br">
</frameset>
Using the simple code below, I can press a key and see both (the alert box and the letter inside the form).
<script>
// Same handler as above, but with a same-document input: the key both
// triggers the alert and is typed into the field.
window.onkeydown = function (e) {
  e = e || window.event;
  alert(e.keyCode);
};
</script>
<input>
Is there something wrong with the first block of code? Thanks!
There is probably nothing wrong with the code. Cross Frame Scripting is not a real vulnerability - it is only a vulnerability in older versions of Internet Explorer, which contain a bug where the onkeypress event is fired inside the parent frame even though the domains do not match, where it would normally be protected by the Same Origin Policy.
Other Cross Frame Scripting attacks are simply Cross-Site Scripting with a different name because they involve frames.
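The question names X-FRAME-OPTIONS: deny as the fix and the answer points out that only the IE bug lets the parent frame see the keystrokes in the first place, so the practical check is whether a response can be framed at all. The following is an added example, not code from the question, the answer, or the OWASP page: a small Node.js audit function that decides whether a page served with a given set of response headers may be framed by a given embedding origin, and a helper returning the headers a server should send. It assumes the attacker origin http://evil.example and the sample headers, which are constructed for illustration; the decision rules follow the X-Frame-Options and CSP frame-ancestors handling of current browsers, which is more than the question's IE-only scenario.

```javascript
// Added example (not from the original post or answer). Decide whether a page
// served with `headers` may be placed in a frame by a document at
// `embedderOrigin`. Origins are "scheme://host[:port]" strings.

// Normalise an origin for comparison (case, trailing slashes).
function normOrigin(origin) {
  return String(origin).trim().toLowerCase().replace(/\/+$/, '');
}

// Returns { framable: boolean, reason: string }.
function framingAllowed(headers, pageOrigin, embedderOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const page = normOrigin(pageOrigin);
  const embedder = normOrigin(embedderOrigin);

  // A CSP frame-ancestors directive, when present, takes precedence and the
  // X-Frame-Options header is ignored by the browser.
  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map(d => d.trim())
      .find(d => /^frame-ancestors(\s|$)/i.test(d));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1)
        .map(s => s.replace(/^'|'$/g, '').toLowerCase());
      if (sources.length === 0 || sources.includes('none'))
        return { framable: false, reason: "CSP frame-ancestors 'none'" };
      if (sources.includes('*'))
        return { framable: true, reason: 'CSP frame-ancestors *' };
      if (sources.includes('self') && embedder === page)
        return { framable: true, reason: "CSP frame-ancestors 'self'" };
      // Exact origin match only; host wildcards are not handled here.
      if (sources.some(s => s === embedder))
        return { framable: true, reason: 'embedder listed in frame-ancestors' };
      return { framable: false, reason: 'embedder not in frame-ancestors' };
    }
  }

  const raw = h['x-frame-options'];
  if (raw === undefined)
    return { framable: true, reason: 'no anti-framing header' };

  // Several comma-separated values may be present. A conflicting set that
  // includes DENY or SAMEORIGIN is treated as DENY; a conflicting set of
  // unrecognised values is ignored.
  const values = [...new Set(raw.split(',').map(v => v.trim().toLowerCase()).filter(Boolean))];
  if (values.length > 1) {
    const blocking = values.some(v => v === 'deny' || v === 'sameorigin' || v === 'allowall');
    return blocking
      ? { framable: false, reason: 'conflicting X-Frame-Options values, treated as DENY' }
      : { framable: true, reason: 'conflicting unrecognised X-Frame-Options values, ignored' };
  }
  const value = values[0] || '';
  if (value === 'deny')
    return { framable: false, reason: 'X-Frame-Options: DENY' };
  if (value === 'sameorigin')
    return embedder === page
      ? { framable: true, reason: 'X-Frame-Options: SAMEORIGIN, same-origin embedder' }
      : { framable: false, reason: 'X-Frame-Options: SAMEORIGIN, cross-origin embedder' };
  // ALLOW-FROM and any other value are not honoured by current browsers, so
  // such a header gives no protection.
  return { framable: true, reason: 'unrecognised X-Frame-Options value: ' + raw.trim() };
}

// Headers a server should add to every response to stop the framing that the
// keylogging frameset in the question relies on. Use as
//   res.writeHead(200, { 'Content-Type': 'text/html', ...antiFramingHeaders() });
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Constructed sample: an attacker page at http://evil.example (assumed origin)
// frames http://www.uol.com.br. Without the header the page can be framed;
// with antiFramingHeaders() it cannot.
const attacker = 'http://evil.example';
const target = 'http://www.uol.com.br';
console.log(framingAllowed({ 'Content-Type': 'text/html' }, target, attacker));
console.log(framingAllowed(antiFramingHeaders(), target, attacker));
```

The function only looks at the immediate embedder; a real browser checks every ancestor frame for SAMEORIGIN and frame-ancestors, so a page that is framable here may still be blocked in a deeper nesting.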