
CWE-16
ISO27001-A.14.1.2
WASC-15
OWASP 2017-A6

Insecure Frame (External)

Severity: Low
Summary

Invicti identified an external insecure or misconfigured iframe.

Impact

IFrame sandboxing enables a set of additional restrictions for the content within a frame in order to restrict its potentially malicious code from causing harm to the web page that embeds it.


The Same Origin Policy (SOP) prevents JavaScript code from one origin from accessing the properties and functions, as well as the HTTP responses, of a different origin. Access is only allowed if the protocol, port and domain match exactly.

For example, the URLs below all belong to the same origin as http://site.com:

  • http://site.com
  • http://site.com/
  • http://site.com/my/page.html

Whereas the URLs below are not from the same origin as http://site.com:

  • http://www.site.com (a subdomain)
  • http://site.org (different top-level domain)
  • https://site.com (different protocol)
  • http://site.com:8080 (different port)

When the sandbox attribute is set, the iframe content is treated as being from a unique origin, even if its hostname, port and protocol match exactly. Additionally, sandboxed content is re-hosted in the browser with the following restrictions:

  • Any kind of plugin, such as ActiveX, Flash, or Silverlight, is disabled for the iframe.
  • Forms are disabled. The hosted content is not allowed to submit forms to any target.
  • Scripts are disabled. JavaScript will not execute.
  • Links to other browsing contexts are disabled. An anchor tag targeting another browsing context, such as the top-level window, will not open it.
  • Unique origin treatment. All content is treated as coming from a unique origin, so it cannot traverse the parent DOM or read cookie information.


When the sandbox attribute is not set or not configured correctly, your application might be at risk.


A compromised website that is loaded in such an insecure iframe might affect the parent web application. These are just a few examples of how such an insecure frame might affect its parent:

  • It might trick the user into supplying a username and password to the site loaded inside the iframe.
  • It might navigate the parent window to a phishing page.
  • It might execute untrusted code.
  • It could show a popup, appearing to come from the parent site.


Each of the following values in the sandbox attribute lifts one of these restrictions:

  • allow-same-origin: the frame is no longer treated as a unique origin.
  • allow-top-navigation: code in the iframe may navigate the parent window elsewhere, e.g. by changing parent.location.
  • allow-forms: form submissions from inside the iframe are allowed.
  • allow-popups: popups are allowed.
  • allow-scripts: script execution (including malicious script) is allowed, although popups still cannot be created without allow-popups.
Remediation
  • Apply sandboxing to the inline frame: <iframe sandbox src="framed-page-url"></iframe>
  • For untrusted content, avoid the seamless attribute and avoid the allow-top-navigation, allow-popups and allow-scripts values in the sandbox attribute.
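The following is an added example, not code from the Invicti page: it implements the exact-match origin comparison described above over the page's own URL examples, and audits an iframe's sandbox attribute value to report which restrictions have been relaxed. It uses only the WHATWG URL API, so it runs unchanged in Node or a browser; the finding texts are assumptions chosen for this example.

```javascript
// Added example (not from the Invicti page): same-origin check plus a small
// sandbox-attribute audit. Uses only the WHATWG URL API (Node or browser).

// Two URLs share an origin when scheme, host and port all match exactly.
// URL.port is "" for the default port, so http://site.com and
// http://site.com:8080 compare as different origins.
function sameOrigin(a, b) {
  const u = new URL(a), v = new URL(b);
  return u.protocol === v.protocol && u.hostname === v.hostname && u.port === v.port;
}

// Sandbox tokens that lift a restriction the page lists, with the risk each reintroduces
// (descriptions are assumptions written for this example).
const RISKY_TOKENS = {
  "allow-same-origin": "frame keeps its real origin (DOM and cookie access when same-origin)",
  "allow-top-navigation": "frame may navigate the parent window, e.g. to a phishing page",
  "allow-forms": "frame may submit forms (credential entry inside the frame)",
  "allow-popups": "frame may open popups that appear to come from the parent",
  "allow-scripts": "frame may execute script",
};

// Audit a sandbox attribute value; pass null when the attribute is absent.
// Returns the findings a scanner would report; an empty list means fully sandboxed.
function auditSandbox(sandboxValue) {
  if (sandboxValue === null || sandboxValue === undefined) {
    return ["sandbox attribute missing: framed content is not restricted at all"];
  }
  // The attribute is a whitespace-separated, case-insensitive token list.
  const tokens = new Set(sandboxValue.trim().toLowerCase().split(/\s+/).filter(Boolean));
  const findings = [];
  for (const [token, risk] of Object.entries(RISKY_TOKENS)) {
    if (tokens.has(token)) findings.push(`${token}: ${risk}`);
  }
  // Beyond the page: the HTML specification and MDN document that allow-scripts together with
  // allow-same-origin lets the framed document remove its own sandbox attribute.
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push("allow-scripts + allow-same-origin: framed page can strip the sandbox entirely");
  }
  return findings;
}

// Usage over the page's examples (constructed input):
console.log(sameOrigin("http://site.com", "http://site.com/my/page.html")); // true
console.log(sameOrigin("http://site.com", "http://site.com:8080"));         // false
console.log(auditSandbox("allow-forms allow-scripts allow-same-origin"));
```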