Summary #

Invicti identified a misconfigured sandbox attribute in an iframe.

Impact #

IFrame sandboxing enables a set of extra restrictions for the content in the inline frame.

Same Origin policy allows one window to access properties/functions of another one only if they come from the same protocol, the same port and the same domain.
URLs from the same origin:

URLs not from the same origin:  (sub domain)      (different domain)     (different protocol) (different port)

When the sandbox attribute is set, the iframe content is treated as being from a unique origin, forms and scripts are disabled, links are prevented from targeting other browsing contexts and plugins are disabled.

When misconfigured sandbox attribute of an iframe on the same origin:

  • Compromised website in the iframe might affect the users in parent web application.
  • With a sandbox attribute containing both the allow-same-origin and allow-scripts flags, framed page can reach up into the parent and remove the sandbox attribute entirely.
Remediation #
  • Avoid the usage of allow-same-origin and allow-scripts at the same time.
Classifications #
CWE-16; ISO27001-A.14.1.2; WASC-15; OWASP 2017-A6
Vulnerability Index

Vulnerability Index

You can search and find all vulnerabilities


Search Vulnerability


Dead accurate, fast & easy-to-use Web Application Security Scanner

Get a demo