Busting a tough FRAME killer
I've been trying to break this up for a few hours now but with no success... I am pretty desperate now :(
I am doing penetration testing for a company and I need to bypass this frame killer JS:
<script type="text/javascript">/* <![CDATA[ */
if (top != self) {
try {
if (parent != top) {
throw 1;
}
var disallowed = ['XXXXXXX.com'];
var href = top.location.href.toLowerCase();
for (var i = 0; i < disallowed.length; i++) {
if (href.indexOf(disallowed[i]) >= 0) {
throw 1;
}
}
} catch (e) {
try {
window.document.getElementsByTagName('head')[0].innerHTML = '';
} catch (e) { /* IE */
var htmlEl = document.getElementsByTagName('html')[0];
htmlEl.removeChild(document.getElementsByTagName('head')[0]);
var el = document.createElement('head');
htmlEl.appendChild(el);
}
window.document.body.innerHTML = '<a href="#" onclick="top.location.href=window.location.href" style="text-decoration:none;"><img src="http://www.XXXXXXX.com/img/XXXXXX.gif" style="border:0px;" /><br />Go to XXXXXXX.com</a>';
}
}
/* ]]> */</script>
Thank you very much!
Answer
Use one of the following:
- IP Address instead of domain name to bypass the disallowed list
- X-Frame-Options
- HTML5 sandbox
If the body element's node document's browsing context is a nested browsing context, and the browsing context container of that nested browsing context is a frame or iframe element, then the container frame element of the body element is that frame or iframe element. Otherwise, there is no container frame element.
The above requirements imply that a page can change the margins of another page (including one from another origin) using, for example, an iframe. This is potentially a security risk, as it might in some cases allow an attack to contrive a situation in which a page is rendered not as the author intended, possibly for the purposes of phishing or otherwise misleading the user.
References