Busting a tough FRAME killer

Gavriel Dorino picture Gavriel Dorino · Feb 19, 2012 · Viewed 10.5k times · Source

I've been trying to break this up for a few hours now but with no success... I am pretty desperate now :(

I am doing penetration testing for a company and I need to bypass this frame killer JS:

<script type="text/javascript">/* <![CDATA[ */
if (top != self) {
    try {
        if (parent != top) {
            throw 1;
        }
        var disallowed = ['XXXXXXX.com'];
        var href = top.location.href.toLowerCase();
        for (var i = 0; i < disallowed.length; i++) {
            if (href.indexOf(disallowed[i]) >= 0) {
                throw 1;
            }
        }
    } catch (e) {
        try {
            window.document.getElementsByTagName('head')[0].innerHTML = '';
        } catch (e) { /* IE */
            var htmlEl = document.getElementsByTagName('html')[0];
            htmlEl.removeChild(document.getElementsByTagName('head')[0]);
            var el = document.createElement('head');
            htmlEl.appendChild(el);
        }
        window.document.body.innerHTML = '<a href="#" onclick="top.location.href=window.location.href" style="text-decoration:none;"><img src="http://www.XXXXXXX.com/img/XXXXXX.gif" style="border:0px;" /><br />Go to XXXXXXX.com</a>';
    }
}

/* ]]> */</script>

Thank you very much!

Answer

Paul Sweatte picture Paul Sweatte · Dec 29, 2012

Use one of the following:

If the body element's node document's browsing context is a nested browsing context, and the browsing context container of that nested browsing context is a frame or iframe element, then the container frame element of the body element is that frame or iframe element. Otherwise, there is no container frame element.

The above requirements imply that a page can change the margins of another page (including one from another origin) using, for example, an iframe. This is potentially a security risk, as it might in some cases allow an attack to contrive a situation in which a page is rendered not as the author intended, possibly for the purposes of phishing or otherwise misleading the user.

References