So I can have a frame load up amazon.com and check if they're on the page where they put in the credit card information and do the following: a. read the information from the fields directly (would have to check it every few seconds and submit to the home server through ajax or something) b. change the action in the form to have the form submit to my site, and then use my site to redirect back to amazon's action page (basically stealing the cc info, with the user not even knowing).

I know I might get some warnings about security with b, since their site is on a secure server, and my action url is not. But the whole point is, is it possible? This really worries me that anybody can just do attacks like this to any site that doesn't have the 'bust out of frames' code in there. I know it's not technically XSS, but I'm not sure what else to call it. I just hadn't thought of this issue before and never heard it mentioned, so I wasn't sure if it's possible. But if you are saying it is possible, then we're opening a whole can of worms here.

Russ

> -----Original Message-----
> From: Dave Watts [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 18, 2006 4:16 PM
> To: CF-Talk
> Subject: RE: XSS through frames?
>
> > I was wondering, if it's possible to do XSS attacks through
> > frames? Say can one frame of a page access and modify stuff
> > on the other frame? Can the frameset document?
>
> Yes, and yes. However, being able to have JavaScript in one frame manipulate
> the contents of another frame is not, by itself, an XSS attack. Typically,
> for an XSS attack to be successful, you'd have to trick a server-side script
> into accepting executable JavaScript within an input, and placing that
> JavaScript within a page viewed by someone else. If my browser contains a
> frameset, there's no attack using both frames that wouldn't work just as
> well with just one frame or the other.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229933
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
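An added example, not part of the thread or of either poster's code: the same-origin rule a browser applies before script in one frame may read or rewrite another frame's document, and the response headers a site can send so the browser refuses to render it inside a foreign frameset at all (the modern replacement for the 'bust out of frames' script mentioned above). Node.js; `attacker.example` and `partner.example` are constructed placeholder hosts.

```javascript
// Same-origin policy: scheme, host and port must all match. This is the check
// that stops a page on attacker.example from reading the form fields of a
// framed https://www.amazon.com/ page or changing that form's action.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// May script running in the document at scriptUrl touch the DOM of the frame
// whose document is at frameUrl? Only when the two are same-origin.
function canScriptReachFrame(scriptUrl, frameUrl) {
  return sameOrigin(scriptUrl, frameUrl);
}

// Defence on the framed site: headers telling the browser which top-level
// origins, if any, may embed the response. allowedAncestors lists CSP
// host-sources such as "https://*.partner.example"; empty means "nobody".
function antiFramingHeaders(allowedAncestors = []) {
  const csp = allowedAncestors.length === 0
    ? "frame-ancestors 'none'"
    : `frame-ancestors 'self' ${allowedAncestors.join(' ')}`;
  return {
    'X-Frame-Options': allowedAncestors.length === 0 ? 'DENY' : 'SAMEORIGIN',
    'Content-Security-Policy': csp,
  };
}

// Evaluate a frame-ancestors directive the way a browser does when deciding
// whether the response at responseUrl may render inside a frame whose
// top-level document is at topUrl. Handles 'none', 'self' and host-sources
// with a leading wildcard label; other source forms are out of scope here.
function framingAllowed(csp, responseUrl, topUrl) {
  const m = /frame-ancestors\s+([^;]+)/.exec(csp);
  if (!m) return true;               // no directive: CSP does not restrict framing
  const sources = m[1].trim().split(/\s+/);
  const top = new URL(topUrl);
  const topOrigin = `${top.protocol}//${top.host}`;
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return sameOrigin(responseUrl, topUrl);
    // Escape regex metacharacters except '*', then let '*' match one or more labels.
    const pattern = src.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '[^/]+');
    return new RegExp(`^${pattern}$`).test(topOrigin);
  });
}

module.exports = { sameOrigin, canScriptReachFrame, antiFramingHeaders, framingAllowed };
```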

