6

Exploiting the DVWA's stored XSS option, I'm using the following payload: <iframe src="url">.

I'd like to know why some sites work but others don't when using this payload.

For example: <iframe src="http://usatoday.com"> works, however <iframe src="http://google.com"> does not work (it shows an empty box). This site doesn't work either.

NULLZ
The Illusive Man
  • There are many ways to protect you from being framed. I doubt that google uses only one of them.... https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet – inf3rno Aug 11 '18 at 03:32

2 Answers

10

Websites commonly use iframe breakers written in JavaScript or the X-Frame-Options header to prevent being iframed.

In the case of google.com, the latter is the case:

fabian ~% curl -I www.google.com | grep Frame
X-Frame-Options: SAMEORIGIN
7

This can be controlled with the following HTTP header:

Header set X-Frame-Options 

It has the following options:

  • DENY: Stops all framing
  • SAMEORIGIN: Stops framing except for the same website that delivered the page itself. (Allowing http://www.example.com/ to frame pages served from http://www.example.com/ with X-Frame-Options set to this value)

If we look at google:

root@bt:~# telnet google.com 80
Trying 173.194.34.192...
Connected to google.com.
Escape character is '^]'.
GET / HTTP/1.1

HTTP/1.1 302 Found
Location: http://www.google.es/
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=33213a21c9470cd8:FF=0:TM=1372280788:LM=1372280788:S=uhe-vKiypMTkoLNP; expires=Fri, 26-Jun-2015 21:06:28 GMT; path=/; domain=.google.com
Set-Cookie: NID=67=pl37RO9ptszDuKjsU8ysb4W3bkos7KK0u28rPbWdM-hJsNo_gS_XFd1dtWSHM7zAeDjITumqHWIw6P836EqfGSZk51m7nioFM6SrQHZzVVEHgDjXL1CpTmGRrdjP4d_L; expires=Thu, 26-Dec-2013 21:06:28 GMT; path=/; domain=.google.com; HttpOnly
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Date: Wed, 26 Jun 2013 21:06:28 GMT
Server: gws
Content-Length: 218
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN   <----

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.es/">here</A>.
</BODY></HTML>

We can see that X-Frame-Options has been set to SAMEORIGIN. This is preventing you from iframing the website.

Lucas Kauffman
  • Yup, correct. Here you can find some more examples and explanation: https://steemit.com/security/@gaottantacinque/steemit-security-check-iframe-tricks – Gabe Jun 16 '18 at 06:20
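Both answers explain the decision in words; the following Python script, added here as an example and not code from the question or either answer, makes the same decision programmatically: it parses a raw HTTP response of the shape shown in the telnet session above (the sample below is constructed, with the cookie values replaced by placeholders) and reports whether a browser would render the page inside a frame on another site. It evaluates X-Frame-Options as the answers describe (DENY, SAMEORIGIN, conflicting values falling back to DENY as Chromium does, obsolete ALLOW-FROM and unknown values ignored) and also the Content-Security-Policy frame-ancestors directive, which browsers consult before X-Frame-Options. The origins http://dvwa.local, a.test and example.com used in the checks are assumed placeholder names.

```python
"""Decide whether a page may be framed, from its HTTP response headers.

Added example: implements the X-Frame-Options semantics described in the
answers plus the CSP frame-ancestors directive, which takes precedence.
"""
from urllib.parse import urlsplit

# Constructed sample: the shape of the google.com response quoted above,
# with the cookie values replaced by placeholders.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.google.es/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: PREF=<placeholder>; path=/; domain=.google.com\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<HTML>...</HTML>\r\n"
)


def parse_headers(raw):
    """Split a raw HTTP response into {lower-cased name: [values]}; the body is ignored."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def origin_of(url):
    """scheme://host[:port], lower-cased, which is what SAMEORIGIN and 'self' compare."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def _host_source_matches(source, framer_url):
    """Match one CSP host-source: scheme optional, leading '*.' wildcard, port literal."""
    framer = urlsplit(framer_url)
    src = source.lower()
    if "://" in src:
        scheme, _, host = src.partition("://")
        if scheme != framer.scheme.lower():
            return False
    else:
        host = src
    host = host.rstrip("/")
    framer_host = framer.netloc.lower()
    if host.startswith("*."):
        return framer_host.endswith(host[1:])  # '*.example.com' -> '.example.com'
    return framer_host == host


def frame_ancestors_allows(csp_value, page_url, framer_url):
    """True/False for a frame-ancestors directive in one CSP header, None if absent."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if not tokens or tokens[0].lower() != "frame-ancestors":
            continue
        sources = [t.lower() for t in tokens[1:]]
        if not sources or sources == ["'none'"]:  # empty list means 'none'
            return False
        for s in sources:
            if s == "*":
                return True
            if s == "'self'" and origin_of(page_url) == origin_of(framer_url):
                return True
            if s not in ("'self'", "'none'") and _host_source_matches(s, framer_url):
                return True
        return False
    return None


def framing_allowed(headers, page_url, framer_url):
    """Return (allowed, reason) for rendering page_url inside a frame on framer_url."""
    verdicts = []
    for csp in headers.get("content-security-policy", []):
        verdict = frame_ancestors_allows(csp, page_url, framer_url)
        if verdict is not None:
            verdicts.append(verdict)
    if verdicts:  # frame-ancestors present: X-Frame-Options is not consulted
        return all(verdicts), "Content-Security-Policy frame-ancestors"
    values = []
    for raw in headers.get("x-frame-options", []):
        values.extend(v.strip().upper() for v in raw.split(",") if v.strip())
    if not values:
        return True, "no X-Frame-Options or frame-ancestors header"
    if len(set(values)) > 1:
        return False, "conflicting X-Frame-Options values (Chromium falls back to DENY)"
    value = values[0]
    if value == "DENY":
        return False, "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(framer_url), "X-Frame-Options: SAMEORIGIN"
    if value.startswith("ALLOW-FROM"):
        return True, "X-Frame-Options: ALLOW-FROM is obsolete and ignored by current browsers"
    return True, f"unrecognized X-Frame-Options value {value!r} is ignored"


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_RESPONSE)
    for framer in ("http://dvwa.local/", "http://www.google.com/"):
        allowed, why = framing_allowed(hdrs, "http://www.google.com/", framer)
        print(f"frame from {framer}: {'allowed' if allowed else 'blocked'} ({why})")
```

Running it against the constructed sample reports that a frame from http://dvwa.local is blocked while one from http://www.google.com is allowed, which is exactly the empty box the question describes. Pointing `parse_headers` at the output of `curl -i` for a site that sends no such header returns "allowed", matching the usatoday.com observation at the time of the question.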