Framing without iframes | PortSwigger Research

by Prapattimynk, Thursday, 7 September 2023 (9 months ago)
Framing without iframes | PortSwigger Research

Illustration of UI windows showing the code in the article

Whilst testing for XSS vectors, we found some new ways of framing a web site that don’t use the iframe element. Naturally, we’ve updated our XSS cheat sheet to document them. We discovered that Chrome allows you to use param tags to change the URL of an object tag much like an iframe:

In addition Chrome & webkit allow you to use the “code” attribute in an embed tag to reference an external URL:

We tried exploiting these features for XSS but unfortunately JavaScript URLs don’t work and although URLs with a data: protocol work they all execute from a null origin making them useless for XSS. Still, new ways of framing are always useful to chain other attacks or maybe even bypass CSP.

Firefox and tabindex

In other XSS news it was reported to us that Firefox now exhibits the same behaviour as Chrome when it comes to the tabindex attributes. This makes events such as onfocus fire automatically on Firefox, when previously they didn’t. Hurray for attack surface expansion! The cheat sheet has now been updated to reflect this change.

Search interface

Finally, we had a request for a search interface for the XSS cheat sheet, this would make it easier to find vectors when a WAF is filtering certain attributes or tags. So we’ve added one that allows you to search tags, events, and the code, using regular expressions.

Back to all articles


Your email address will not be published. Required fields are marked *

Ads Blocker Image Powered by Code Help Pro

AdBlocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.