DOM based XSS with iframe object and javascript url scheme
by littlelailo
Quick Demo
For a quick demo, klick here
To the victimsite
How it works
- Create an iframe and add it to the DOM
- Navigate to the site, where you want to run a script by changing the src attribute
- Wait until the site is loaded
- Change the src attribut to javascript: + your script. E.g. javascript:alert(document.title)
Why it sometimes won't work/What can website hoster do against it?
- Your internet is to slow (because the src attribute changes after 1 second)
- The website which get loaded into the iframe has an active frame buster
- The x-frame-options header is set to e.g. SAMEORIGIN
Which browsers are vulnerable
| Browser (OS) |
works |
| Chrome |
no |
| Opera |
no |
| Safari |
yes |
| Edge |
yes |
| Firefox |
yes |