
Here is the test page. I have a page with an iFrame that contains another HTML page on my site.

<html>
    <head>
        <title>Clickjack test page</title>
    </head>
    <body>
        <p>Website is not vulnerable to clickjacking.</p>
        <iframe src="../page1" width="500" height="500" id="iframe"></iframe>
    </body>
</html>

Here is the script I have on page1.html

<script type="text/javascript">
    console.log(window.location != window.parent.location);

    if (window.location != window.parent.location) {
        console.log("iFrame Detected");
        window.location.replace("redirectMessage.html");
        window.location.href = "redirectMessage.html";
        console.log("after redirect");
    } else {
        // no iframe
    }
</script>

Goal: when I go to ClickJack Test Page, detect an iframe and redirect the page within the iFrame to redirectMessage.html

I am getting "iFrame Detected" and "after redirect" in the console.

So I know my IF statement is being reached.
But the page within the iFrame is not redirected.

Hille
user8507628
  • That is what I am trying to do, but NOTHING is changed; the page within the iframe isn't even being redirected (clarification: what I am trying to do is redirect within the iframe). – user8507628 Jan 02 '18 at 15:05
  • Where is the script loaded - in the iframe or on the page that holds the iframe? Also, are you checking if your page is in an iframe, as your if statement seems to be wrong? – Pete Jan 02 '18 at 15:10
  • the script is loaded on page1.html, which is the page within the iFrame – user8507628 Jan 02 '18 at 15:18
  • And I thought my if statement WAS checking correctly, because I return true in the console on my iframe page but not on other pages; am I wrong? Thanks. – user8507628 Jan 02 '18 at 15:18
  • Ok then your test is wrong (it will also return true if the page has no parent), try this: https://stackoverflow.com/questions/326069/how-to-identify-if-a-webpage-is-being-loaded-inside-an-iframe-or-directly-into-t – Pete Jan 02 '18 at 15:19
  • So I changed the if condition; it returns true, I get the console outputs, still no redirect :( – user8507628 Jan 02 '18 at 15:25
  • Why not just make it so your site cannot be served in iframes if you are worried about clickjacking? But you may need to change the src of the iframe to redirect it - so you would need to do something like `top.getElementById('iframe-id').src = 'redirectMessage.html';` – Pete Jan 02 '18 at 15:29
  • Or just break out of the iframes. `if (top.location.href !== window.location.href) top.location.href = window.location.href;` – Taplar Jan 02 '18 at 15:45

1 Answer


You should not try to figure out whether your page is being loaded inside an iframe, since the attacker could simply use the sandbox attribute on the iframe; that would stop your script, making your (login) page vulnerable to clickjacking.

Instead, the backend of your website should return an X-Frame-Options header set to DENY in order to block browsers from rendering your website in iframes.

See here for more details: https://steemit.com/security/@gaottantacinque/steemit-security-check-iframe-tricks

Gabe