I need to bypass or bust a frame buster, but I don't have a server that returns 204. The best solution that works (partially so far) is the one in https://crypto.stanford.edu/~dabo/pubs/papers/framebust.pdf on page 4 section C, onBeforeUnload – 204 Flushing.

It is discussed here (Frame buster buster) and here (Frame Buster Buster ... buster code needed), and the code is reproduced below:

<script type="text/javascript">
    var prevent_bust = 0  
    window.onbeforeunload = function() { prevent_bust++ }  
    setInterval(function() {  
      if (prevent_bust > 0) {  
        prevent_bust -= 2  
        window.top.location = 'http://example.org/page-which-responds-with-204'  
      }  
    }, 1)  
</script>

My problem is, I don't have a server that returns an HTTP status code 204 (and I cannot set one up). How do I get around this?

max_max_mir
  • Politely ask the owner of the site in question to allow you to display their website in an ` – Obsidian Age Feb 05 '18 at 01:53
  • It may help to understand about frame busting restrictions https://owasp.org/www-pdf-archive//OWASP_AppSec_Research_2010_Busting_Frame_Busting_by_Rydstedt.pdf – Steven Oct 30 '21 at 17:31
  • This document was fairly informative https://crypto.stanford.edu/~dabo/pubs/papers/framebust.pdf – Steven Oct 30 '21 at 17:33

1 Answer

Since you can't set up your own server, you don't have many options aside from using a third party server. The obvious downside is that it's not under your control, so you can't control its availability.

A server whose purpose is to return various HTTP status codes will potentially be more reliable (as opposed to finding something random). You could use httpstat.us. The main page lists all the status codes and options it supports. The following will return HTTP 204: httpstat.us/204.

Rob Cutmore
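
For site owners reading this thread: the snippet in the question only works against frame busters written in JavaScript, while framing rules sent as response headers are enforced by the browser and are not affected by script in the framing page. The following is an added example, not code from the question or the answer, that reports which kind of protection a response carries; the function names and the sample responses are constructed for illustration.

```javascript
// Added example: classify a response's anti-framing protection from its headers.
// Header names are real; function names and sample responses are constructed.

// Return the frame-ancestors source list from one CSP policy string, or null.
function frameAncestors(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// headers: object mapping header name -> value (string, or array for repeated headers).
function framingProtection(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = [].concat(v);

  // Repeated CSP headers and comma-joined policies are all enforced by the browser,
  // so any single policy that carries frame-ancestors counts.
  const policies = (h['content-security-policy'] || []).flatMap(v => v.split(','));
  for (const p of policies) {
    const src = frameAncestors(p);
    if (src) return { enforcedBy: 'csp', value: src.join(' ') };
  }

  // X-Frame-Options: only DENY and SAMEORIGIN are honoured by current browsers;
  // ALLOW-FROM is obsolete and ignored, so it is reported as no protection.
  const xfo = (h['x-frame-options'] || []).map(v => v.trim().toUpperCase());
  const valid = xfo.filter(v => v === 'DENY' || v === 'SAMEORIGIN');
  if (valid.length) return { enforcedBy: 'x-frame-options', value: valid[0] };

  // No header-level rule: any protection left is a script frame buster,
  // which is the kind the onbeforeunload / 204 technique defeats.
  return { enforcedBy: 'none', value: xfo[0] || null };
}

// Constructed sample responses.
const samples = {
  scriptOnly: { 'Content-Type': 'text/html' },
  legacy: { 'X-Frame-Options': 'sameorigin' },
  obsolete: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  csp: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://partner.example" },
};
for (const [name, hdrs] of Object.entries(samples)) {
  console.log(name, framingProtection(hdrs));
}
```

A result of `none` means the page can still be framed once its script-based buster is neutralised, so that is the case to fix on the server side.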