
I've been trying to break this up for a few hours now but with no success... I am pretty desperate now :(

I am doing penetration testing for a company and I need to bypass this frame killer JS:

<script type="text/javascript">/* <![CDATA[ */
// Only act when the page is framed (top is a different window than this one).
if (top != self) {
    try {
        // Refuse to be framed more than one level deep.
        if (parent != top) {
            throw 1;
        }
        // Deny-list of domains that must not frame this page.
        var disallowed = ['XXXXXXX.com'];
        // Reading top.location.href throws when top is a different origin,
        // which also lands in the catch block below.
        var href = top.location.href.toLowerCase();
        for (var i = 0; i < disallowed.length; i++) {
            if (href.indexOf(disallowed[i]) >= 0) {
                throw 1;
            }
        }
    } catch (e) {
        // Framing detected: empty <head> and replace the body with a link
        // that navigates the top window to this page.
        try {
            window.document.getElementsByTagName('head')[0].innerHTML = '';
        } catch (e) { /* IE: innerHTML of <head> is read-only, so rebuild it */
            var htmlEl = document.getElementsByTagName('html')[0];
            htmlEl.removeChild(document.getElementsByTagName('head')[0]);
            var el = document.createElement('head');
            htmlEl.appendChild(el);
        }
        window.document.body.innerHTML = '<a href="#" onclick="top.location.href=window.location.href" style="text-decoration:none;"><img src="http://www.XXXXXXX.com/img/XXXXXX.gif" style="border:0px;" /><br />Go to XXXXXXX.com</a>';
    }
}

/* ]]> */</script>

Thank you very much!

Asked by Gavriel Dorino, edited by Pointy
  • Bro, you need to indent that code. I can't read that. – Roderick Obrist Feb 19 '12 at 13:38
  • Oh, sorry... I thought it would auto-indent. I see now that Pointy did it for me. Thank you! – Gavriel Dorino Feb 19 '12 at 13:48
  • 1
    They use a disallowed list and not an allowed list? That doesn't seem very secure. (Do you have permission to be posting this? A penetration test doesn't usually include sharing the code on the net) – Jeanne Boyarsky Mar 04 '12 at 15:06
  • I have changed the code a little and deleted their names. anyway, similar code is published on the internet as a solution for ClickJacking, they just modified it a little. So there is nothing secret here. – Gavriel Dorino Mar 06 '12 at 08:07
  • The [sandbox](http://stackoverflow.com/questions/369498) and [security](http://stackoverflow.com/questions/10717126/) attributes can prevent this. – Paul Sweatte Dec 29 '12 at 01:26

1 Answer

Use one of the following:

If the body element's node document's browsing context is a nested browsing context, and the browsing context container of that nested browsing context is a frame or iframe element, then the container frame element of the body element is that frame or iframe element. Otherwise, there is no container frame element.

The above requirements imply that a page can change the margins of another page (including one from another origin) using, for example, an iframe. This is potentially a security risk, as it might in some cases allow an attack to contrive a situation in which a page is rendered not as the author intended, possibly for the purposes of phishing or otherwise misleading the user.

References

Answered by Paul Sweatte
  • Of the above, X-Frame-Options is well accepted as a defense against clickjacking attempts. Please check the limitations of this option at https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet. Almost all current versions of the browsers support this option. This is your best option. – R V Marti Feb 09 '14 at 06:54