Framing without iframes

Gareth Heyes

Researcher

@garethheyes

• Published: 27 July 2022 at 14:57 UTC

• Updated: 27 July 2022 at 14:57 UTC

Whilst testing for XSS vectors, we found some new ways of framing a web site that don't use the iframe element. Naturally, we've updated our XSS cheat sheet to document them. We discovered that Chrome allows you to use param tags to change the URL of an object tag much like an iframe:

In addition Chrome & webkit allow you to use the "code" attribute in an embed tag to reference an external URL:

We tried exploiting these features for XSS but unfortunately JavaScript URLs don't work and although URLs with a data: protocol work they all execute from a null origin making them useless for XSS. Still, new ways of framing are always useful to chain other attacks or maybe even bypass CSP.

Firefox and tabindex

In other XSS news it was reported to us that Firefox now exhibits the same behaviour as Chrome when it comes to the tabindex attributes. This makes events such as onfocus fire automatically on Firefox, when previously they didn't. Hurray for attack surface expansion! The cheat sheet has now been updated to reflect this change.

Search interface

Finally, we had a request for a search interface for the XSS cheat sheet, this would make it easier to find vectors when a WAF is filtering certain attributes or tags. So we've added one that allows you to search tags, events, and the code, using regular expressions.

Back to all articles