How can I disable someone from loading a page in an iframe and using javascript to submit?

https://stackoverflow.com/questions/22265326

html
JavaScript
iframe
exploit

11-06-2023
|

Frage

Title says it all.

Imagine this:

<!DOCTYPE html>
<html>
<head>
</head>
<body>
<iframe style="display:none" name="xxx"></iframe>
<form method='POST' action='http://MYPAGE.com/account/' target="xxx" id="xxx">
  <input type='hidden' name='xxxxxxx' value='yyyyyyyy'>
  <input type='submit' value='submit'>
</form>
<script>document.getElementById("xxx").submit()</script>
</body>

How can I disable an attack like that?

Lösung

Use the X-Frame-Options and set it to DENY or SAMEORIGIN. DENY will completely deny anybody from framing the page in an iframe and SAMEORIGIN will only allow the same origin to display the page in an iframe. See https://coderwall.com/p/kdv1hw for more information.

Lizenziert unter: CC-BY-SA mit Zuschreibung

Nicht verbunden mit StackOverflow