Description: As we all know that the iFrame and Script are the HTML tags. But Now a days hackers are using iFrame and its internal attributes like Height Width and Frameborder more. Typically iFrame allows a developer to embed the content of one page to the another page. Calling one page's content to other page and showing there. Means A developer can call multiple page's content to show all in one page.
But the cyber criminals has found the exploit this functionality in order to run their malicious code to the client side.Hackers are using more iFrames as well as the Script command to execute javascripts as well as other malicious scripts to the client side through their websites. This type of attack is also called as Drive-By Attack. This type of attack is allowing hackers to run their code invisibly as well as silently.
Know More about iFrame for HTML5 - http://www.w3schools.com/html5/tag_iframe.asp
Tags: iframe , iframe injection , remote code execution , drive by attack , iFrame malicious attack , iFrame tutorial ,
Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.
hi handsome devil,
if the hacker can change the code of the index file to include iframe to include some other page which runs a script, why dont he (hacker) directly call the script in the index page itself, that will at least save a little bit of time for him .
And that will also be easy for him, i guess, secondly he can try putting the script tag on pages where there are weaknesses in security for user comments, which you also call XSS ...... :)
Anyways nice try but can be better ......
hacker is nt hacking the code of index file..he is creating a website and a webpage which is having an iFrame...and submitting to the client side...
And thank you for your comments i really appreciate..and i assure i will try my best next time.. :) thank you once again.
my point is , if the website is say http://www.securitytube.net, then i or you will not be able to insert the iframe from the method you explained above , right? For that we will need to get the code, and hence if we can change the code, why would some1 will include an iframe to include a page and then run a script in that page, rather he will choose to run script directly to the index page.
So in that way , its not at all iframe injection.
i think u r nt understanding it..i m telling this is nt to hack the website.. if securitytube is there then we are nt hacking into that..
we are creating a website securitytube.net in that we will keep iframe so if users comes..code will be executed his or her computer..though if u dnt get understand...i m sorry dude..cant explain...