CSRF in an iframe

Posted on: Fri, 2008-09-26 09:07

dmt

CS Club Webmaster and all-around nice guy

Joined: 2007-10-04

Offline

CSRF in an iframe

Also known as "Clickjacking" or "User-interface redress." You can use an iframe to initiate cross-site request forgery easier. Make an iframe pointing to the target website (like amazon or your bank), use a stylesheet to hide most of it behind your own content so users only see the target link you want them to click on, and design your site so it looks like the link in the iFrame is part of your site. You can add some DOM scripting to change the link's appearance so it doesn't even look like the other site.

This is a bug in the Web, not any particular implementation. We can blame Microsoft because iframes were their idea. More links:

Post new comment

Events

Upcoming events

Spring 2009 - Class Schedule Posted(Event)(1 day)
Thankgiving Potluck(Event)(2 days)
Alice Virtual Challenge - Last day to register(Event)(4 days)
Spring 2009 - Registration(Event)(11 days)
Alice Virtual Challenge - Submission Deadline(Event)(11 days)
CS Colloquium - Student Research Reports (Event)(14 days)
Movie Night(Event)(15 days)
CS Department End Of Semester Celebration(Event)(21 days)

Poll

What is your OS of choice?

Windows (any)

100%

OS X

Linux - RPM-based

Linux - Ubuntu

Linux - Other Debian-based

Linux - Other

FreeBSD / PCBSD

Syllable / AtheOS

Haiku / BeOS

Other Unix-like

TRSDOS

Other (please comment)

Total votes: 1

SSU Computer Science Club

Navigation

User login

Recent blog posts

New forum topics

CSRF in an iframe

Post new comment

Events

Upcoming events

Poll