Frame Source Injection


Overview

Frame Source Injection may occur when the src attribute of a frame or iframe is determined by a parameter sent by the client. In this case the client can send an unintended URI, which may then be displayed in the frame.


Discovery Methodology

Inject canaries into each available parameter and cookie. Observe if any canary is found in the src attribute of a frame.

Exploitation

Inject a URI into the parameter found. Prefix and/or suffix the injections to generate correct syntax. For example, inject http://google.com into the SRC attribute of a frame element, then check whether the Google home page is displayed in the frame.
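
The pattern described above next to a hardened form, as an added example that is not code from the original page. The parameter name "page", the paths, the origin https://app.example and all function names are hypothetical; the hardened version treats the parameter as a lookup key only and adds a Content-Security-Policy frame-src restriction.

```javascript
// Added example: every name here (ALLOWED_FRAMES, renderFrame*, "page") is hypothetical.
const ALLOWED_FRAMES = new Map([
  ["help", "/docs/help.html"],
  ["terms", "/docs/terms.html"],
]);
const DEFAULT_FRAME = "/docs/help.html";

// Escape characters that could break out of a quoted HTML attribute.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => (
    { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]
  ));
}

// Vulnerable pattern: the src attribute is taken directly from the request.
function renderFrameVulnerable(query) {
  const params = new URLSearchParams(query);
  return `<iframe src="${params.get("page")}"></iframe>`;
}

// Hardened: the parameter only selects an entry; the URI never comes from the client.
function renderFrameHardened(query) {
  const key = new URLSearchParams(query).get("page");
  const src = ALLOWED_FRAMES.get(key) ?? DEFAULT_FRAME;
  return {
    html: `<iframe src="${escapeAttr(src)}"></iframe>`,
    // Defence in depth: the browser refuses frame sources outside this origin.
    headers: { "Content-Security-Policy": "frame-src 'self'" },
  };
}

// Review helper: does rendered markup contain a frame whose src leaves the site?
function hasExternalFrame(html, siteOrigin) {
  const re = /<i?frame\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  for (const m of html.matchAll(re)) {
    let target;
    try { target = new URL(m[1], siteOrigin); } catch { return true; }
    if (target.origin !== siteOrigin) return true;
  }
  return false;
}
```

Running hasExternalFrame over rendered responses in a regression test catches a reintroduced client-controlled src before release.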

Videos


What is Content Security Policy? - Part 1
What is Content Security Policy? - Part 2
What is Content Security Policy? - Part 3
What is Content Security Policy? - Part 4
What is Content Security Policy? - Part 5
Content Security Policy: Script Source (script-src)
Content Security Policy: Frame Ancestors
How to Set HTTP Headers Using Apache Server
Check HTTP Headers with cURL