Skip to content

Instantly share code, notes, and snippets.

@matthewpizza

matthewpizza/guidelines_for_iframe_busters.md

Last active August 29, 2015 13:56
Show Gist options
  • Save matthewpizza/3dcf48ffc2cb84b2ed52 to your computer and use it in GitHub Desktop.
Save matthewpizza/3dcf48ffc2cb84b2ed52 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
guidelines_for_iframe_busters.md

Guidelines for iFrame Busters

The following are common XSS vulnerabilities found in iFrame busters.

  1. Unescaped URL parameter values
  2. Parameters that accept any domain

Unescaped URL parameter values

Special characters should be removed or converted into their equivalent HTML/hex entity. The characters in the following table can be used to write malicious code on the page.

example.com/iframebuster.html?parameter="></script><script>alert('XSS')</script>

Character HTML Entity
& &amp;
< &lt;
> &gt;
" &quot;
' &#x27;
/ &#x2F;

Parameters that accept any domain

When passing a domain as a parameter to write a script tag onto the page, it should be restricted to an approved domain(s).

example.com/iframebuster.html?server=evildomain.com

Examples of Safe iFrame Busters

XSS Attack Prevention Guidelines

Further guidelines can be found at ha.ckers.org/xss.html, which covers the above rules as well as many others.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment