Using Random Names Against Browser Frame Injection Vulnerability

As you can see through this Secunia Multiple Browsers Frame Injection Vulnerability test page, and as was recently reintroduced into Firefox, other websites can easily inject their own page into a frame belonging to another website. How does it work? The link target is simply set to the name of the victim's frame.

One possible quick protection against frame injection uses random frame names. If the name is random, another site can't target the frame. For dynamic content pages, the random frame name can be saved as a session attribute and injected on the fly into outgoing pages. For static content pages, JavaScript code can be used along with a session cookie to set frame contents from the client side.
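The dynamic-page case described above, as an added example that is not code from the original post: a Node.js sketch that keeps one random frame name per session and injects it into both the frameset and the links that target it. The in-memory session store, the function names and the URLs are assumptions made for illustration.

```javascript
// Added example: per-session random frame names (Node.js, server side).
const { randomBytes } = require('crypto');

// Hypothetical in-memory session store: session id -> { frameName }.
const sessions = new Map();

// Return the session's frame name, creating a 128-bit random one on first use.
// The "f" prefix keeps the name from starting with "_", which browsers
// reserve for keywords such as _blank and _top.
function frameNameFor(sessionId) {
  let s = sessions.get(sessionId);
  if (!s) {
    s = { frameName: 'f' + randomBytes(16).toString('hex') };
    sessions.set(sessionId, s);
  }
  return s.frameName;
}

// Escape a value for use inside a double-quoted HTML attribute or as text.
function attr(v) {
  return String(v).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
                  .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Render the frameset page with the session's frame name injected on the fly.
function renderFrameset(sessionId, menuUrl, contentUrl) {
  const name = attr(frameNameFor(sessionId));
  return [
    '<frameset cols="20%,80%">',
    `  <frame src="${attr(menuUrl)}">`,
    `  <frame name="${name}" src="${attr(contentUrl)}">`,
    '</frameset>',
  ].join('\n');
}

// Render a menu link that targets the same session-specific frame.
function renderMenuLink(sessionId, href, label) {
  const target = attr(frameNameFor(sessionId));
  return `<a href="${attr(href)}" target="${target}">${attr(label)}</a>`;
}
```

Every page of the site that links into the content frame has to be generated through the same lookup, since a hard-coded target no longer matches.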

Note that older unpatched versions of browsers that allow cross-domain script access to frame names are still vulnerable. I've checked that IE6 SP2 and Firefox 1.0.4 do not. Not sure about others though.

Caveat: I whipped this up after only a brief study of the vulnerability today so beware that it is offered only as-is.
