Module: iFrame Sniffer

Summary

Objective: Sniff data from other origins via iframes
Authors: Bart Leppens
Browsers: Safari, IE
Code

Internal Working

By using anchors (#) to request cross origin resources in an iframe, it can leak information based on the presence and absense of elements.

Content can't be directly read with this technique, but data can be inferred from web applications.

      if (typeof LeakyFrame === 'function') {
          new LeakyFrame(inputURL,
            function(frame){
              //check each anchor
              for (var anchor = 0; anchor < arrayOfAnchorsToCheck.length; anchor++){
                if (frame.checkID(arrayOfAnchorsToCheck[anchor])){
                  resultList.push('Exists');
                }
                else{
                  resultList.push('Does not exist');
                }
              }
              frame.remove();

References

https://www.contextis.com/en/blog/framesniffing-against-sharepoint-and-linkedin

(old link, maybe check it on archive.org): http://www.contextis.co.uk/research/blog/framesniffing/

Feedback

User Guide

I. Introduction | II. Basic Utilization | III. Advanced Utilization | IV. Development | V. References

Module: iFrame Sniffer

Summary

Internal Working

References

Feedback

User Guide

Community

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!