Iframe attacks seem to be taking hold on many vulnerable websites. The underlying problem is obviously the vulnerable applications, which we would all like to see fixed. However, not everyone is lucky enough to have either perfect applications or perfect countermeasures against these vulnerabilities. Enter output filtering. We’ve put together a special set of rules for anyone running Apache. This will filter out all your iframe attacks.

More info about IFrames:

IFrame (from Inline Frame) is an HTML element which makes it possible to embed an HTML document inside another HTML document.

The size of the IFrame can be specified in the surrounding HTML page, so that the surrounding page can already be presented in the browser while the IFrame is still being loaded. The IFrame behaves much like an inline image and the user can scroll it out of view. On the other hand, the IFrame can contain its own scroll bar, independent of the surrounding page’s scroll bar.

While regular frames are typically used to logically subdivide the content of one website, IFrames are more commonly used to insert content (for instance an advertisement) from another website into the current page.

The following is an example of an HTML document containing an IFrame:

====================================================
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The material below comes from the website IANA &mdash; Example domains
<iframe src="http://example.com" height="200">
Alternative text for browsers that do not understand IFrames.
</iframe>
====================================================

The embedded document can be changed without reloading the surrounding page, by using the “target” attribute of an HTML anchor or by employing JavaScript. This makes many interactive applications possible, and IFrames are therefore commonly used by Ajax applications. The main alternative to using an IFrame in these situations is editing a document’s DOM tree. Sometimes invisible IFrames are also used for asynchronous communication with the server, as an alternative to XMLHttpRequest.

More recently, Mozilla Firefox, Opera and Microsoft Internet Explorer introduced contentEditable and designMode, which enable users to edit the contents of the HTML contained in an IFrame. This feature has been used to develop rich text (WYSIWYG) editors within an IFrame element, like FCKeditor or TinyMCE. Popular web applications which make use of this feature include Google Docs & Spreadsheets (formerly Writely), JotSpot Live, and Windows Live Hotmail, to name a few.

First introduced by Microsoft Internet Explorer in 1997 and long only available in that browser, iframes eventually became supported by all major browsers.

Security Issues

IFrames have been implicated in many malicious code attacks, due to a series of common vulnerabilities. This was evident in many 2007 web-based threats, notably the so-called Italian Job of June 2007.[1] An IFrame can be planted on an unsuspecting legitimate website, leading the casual viewer into an infection threat. This may happen when a site is cracked, or more easily, when a site forwards results of local searches to global search engines. On such a site, the cracker only needs to perform a search that includes a malicious IFrame; a user who clicks the search result in the global search engine will be infected.
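To make the output-filtering idea from the introduction concrete against the planted IFrames described above, here is an added example (not the Apache rule set this post refers to, which is not reproduced on this page) that audits an outgoing HTML response body for IFrames that are off-site, zero-sized or hidden. The allowlist, host names and sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumption: hosts this site frames on purpose (hypothetical allowlist).
ALLOWED_FRAME_HOSTS = {"ads.example.net"}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _tiny(value):
    """True for width/height values such as 0, 1 or '0px'."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1

class IframeAuditor(HTMLParser):
    """Records each <iframe> start tag that looks planted, with the reasons."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []  # (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # html.parser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname  # None for relative URLs
        reasons = []
        if host and host != self.site_host and host not in ALLOWED_FRAME_HOSTS:
            reasons.append("off-site host " + host)
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero or 1px size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((src, reasons))

def audit_response(body, site_host):
    """Return the suspicious iframes in one outgoing HTML response body."""
    auditor = IframeAuditor(site_host)
    auditor.feed(body)
    auditor.close()
    return auditor.findings

SAMPLE = (  # constructed page: two legitimate frames, two planted ones
    '<iframe src="/widgets/news.html" width="300" height="200"></iframe>'
    '<iframe src="http://malicious.invalid/x" width="0" height="0"></iframe>'
    '<IFRAME SRC=//tracker.invalid/a style="visibility: hidden"></IFRAME>'
    '<iframe src="http://ads.example.net/banner" height="60"></iframe>'
)
```

Calling `audit_response(SAMPLE, "www.example.com")` returns the two planted frames with their reasons; a filter in front of the application could log, strip or block on a non-empty result.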