Frame Injection Fun

Although some people consider frame injection vulnerabilities to be the same as HTML injection/XSS, or a subset of it, they really are not the same. Here is why:

The best way to explain what I mean is to show an example. Most frame injection issues occur in web applications because dynamic frameset/iframe insertion is implemented without enough filtering. For instance, say that we have the following URL on the target site:

**targeturl**=/contact.php

A malicious user intending to launch a phishing attack will try tampering with the `targeturl` parameter. His goal is to insert a third-party page under his control rather than the original contact page. Indeed, although `index.php` does not allow HTML or JavaScript to be assigned to `targeturl`, it is happy to process an absolute URL rather than a relative one:

**targeturl**=
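The fix on the application side is to refuse anything for `targeturl` that is not a site-rooted path, ideally one from an allowlist of frameable pages. The following is an added example, not code from the original post or from the site described in it, written in Python rather than PHP; `FRAMEABLE_PAGES`, `DEFAULT_PAGE`, `is_safe_frame_target` and `frame_html` are assumed names.

```python
from urllib.parse import urlsplit
import html
import posixpath

# Constructed allowlist of the pages index.php is willing to frame.
FRAMEABLE_PAGES = {"/contact.php", "/about.php", "/faq.php"}
DEFAULT_PAGE = "/contact.php"


def is_safe_frame_target(value: str) -> bool:
    """True only for a site-rooted path on the allowlist, with no scheme or host."""
    if not value or len(value) > 2048:
        return False
    # Whitespace and control characters can hide a scheme ("java\tscript:")
    # or be stripped by browsers before parsing; refuse them outright.
    if any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return False
    # Some browsers treat a backslash like a slash, turning "/\host" into a
    # protocol-relative URL; refuse the character rather than reason about it.
    if "\\" in value:
        return False
    # Anything starting with "//" (or "///") resolves to another host.
    if value.startswith("//"):
        return False
    parts = urlsplit(value)
    # A scheme (http:, javascript:, data:) or a network location (//host)
    # means the frame would leave the site: exactly the bug described above.
    if parts.scheme or parts.netloc:
        return False
    if not parts.path.startswith("/"):
        return False
    # Collapse "/x/../contact.php" so the allowlist sees the real target.
    return posixpath.normpath(parts.path) in FRAMEABLE_PAGES


def frame_html(value: str) -> str:
    """Build the iframe tag, falling back to the default page on any rejected value."""
    target = value if is_safe_frame_target(value) else DEFAULT_PAGE
    # Escape the attribute so a stray quote cannot break out of src (HTMLi).
    return '<iframe src="%s"></iframe>' % html.escape(target, quote=True)
```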

I thought that showing a live example would help our readers get an idea of what frame injection looks like in action. For that purpose, I prepared a rather inelegant proof of concept which takes advantage of the Google Images service. What's neat is that although the legitimate URL would normally use the `` domain, Google also allows us to use other subdomains such as ``, which is used by Gmail. This is ideal, as we're trying to accomplish a frame injection attack which can be used to perform phishing attacks against Gmail users.

**imgrefurl**=
Frame Injection Fun POC

The previous PoC URL will cause the entered credentials to be submitted to when clicking on Sign in, so please do NOT submit any real credentials!

In short: the attacker has managed to display a non-legitimate third-party page while the legitimate domain ( in this case) is shown in the address bar. The beauty of frame injection attacks is that the attacker is able to impersonate a trusted entity without needing to bypass XSS/HTMLi filters or even break into the target server.

Needless to say, in real life the attacker would most likely automate the process of obtaining the harvested credentials by using a tool such as our x.php data-theft script.