I was wondering if there is any method of checking if a site will bust out of an iframe before my app puts it in an iframe.
Alternatively maybe someone knows of a database api that has this info.
Currently I'm using a beforeunload event to prevent a site from taking over the page the user is currently on.
Related
There is one thing I don't understand about the UI Redressing attack. Basically what I understand is:
1- The user clicks on a external URL
2- The attackers webpage opens. Inside this webpage, the original webpage is loaded as an iframe in a transparent manner.
3- As the user interacts with the attackers webpage he will actually be interacting with the transparent iframe.
Here is where I am confused. Why does the user even need to interact with the loaded webpage? Once the inner iframe is loaded you can have a javascript code to automate clicks on the page. Since this is all happening on the victims browser the target site will receive the victims session cookie and assume everythings fine.
Am I missing something here? Thanks in advance
Note: Please note this is a UI Redressing attack also known as click-jacking. This is different than phishing attacks.
The user wants to interact with the loaded webpage, because the user is not aware they are visiting a fake (inauthentic) page. I'm not 100% certain about the javascript, but I'm pretty sure the attacker wants to log the user's activity (e.g, keystrokes for a password).
I made a webpage which can provide some direct downloads. Therefore I only want real human, not crawler, to download my files. I tried to use Google reCAPTCHA but it is part of the webpage - visitors can still use the download links and doesn't have to worry about the reCAPTCHA at all. Is there a way to mandate visitors to pass the verification first? For example, is it possible to pop up reCAPTCHA before the whole page is loaded? If that's doable, how can I do it? Thanks!
What I can recommend here is the captcha form be on the current page that you have and create a new page with the download links that's not indexable.
Upon authorizing the captcha code, use header('Location: download.php'); or something similar to redirect the user.
A captcha before loading a webpage is possible, but it always uses client side code such as javascript which bots can easily bypass.
I have the next task - I have a page where we have some interaction logic:
After a user clicks a button, my script redirects the user to another site where it must be populate 2 textfields then click button, after redirect to new page it must click on another button.
My project is based on ASP.NET MVC4.
My questions are:
May I do all of this?
If yes, how can I redirect to another page and run my script
P.S.: Second web site isn't my site and everything I know is id of buttons where I need to click.
Elaborating on my comment
You cannot do this in a normal browser. You could write a bookmarklet or two that would navigate and click but there is no script you can write in a web page that will do what you want for security reasons. A long time ago, it was possible in IE to load a banking site into an iFrame and script and monitor user interaction to steal credentials. This has been blocked.
If you save an HTML page with the extension HTA, it can be loaded from harddisk in windows and will have relaxed security so you could load the other site into an iFrame and script the interaction. This is likely not what you want.
The last method is to use for example CURL to get the foreign page, insert stuff and submit the form to the foreign site and return the result. This is not recommended either.
So the question to you is: Why do you need this and are there other ways to do what you want
1) location.href = "http://another.page.com"
2) impossible for security purposes
With media players on site we use the History API and XHR to allow navigation through the site without causing page refreshes (i.e. causing the media to stop).
This works nicely until the following scenarios:
A. The user changes the URL in the address bar.
B. The user selects a bookmarked page.
C. The user clicks on a Facebook widget that requests another page.
Is there a way to intercept the changed URL and handle it without causing a page refresh, of course we are talking about URLs to the same domain here.
Have there been changes to the window.onbeforeunload event that means we can cancel the leave and obtain the new URL without informing the user?
window.onbeforeunload has not changed. And I think that what you are trying to do is not possible, since that would allow a malicious web page to prevent a user from ever leaving a page (unless he would close the browser/tab).
I'm using the Telerik RadWindow control in one of my applications. When a user wants to authorize Twitter for the application the window displays the OAuth dialog for Twitter.
However, each time I display the pop-up for Twitter OAuth, or even just the plain Twitter page, the entire browser is redirected.
The control works just fine when the URL is pointed at a site other than Twitter. I'd like to see if I can block that redirect, or if perhaps there's an easier way to accomplish the OAuth confirmation. Any advice on how to implement this functionality would be greatly appreciated.
Thanks in advance.
This behavior is probably caused by Twitter. In fact, it should happen on many other sites as well (Facebook and similar). To prevent malicious sites from stealing user passwords, the login page detects if it is displayed in an inline frame (IFRAME element, such as the one used in RadWindow) and if it is, the whole browser window is redirected. This way they can ensure that no rogue JavaScript will be running while the user enters their username and password.
Twitter has properly created their authorization page to prevent cross-site scripting attacks, which means you can't embed it in a frame, or javascript pop-up.
Unfortunately, the only other way to "authorize" is a full redirect, or with a pop-up window, assuming your users allow pop-up windows.
The problem with the pop-up is that you then need a way to "close" it when twitter redirects back to your application. It can be done, but it's a bit tricky to do and who knows if it'd work in multiple browsers. Best to just let your site do a full redirect for now.