Iframe security threats

Translated by juney mm, freebuf author

The security of Web applications is always an important issue because websites are the first target of malicious attackers. Hackers use websites to spread their malware, worms, spam, and others. OWASP summarizes the most dangerous security vulnerabilities in Web applications, but is still actively discovering new vulnerabilities and new web attack methods.
Hackers are always looking for new ways to trick users. Therefore, from the perspective of penetration testing, a network administrator needs to view every vulnerability and weakness that may be exploited to intrude into the system. Many automated tools and manual technologies are available to test common vulnerabilities, such as SQL injection, cross-site, security error configuration, and other vulnerabilities, however, we need to note the variants of these vulnerabilities. SQL injection is quite dangerous because attackers can access the database and steal the user and administrator information of the website. If attackers hijack a user information or redirect a visitor to a malicious site, the visitor's trust in the website will be compromised.
In this article, we will discuss iframe attacks in HTML code. iframe is a technology that can be used to embed some files (such as documents and videos) in HTML pages. The simplest explanation of iframe is that "iframe is a technology that allows other page content to be displayed on the current page ".
The security threats of iframe are also discussed as an important topic, because the use of iframe is common and is used by many well-known social websites. The iframe method is as follows:
Example 1:
<Iframesrc = "http: // www.2cto.com"> </iframe>
This example shows other sites on the current page.
Example 2:
<Iframesrc = 'HTTP: // www.2cto.com/'width = '000000' height = '000000' style = 'visibility: Den den; '> </iframe>


 
Iframe defines the width and height, but the frame visibility is hidden, so it cannot be displayed. Because these two attributes occupy an area, attackers generally do not use them.
Now, it can be completely hidden from the user's sight, but iframe can still run normally. Watch film:
 
The URL of the Infosec Institute site is used here. Attackers can insert other malicious URLs.
Obfuscation of iFrame injection attacks
Obfuscation of iframe injection is a dangerous and tricky attack, because it is hard to detect and difficult to detect malicious injection code on websites. Obfuscation is intended to hide interactions, making it difficult to discover injected code. This type of attack aims to trick users into redirecting to a third-party website and exploiting it. If you use iframe injection to control a website, you can easily find and locate the injected code. However, if you use a obfuscation iframe injection attack, it is difficult to find the injected code.
Let's look at an example. A website is under control and is redirected or displayed to sell some items on other web pages. Visitors trust your website and they often buy items here, then you need to clear your website frequently to prevent such attacks. A simple method is to retrieve possible iframe index pages and redirect code. Assume that you have reviewed it, but no third-party URLs are found. At present, there is no third-party URL to describe what? Some attackers may use the social engineering technology for web attacks. Suppose there is such a piece of code:
 
This code looks normal, but after decoding using java, it is as follows:


 
This looks like a legal code. Attackers use legitimate Code such as "GPL", "wp", and "Java" with caution, but there are actually problems. The Code seems to be in hexadecimal format. After decoding with a hexadecimal decoder, the Code is as follows:
 



The actual result is:
<Iframesrc = 'HTTP: // freebuf.com/'width = '1' height = '1' style = 'visibility: hidden; '> </iframe>
Now we can imagine why obfuscation of iframe injection attacks is hard to find.
How to clear Iframe injection code
The accident may be detected by anyone at any time. If your website has been hacked, they inject malicious iframe code into your website, please stay calm, you can take effective measures to protect the identity and confidential information of visitors. WordPress websites seem to be the most active targets of iframe injection attacks. Hackers generally redirect users to malicious sites or use cross-origin browser vulnerabilities to control victims. Therefore, this chapter will discuss how to take effective actions to defend against iframe injection attacks.
1. Close the website and display messages for routine maintenance. Closing the website immediately is a good action to prevent malware from spreading on the victim's computer.
2. Create a backup site (core files, databases, and all other folders ). Even if it is an infected site, backup is also necessary. If some error operations are performed during the cleaning process, they can be restored to the same situation before.
3. Make sure your computer is not infected with malware or viruses. If you are not sure whether your computer is infected, perform a security cleaning. This is a necessary step because malware may be able to record FTP creden.
4. modify all website-related passwords (FTP password, SSH password, Admin password, Cpanl or other host panel passwords, database passwords, and so on ).
5. If your website requires a clean backup, Use anti-virus software to scan it once. Then, upload it to your Web server and check the functions. If the problem persists, manually check the file to determine the injected code.
6. If there is no clean backup, manually find the injected code and delete it. In this article, we have analyzed two types of iframe injection (simple iframe injection and hidden iframe injection). If possible, according to the previous program, analyze possible injections (we recommend that you back up each change ).
7. Make sure the website no longer has injection code. We recommend that you find the root cause of the problem. You need to find out how attackers inject and prevent attacks in the future. The following are the most common causes:
Outdated CMS (Content Management System) software (ensure that all software and plug-ins are updated to the latest version)
Vulnerabilities in server software
FTP and other creden leaked
Application vulnerabilities (in Web application code)
8. The computer must have anti-virus software. Do not forget to scan your computer before the website establishes an FTP connection. It is not recommended to save the FTP and SSH passwords.