Skip to content

Commit

Permalink
init
Browse files Browse the repository at this point in the history
  • Loading branch information
@opyate
opyate committed Apr 6, 2016
0 parents commit fea914b
Show file tree
Hide file tree
Showing 47 changed files with 5,764 additions and 0 deletions.
248 changes: 248 additions & 0 deletions 2015/09/10/security-considerations-of-using-a-secure-iframe-on-an-insecure-page.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,248 @@
<!DOCTYPE html>
<html>

<head>
<meta charset="utf-8">
<meta name="globalsign-domain-verification" content="ymX0NUSgRv8E1Waz2FeiQ-x7GoJOGzKydkbWi9zINZ">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">

<title>Security considerations of using a secure IFRAME on an insecure page</title>
<meta name="description" content="In this essay I consider the information security implications around using a secure IFRAME (which, for example, hosts a payment or checkout page) on an inse...">

<link rel="stylesheet" href="/css/main.css">
<link rel="canonical" href="http://essays.uys.io/2015/09/10/security-considerations-of-using-a-secure-iframe-on-an-insecure-page.html">
<link rel="alternate" type="application/rss+xml" title="Unleash Your Server" href="http://essays.uys.io/feed.xml" />
<link rel="shortcut icon" type="image/x-icon" href="favicon.ico">
</head>


<body>

<header class="site-header">

<div class="wrapper">

<a class="site-title" href="/">
<img src="/assets/logo/logob.png" alt="The Unleash Your Server logo" title="Unleash Your Server" height="120">
</a>

<nav class="site-nav">
<div class="trigger">


<a class="page-link" href="/clients.html">Clients</a>



<a class="page-link" href="/feed.xml">RSS</a>



<a class="page-link" href="/archive/">Archive</a>



<a class="page-link" href="/"></a>



<a class="page-link" href="/css/main.css"></a>



<a class="page-link" href="/projects.html">Projects</a>




























</div>
</nav>

</div>

</header>


<div class="page-content">
<div class="wrapper">
<div class="post">

<header class="post-header">
<h1 class="post-title">Security considerations of using a secure IFRAME on an insecure page</h1>
<p class="post-meta">
2015-09-10

under

<a class="post-tag security" href="/tag/security">security</a>

<a class="post-tag web" href="/tag/web">web</a>


</p>
</header>

<article class="post-content">
<p>In this essay I consider the information security implications around using a secure IFRAME (which, for example, hosts a payment or checkout page) on an insecure container page.</p>

<p>Some definitions:</p>

<ul>
<li>a “secure IFRAME” is one where its <code>src</code> attribute points to a domain over HTTPS, and any forms within the IFRAME submits to an HTTPS domain</li>
<li>an “insecure container page” is a “container” because it hosts the IFRAME (the HTML code for the page will have an <code>&lt;IFRAME&gt;</code> tag somewhere within it), and “insecure” because it was loaded over HTTP, not HTTPS.</li>
</ul>

<h1 id="opinions-in-the-wild">Opinions in the wild</h1>

<p><strong>TL;DR Regardless of how secure the IFRAME is, the container site can be compromised and render said security moot.</strong></p>

<p>Start typing “secure iframe” in Google, and note the suggestions:</p>

<ul>
<li><a href="https://www.google.co.uk/search?q=secure+iframe+in+non+secure+page">secure iframe in non secure page</a></li>
<li><a href="https://www.google.co.uk/search?q=secure%20iframe%20on%20unsecure%20page">secure iframe on unsecure page</a></li>
</ul>

<p>The search results point to related questions asked on the <a href="http://security.stackexchange.com/">Information Security Stack Exchange Q&amp;A site</a>, and a few blog posts by security experts have been written on the topic.</p>

<p>A non-exhaustive list of examples:</p>

<ul>
<li><a href="http://security.stackexchange.com/questions/38317/specific-risks-of-embedding-an-https-iframe-in-an-http-page">http://security.stackexchange.com/questions/38317/specific-risks-of-embedding-an-https-iframe-in-an-http-page</a></li>
<li><a href="http://security.stackexchange.com/questions/894/are-there-security-issues-with-embedding-an-https-iframe-on-an-http-page">http://security.stackexchange.com/questions/894/are-there-security-issues-with-embedding-an-https-iframe-on-an-http-page</a></li>
<li><a href="http://www.troyhunt.com/2014/11/does-insecure-website-compromise.html">http://www.troyhunt.com/2014/11/does-insecure-website-compromise.html</a></li>
<li><a href="http://stackoverflow.com/questions/3144986/http-and-https-iframe">http://stackoverflow.com/questions/3144986/http-and-https-iframe</a></li>
</ul>

<h1 id="mitm-primer">MITM primer</h1>

<p>MITM attack is a “man in the middle” attack.</p>

<p>When you sit in a coffeeshop, log on to their free Wifi, and frequent your favourite online shopping fix, your requests to see products and pay for products go through many “hops” before it actually reaches the destination: your browser connects to the Wifi access point, which connects to the coffee shop’s ISP via one hop or many, which connects to a common exchange somewhere in Britain via one hops or many, which connects to an exchange somewhere in another country via one hops or many (and almost definitely via a long undersea cable), which connects to the shopping site’s web server in a datacentre somewhere (and all together now!) via one hops or many.</p>

<p>Any of these “hops” can be compromised, but the typical scenario is for the attacker to host their own version of “free Wifi” right from their laptop with a legitimate-sounding name like “FreeHub”.</p>

<p>At this point the attacker’s laptop is just one more “hop” you’re totally oblivious to when you connect to “FreeHub”, letting your surfing activity through uninterrupted.</p>

<p>However, since the attacker now have access to the data stream between you and the outside world, she can now see the data. The crucial differentiator here is HTTP VS HTTPS: if you access a site directly via HTTPS, the attacker will see unintelligeble garbage. This is A Good Thing. If you access a site via HTTP, the attacker sees everything in the clear. Even if the website subsequently redirects to HTTPS, there’s an opportunity here for the attacker to spoof a TLS certificate.</p>

<p>Since the attacker now has a clear stream of data to intercept, the attacker can also change what your web browser sees (not you, necessarily).</p>

<h1 id="example-of-a-diy-mitm-attack">Example of a DIY MITM attack</h1>

<p>I’ll explore one example of exploiting an IFRAME (secure or not!) from an insecure container page. I’ll take some shortcuts in the sense that I won’t set up a compromised Wifi access point, or run software which injects malicious code into intercepted web traffic.</p>

<p>Clone <a href="https://gist.github.com/opyate/5dd65f5529d9508cf78e">this gist</a>, or follow these steps:</p>

<p>Create this simple index file:</p>

<figure class="highlight"><pre><code class="language-html" data-lang="html"><span class="nt">&lt;p&gt;</span>IFRAME below<span class="nt">&lt;/p&gt;</span>
<span class="nt">&lt;iframe</span> <span class="na">id=</span><span class="s">&quot;frame1&quot;</span> <span class="na">src=</span><span class="s">&quot;http://localhost:8000/i-dont-matter.html&quot;</span><span class="nt">&gt;&lt;/iframe&gt;</span></code></pre></figure>

<p>Create this simple form which will be loaded by the IFRAME:</p>

<figure class="highlight"><pre><code class="language-html" data-lang="html"><span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">&quot;https://httpbin.org/post&quot;</span> <span class="na">method=</span><span class="s">&quot;POST&quot;</span><span class="nt">&gt;</span>
<span class="nt">&lt;input</span> <span class="na">name=</span><span class="s">&quot;secret&quot;</span> <span class="na">placeholder=</span><span class="s">&quot;Secret stuff here&quot;</span><span class="nt">&gt;</span>
<span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">&quot;submit&quot;</span><span class="nt">&gt;</span>
<span class="nt">&lt;/form&gt;</span></code></pre></figure>

<p>Host the code locally with Python:</p>

<pre><code>python -m SimpleHTTPServer
</code></pre>

<p>Go to <a href="http://localhost:8000">http://localhost:8000</a> in your browser, and submit the form. <a href="http://httpbin.org/">HTTPBin</a> will echo back the payload.</p>

<p>Now, reload the page, but open your browser’s dev tools, and paste the code from the hack into the JavaScript console:</p>

<figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">var</span> <span class="nx">contents</span> <span class="o">=</span> <span class="s1">&#39;&lt;form action=&quot;https://httpbin.org/post&quot; method=&quot;POST&quot;&gt;&#39;</span><span class="p">;</span>
<span class="nx">contents</span> <span class="o">+=</span> <span class="s1">&#39;&lt;input name=&quot;secret&quot; placeholder=&quot;Secret stuff here&quot;&gt;&#39;</span><span class="p">;</span>
<span class="nx">contents</span> <span class="o">+=</span> <span class="s1">&#39;&lt;input type=&quot;submit&quot; onclick=&quot;return hack()&quot;&gt;&#39;</span><span class="p">;</span>
<span class="nx">contents</span> <span class="o">+=</span> <span class="s1">&#39;&lt;script type=&quot;text/javascript&quot;&gt;&#39;</span><span class="p">;</span>
<span class="nx">contents</span> <span class="o">+=</span> <span class="s1">&#39;function hack() { alert(&quot;h4x0rz&quot;); }&#39;</span><span class="p">;</span>
<span class="nx">contents</span> <span class="o">+=</span> <span class="s1">&#39;&lt;/script&gt;&#39;</span><span class="p">;</span>
<span class="nx">contents</span> <span class="o">+=</span> <span class="s1">&#39;&lt;/form&gt;&#39;</span><span class="p">;</span>
<span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="s1">&#39;frame1&#39;</span><span class="p">).</span><span class="nx">src</span> <span class="o">=</span> <span class="s2">&quot;data:text/html;charset=utf-8,&quot;</span> <span class="o">+</span> <span class="nx">escape</span><span class="p">(</span><span class="nx">contents</span><span class="p">);</span></code></pre></figure>

<p>This is the MITM attack. This is what the attacker could do with the “in-the-clear data stream” we discussed before. The attacker simply matched on a known token (like the form submit button) and injected custom code with which to do evil.</p>

<p>Submit the form, and see the side effect.</p>

<p>Note that the IFRAME’s contents have been entirely modified. It was even made to look like the original content. The fact that the IFRAME’s <code>src</code> attribute previously loaded a secure site DOES NOT MATTER.</p>

<p>Consider yourself alerted.</p>

<h1 id="what-evil-side-effects-are-there">What evil side effects are there?</h1>

<p>OK, so the JavaScript <code>alert</code> you just saw is just for show, but consider this:</p>

<ul>
<li>the attacker sends the sensitive data you just submitted off to their own domain to be harvested à la <a href="http://www.fastcompany.com/1715575/tunisian-government-allegedly-hacking-facebook-gmail-accounts-dissidents-and-journalists">Tunisia</a></li>
<li>the attacker changes the delivery address for the expensive item you just bought to the unused address down their street</li>
</ul>

<h1 id="who-cares-about-my-site">Who cares about my site?</h1>

<p>Your insecure site might’nt accept sensitive input like payment details or sell valuable items, but your insecure site might be frequented by someone who does.</p>

<p>An attacker might know that a high profile (read: hack-worthy) individual called Bob Millionaire frequents your insecure pet discussion website. Let’s imagine for a second your forum software requires a login. <strong>Your insecure website has now become a target.</strong></p>

<p>The attacker will now trivially sniff for Bob Millionaire’s password on your insecure website, which she can replay against other more lucrative websites, if we can <a href="http://media.ofcom.org.uk/news/2013/uk-adults-taking-online-password-security-risks/">presume that Bob Millionaire re-uses his passwords</a>.</p>

<p>Even if you’re just the third party who owns the domain the IFRAME points to, you have to <strong>strongly consider if you want to be associated with the bad press which comes with your client’s website being exploited</strong> and having the IFRAME which was destined for your content being on the receiving end.</p>

<h1 id="the-solution">The solution</h1>

<p>Can we get to a better place by mandating all container sites to enforce TLS? I think we can. But this will just be a better place, not the ultimate secure place.</p>

<p>There’s a sliding scale, you see.</p>

<p>On the paranoid end you can presume every device and every network is compromised. No amount of TLS will help you. You can trust your own laptop as much as you do the web browser running on the old XP PC down the Internet cafe: you’ll think twice about what you do online, and where you do it. (yes, a modified version of any web browser can show a green padlock for anything)</p>

<p>On the naive end you can presume that you live in a free country, with devices built in secured facilities by known brands, and that the websites you frequent are hosted in secure datacentres, managed by security veterans who can be trusted.</p>

<p>Choose your position on the scale, and accept the risk that’s forthcoming.</p>

</article>

</div>

</div>
</div>

<footer class="site-footer">
<div class="wrapper">
&copy; Copyright Unleash Your Server 2013 &mdash; 2016
</div>
</footer>
<script type="text/javascript" src="/js/main.js"></script>


</body>

</html>
132 changes: 132 additions & 0 deletions 2015/09/15/can-you-embed-a-secure-iframe-on-a-secure-site.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,132 @@
<!DOCTYPE html>
<html>

<head>
<meta charset="utf-8">
<meta name="globalsign-domain-verification" content="ymX0NUSgRv8E1Waz2FeiQ-x7GoJOGzKydkbWi9zINZ">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">

<title>Can you embed a secure IFRAME inside a secure container site?</title>
<meta name="description" content="In a previous essay I discussed the security implications of hosting an IFRAME on an insecure container page. The follow-up question is whether it’s actually...">

<link rel="stylesheet" href="/css/main.css">
<link rel="canonical" href="http://essays.uys.io/2015/09/15/can-you-embed-a-secure-iframe-on-a-secure-site.html">
<link rel="alternate" type="application/rss+xml" title="Unleash Your Server" href="http://essays.uys.io/feed.xml" />
<link rel="shortcut icon" type="image/x-icon" href="favicon.ico">
</head>


<body>

<header class="site-header">

<div class="wrapper">

<a class="site-title" href="/">
<img src="/assets/logo/logob.png" alt="The Unleash Your Server logo" title="Unleash Your Server" height="120">
</a>

<nav class="site-nav">
<div class="trigger">


<a class="page-link" href="/clients.html">Clients</a>



<a class="page-link" href="/feed.xml">RSS</a>



<a class="page-link" href="/archive/">Archive</a>



<a class="page-link" href="/"></a>



<a class="page-link" href="/css/main.css"></a>



<a class="page-link" href="/projects.html">Projects</a>




























</div>
</nav>

</div>

</header>


<div class="page-content">
<div class="wrapper">
<div class="post">

<header class="post-header">
<h1 class="post-title">Can you embed a secure IFRAME inside a secure container site?</h1>
<p class="post-meta">
2015-09-15

under

<a class="post-tag security" href="/tag/security">security</a>

<a class="post-tag web" href="/tag/web">web</a>


</p>
</header>

<article class="post-content">
<p>In a <a href="/2015/09/10/security-considerations-of-using-a-secure-iframe-on-an-insecure-page.html">previous essay</a> I discussed the security implications of hosting an IFRAME on an insecure container page. The follow-up question is whether it’s actually possible to host a secure IFRAME inside a secure container page, and if all browsers will allow this.</p>

<p>My gut feeling said that this should be possible, because the IFRAME has its own <a href="http://www.w3.org/TR/html/browsers.html#nested-browsing-contexts">browsing context</a>. Browser support is a different question though, so I conducted a <a href="https://github.com/opyate/securesecure">quick experiment</a>.</p>

</article>

</div>

</div>
</div>

<footer class="site-footer">
<div class="wrapper">
&copy; Copyright Unleash Your Server 2013 &mdash; 2016
</div>
</footer>
<script type="text/javascript" src="/js/main.js"></script>


</body>

</html>
Loading

0 comments on commit fea914b

Please sign in to comment.