
[WEB SECURITY] Anti frame-busting code in Internet Explorer




I thought a few of the webappsec hackers on the list would find this interesting and I hadn't seen it mentioned before. During webappsec talks, I typically recommend liberal use of JavaScript frame-busting code:


<script>
// If this document is not the top-level window, navigate the top window to this page,
// which breaks it out of any frame it was loaded into.
if(top != self) top.location.href = location.href;
</script>

Many websites use this technique. The code prevents the framing or iframing in of your website for nefarious purposes. Or so I thought. After a talk at Stanford University, Collin Jackson (Ph.D. student) let me know that he had anti frame-busting code working in IE:

<iframe src="fool.html" security=restricted></iframe>
* pay attention to the "security=restricted" attribute

Sure enough, it works. According to Collin, "Internet Explorer will not allow the JavaScript frame-busting code inside the iframe to execute, because the frame is now in the 'Restricted Zone.'"

More information and a demo available here:
http://crypto.stanford.edu/framebust/

I'm not sure how far the security ramifications go, but I thought it was cool nonetheless.

Regards,

Jeremiah-


-----------------------------------------------------------
Jeremiah Grossman
Founder and Chief Technology Officer
WhiteHat Security, Inc.
www.whitehatsec.com
-----------------------------------------------------------
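The weakness described above is that the frame buster only acts when its script runs, so suppressing script (as the security=restricted zone does) leaves the page fully rendered inside the attacker's frame. The following is an added example, not code from the post or from the Stanford demo: it models the window objects a frame buster sees and compares the classic snippet with a variant that ships the page hidden and only reveals it when not framed, so that blocked script fails closed. The names assess, classicFrameBuster and failClosedFrameBuster and the example.com-style URLs are constructed for the demonstration.

```javascript
// The post's frame buster: it can only act if the script actually executes.
function classicFrameBuster(win, doc) {
  if (win.top !== win.self) win.top.location.href = win.self.location.href;
}

// Fail-closed variant. In a real page the content is hidden up front with
// <style>html{display:none}</style>; the script reveals it only when the
// document is the top-level window. If the script is suppressed, the page
// stays blank inside the frame instead of being clickjackable.
function failClosedFrameBuster(win, doc) {
  if (win.top === win.self) {
    doc.visible = true;                     // top-level: reveal the content
  } else {
    win.top.location.href = win.self.location.href;
  }
}

// Simulates loading the protected page. `framed` = loaded inside a
// third-party iframe; `scriptsAllowed` = false models the IE restricted
// zone (or any other setting that stops the inline script from running).
// Returns 'busted', 'exposed', 'hidden', 'visible' or 'blank'.
function assess(defense, { framed, scriptsAllowed }) {
  const attackerTop = { location: { href: 'https://attacker.example/' } };
  const page = { location: { href: 'https://victim.example/' } };
  page.self = page;
  page.top = framed ? attackerTop : page;
  // Classic: content is rendered before any script runs. Fail-closed: it starts hidden.
  const doc = { visible: defense === classicFrameBuster };
  if (scriptsAllowed) defense(page, doc);
  const busted = framed && attackerTop.location.href === page.location.href;
  if (busted) return 'busted';              // top window navigated to the victim page
  if (!framed) return doc.visible ? 'visible' : 'blank';
  return doc.visible ? 'exposed' : 'hidden';
}
```

The 'blank' outcome is the trade-off of the fail-closed form: a visitor who has scripting disabled at top level sees nothing until it is allowed.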






--------------------------------------------------------------------- The Web Security Mailing List http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/


