Steal postmessage modifying iframe location
Changing child iframes locations
According to this writeup, if you can iframe a webpage without X-Frame-Header that contains another iframe, you can change the location of that child iframe.
For example, if abc.com have efg.com as iframe and abc.com didn't have X-Frame header, I could change the efg.com to evil.com cross origin using, frames.location
.
This is specially useful in postMessages because if a page is sending sensitive data using a wildcard like windowRef.postmessage("","*")
it's possible to change the location of the related iframe (child or parent) to an attackers controlled location and steal that data.
Last updated