[Javascript] Get iframe html

Discuss the many weaknesses of browser security and ways to mitigate the threat

[Javascript] Get iframe html

Post by TheJjokerR on Fri May 20, 2011 1:27 am
([msg=57592]see [Javascript] Get iframe html[/msg])

Hey there,

Basically on my site, people that are logged into it and visit "example.com/?dosomething=1", can do stuff to their account their.

I've already posted successfully to that site, using the token I found in the hidden field of a form on that page(that was the easy part). Now I want to open the site in an iframe, get the html content of that site, get the token, post to that site with the token and do something to their account.

The token is also stored in a meta tag on another page if there's an easier way to get that meta tag.

Problem here is the javascript same domain policy.. I can't use PHP or another server-side scripting language because that would result in getting a forbidden page, as the server isn't logged into the targets account(obviously)

How can I get the HTML contents of the iframe or the meta tag of the site in the iframe.

Thanks
TheJjokerR
New User
New User
 
Posts: 6
Joined: Fri May 20, 2011 1:21 am
Blog: View Blog (0)


Re: [Javascript] Get iframe html

Post by Goatboy on Fri May 20, 2011 2:23 am
([msg=57593]see Re: [Javascript] Get iframe html[/msg])

You can do this with Perl, Python, or anything with decent networking support. Look up cURL for how to interact with websites from within a program.
Assume that everything I say is or could be a lie.
1UHQ15HqBRZFykqx7mKHpYroxanLjJcUk
User avatar
Goatboy
Expert
Expert
 
Posts: 2785
Joined: Mon Jul 07, 2008 9:35 pm
Blog: View Blog (0)


Re: [Javascript] Get iframe html

Post by TheJjokerR on Fri May 20, 2011 3:51 am
([msg=57598]see Re: [Javascript] Get iframe html[/msg])

Goatboy wrote:You can do this with Perl, Python, or anything with decent networking support. Look up cURL for how to interact with websites from within a program.


Aye, I understand real well that this can easily be done with any programming language, but I really need to have this on a website, not a program that has to be downloaded.

That is why I ask for a way to do it in Javascript :P
TheJjokerR
New User
New User
 
Posts: 6
Joined: Fri May 20, 2011 1:21 am
Blog: View Blog (0)


Re: [Javascript] Get iframe html

Post by Goatboy on Fri May 20, 2011 4:56 am
([msg=57599]see Re: [Javascript] Get iframe html[/msg])

TheJjokerR wrote:I really need to have this on a website, not a program that has to be downloaded.

Can you explain a bit more? If this is anattack experiment you're trying then I would still strongly suggest Python or Perl. The only reasons I could think of you needing to do it in JS are if you are trying to perform some sort of XSS or if you want to do this quickly from any browser. However, these two links might help:

http://roneiv.wordpress.com/2008/01/18/ ... d-firefox/
http://stackoverflow.com/questions/9269 ... javascript

Still a little unclear on what you want, but try that. As for actually posting the data:

http://stackoverflow.com/questions/1339 ... orm-submit
Assume that everything I say is or could be a lie.
1UHQ15HqBRZFykqx7mKHpYroxanLjJcUk
User avatar
Goatboy
Expert
Expert
 
Posts: 2785
Joined: Mon Jul 07, 2008 9:35 pm
Blog: View Blog (0)


Re: [Javascript] Get iframe html

Post by TheJjokerR on Fri May 20, 2011 5:02 am
([msg=57601]see Re: [Javascript] Get iframe html[/msg])

Alright, let me clarify,

The url in the iFrame is on a remote website, I don't have access to it's source so I can't change anything on that website.

The first 2 links you posted wont work, because of javascripts' limitations to it's own domain, e.g: if I were to try on of em on the iframe, as soon as I use .contentDocument or .document I will get a security warning and the script will stop running.

The last link is what I am doing after this step, I want to post like that and that works fine, but I need a security token for it to get accepted by the server. I found this token manually, but now I need to automate it. So whenever someone goes to the website, it gains the security token and posts 'pretending to be them' in a hidden iframe to the site.

Without the security token this wont work, so I need a way to get the source of the page so I can grab the token, and post with it.

This could also be done by:
- Load page we have here in an invisible iframe,
- Fill the form automaticaly,
- submit it.

Yet I have no idea how to fill the form that is in the iframe :/
TheJjokerR
New User
New User
 
Posts: 6
Joined: Fri May 20, 2011 1:21 am
Blog: View Blog (0)


Re: [Javascript] Get iframe html

Post by Gamemania on Fri May 20, 2011 8:03 am
([msg=57606]see Re: [Javascript] Get iframe html[/msg])

Why do you need to fill the form when you can make a form and point it to the same url?
And as for grabbing the content, why not use a server-side language?
I mean, you have all the information to make an iframe, why not just feed that information to your script? (And maybe get its result, AJAX?)


TheJjokerR wrote:
Goatboy wrote:You can do this with Perl, Python, or anything with decent networking support. Look up cURL for how to interact with websites from within a program.


Aye, I understand real well that this can easily be done with any programming language, but I really need to have this on a website, not a program that has to be downloaded.

That is why I ask for a way to do it in Javascript :P


You have PHP, ASP, Perl, etc. of choice that you don't need to download to make it work you know
Gamemania
New User
New User
 
Posts: 4
Joined: Tue May 17, 2011 3:43 am
Blog: View Blog (0)


Re: [Javascript] Get iframe html

Post by TheJjokerR on Fri May 20, 2011 8:57 am
([msg=57609]see Re: [Javascript] Get iframe html[/msg])

Problem is with server side scripting, the user wont be logged in. If I use javascript and open the website I need, the target will still be logged in (seeing how 9/10 select "Remember Me"). With that information I can get the security token from their account and post back using my own form.
TheJjokerR
New User
New User
 
Posts: 6
Joined: Fri May 20, 2011 1:21 am
Blog: View Blog (0)


Re: [Javascript] Get iframe html

Post by Gamemania on Fri May 20, 2011 9:21 am
([msg=57611]see Re: [Javascript] Get iframe html[/msg])

That would be plainly impossible
Because if that was possible, every user's account on every site would be hacked by just embbeding an iframe and steal the frame's information
Gamemania
New User
New User
 
Posts: 4
Joined: Tue May 17, 2011 3:43 am
Blog: View Blog (0)


Re: [Javascript] Get iframe html

Post by TheJjokerR on Fri May 20, 2011 9:27 am
([msg=57612]see Re: [Javascript] Get iframe html[/msg])

Gamemania wrote:That would be plainly impossible
Because if that was possible, every user's account on every site would be hacked by just embbeding an iframe and steal the frame's information


Ok, well it wouldn't get everyones account hacked, seeing how you wouldn't be able to see the password anywhere. The site I'm trying to exploit has a different way to retrieve the password, what I was trying to do should work to recover passwords without them being mine.

Anyways, I might just do this in a simple program that loads the html source and reads it, yet I have no idea how to make sure that firefox and internet explorer's sessions remain active :/
TheJjokerR
New User
New User
 
Posts: 6
Joined: Fri May 20, 2011 1:21 am
Blog: View Blog (0)


Re: [Javascript] Get iframe html

Post by Goatboy on Fri May 20, 2011 2:35 pm
([msg=57614]see Re: [Javascript] Get iframe html[/msg])

TheJjokerR wrote:The site I'm trying to exploit ...

Careful now.
Assume that everything I say is or could be a lie.
1UHQ15HqBRZFykqx7mKHpYroxanLjJcUk
User avatar
Goatboy
Expert
Expert
 
Posts: 2785
Joined: Mon Jul 07, 2008 9:35 pm
Blog: View Blog (0)


Next

Return to Web

Who is online

Users browsing this forum: No registered users and 0 guests