Insecure Iframe Configuration
ID | html.insecure_iframe
Severity | high
Resource | Access Control
Language | Html
Tags | CWE:91, NIST.SP.800-53, OWASP:2021:A4, PCI-DSS:6.5.4, PCI-DSS:6.5.6
Description
This rule identifies HTML <iframe> elements that lack proper security restrictions or use dangerous sandbox attribute combinations. Iframes represent a significant attack surface for clickjacking, content injection, and context leakage attacks when not properly configured.
Rationale
Iframes embed external content within a web page, creating a trust boundary that must be carefully controlled. Improperly configured iframes expose applications to multiple severe security risks:
Clickjacking Attacks: Without proper sandboxing, malicious iframes can overlay invisible elements over legitimate UI components, tricking users into performing unintended actions like transferring funds or changing account settings.
Cross-Site Scripting (XSS) via Iframe: Iframes without the sandbox attribute execute scripts with full privileges. If the iframe source is compromised or user-controlled, attackers can execute arbitrary JavaScript in the framed document and, when that document shares the parent's origin, in the context of the parent page as well.
Same-Origin Policy Bypass: The dangerous combination of allow-scripts and allow-same-origin in the sandbox attribute completely negates iframe security. Because the framed document is then treated as same-origin, its scripts can access and modify the parent document, including removing the sandbox attribute itself, effectively bypassing all sandbox restrictions.
Data Exfiltration: Unsandboxed iframes can access cookies, localStorage, and other sensitive client-side data, potentially leaking authentication tokens or personal information to malicious domains.
Top-Level Navigation: Without sandboxing, iframes can navigate the top-level window, enabling phishing attacks where the entire page is replaced with a fake login screen.
Plugin and Popup Abuse: Unrestricted iframes can launch plugins, open popups, and trigger downloads without user consent, facilitating malware distribution.
Consider the following code:
```html
<!-- Completely unsandboxed - full privileges to external content -->
<iframe src="https://external-site.com/widget"></iframe>

<!-- Dangerous combination - sandbox is effectively bypassed -->
<iframe src="https://untrusted-ads.com/banner"
        sandbox="allow-scripts allow-same-origin"></iframe>

<!-- User-controlled source without sandboxing -->
<iframe src="https://example.com/preview?url=USER_INPUT"></iframe>
```
Malicious iframe content can exploit these configurations:
```javascript
// In the unsandboxed iframe at external-site.com
top.location = 'https://phishing-site.com/fake-login';

// With allow-scripts + allow-same-origin
parent.document.cookie; // Access parent cookies
parent.localStorage.getItem('auth_token'); // Steal tokens
parent.document.querySelector('form').submit(); // Perform actions

// Clickjacking overlay
var overlay = parent.document.createElement('div');
overlay.style.position = 'absolute';
overlay.style.opacity = '0';
parent.document.body.appendChild(overlay);
```
Remediation
Always apply the sandbox attribute to iframes, especially those embedding external or untrusted content. Use the principle of least privilege by only enabling necessary permissions, and never combine allow-scripts with allow-same-origin.
Vulnerable Patterns:
```html
<!-- No sandbox attribute -->
<iframe src="https://external-widget.com/embed"></iframe>

<!-- Dangerous combination that bypasses all security -->
<iframe src="https://ads.example.com"
        sandbox="allow-scripts allow-same-origin"></iframe>

<!-- Too permissive -->
<iframe src="https://untrusted.com"
        sandbox="allow-scripts allow-forms allow-popups allow-same-origin"></iframe>
```
Secure Patterns:
```html
<!-- Minimal sandbox - no scripts, isolated origin -->
<iframe src="https://external-widget.com/embed"
        sandbox=""></iframe>

<!-- Allow only forms, no scripts -->
<iframe src="https://survey.example.com"
        sandbox="allow-forms"></iframe>

<!-- Safe combination - scripts allowed but different origin -->
<iframe src="https://trusted-partner.com/calculator"
        sandbox="allow-scripts"></iframe>

<!-- Multiple safe permissions -->
<iframe src="https://video-player.com/embed"
        sandbox="allow-scripts allow-presentation"></iframe>
```
Content Security Policy Enhancement:
For defense in depth, combine iframe sandboxing with CSP. Note that the two directives act on different documents: frame-src, set on the embedding page, restricts which origins may be loaded into its frames, while the sandbox directive applies to the document that serves the policy. The sandbox directive is ignored inside a <meta> tag, so it must be sent as an HTTP response header by the framed document itself:
```html
<!-- Embedding page: only these origins may be framed -->
<meta http-equiv="Content-Security-Policy"
      content="frame-src 'self' https://trusted-domain.com;">
```
```http
Content-Security-Policy: sandbox allow-scripts
```
The header above, sent by the framed document, enforces the sandbox regardless of how the embedder configured the iframe.
Sandbox Attribute Reference (safe combinations):
- Empty sandbox (sandbox="") - Maximum security, no privileges
- allow-forms - Only allow form submission (safe alone)
- allow-modals - Allow alert/confirm dialogs (safe alone)
- allow-popups - Allow window.open (use cautiously)
- allow-presentation - Allow starting a presentation session via the Presentation API (safe with scripts)
- allow-scripts - Allow JavaScript (NEVER with allow-same-origin)
- allow-same-origin - Treat as same origin (NEVER with allow-scripts)
Critical Rule: NEVER use allow-scripts and allow-same-origin together. When the framed document is same-origin with the embedding page, this combination lets its script reach into the parent DOM and remove the iframe's own sandbox attribute, completely bypassing all restrictions.
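As an added example (not this rule's own implementation), here is a small Python checker that applies the guidance above to the iframes in an HTML fragment: it flags a missing sandbox attribute, the allow-scripts plus allow-same-origin pair, allow-top-navigation, and misspelled tokens that browsers silently ignore. The token list and the sample HTML are constructed for the demo.

```python
from html.parser import HTMLParser
# Sandbox tokens defined by the HTML spec; browsers silently ignore anything else.
KNOWN_TOKENS = {"allow-forms", "allow-modals", "allow-popups", "allow-presentation",
                "allow-scripts", "allow-same-origin", "allow-downloads",
                "allow-top-navigation", "allow-popups-to-escape-sandbox"}
DANGEROUS_PAIR = {"allow-scripts", "allow-same-origin"}

def check_sandbox(src, sandbox):
    """Apply the page's rules to one iframe; returns a list of (severity, message)."""
    if sandbox is None:  # attribute absent: framed content runs with full privileges
        return [("high", f"{src}: no sandbox attribute")]
    tokens = set(sandbox.lower().split())  # tokens are ASCII case-insensitive
    findings = []
    if DANGEROUS_PAIR <= tokens:
        findings.append(("high", f"{src}: allow-scripts with allow-same-origin "
                                 "lets the frame remove its own sandbox"))
    if "allow-top-navigation" in tokens:
        findings.append(("medium", f"{src}: allow-top-navigation can replace the page"))
    for bad in sorted(tokens - KNOWN_TOKENS):
        findings.append(("low", f"{src}: unknown sandbox token {bad!r} is ignored"))
    return findings

class IframeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attrs = dict(attrs)
        # A bare `sandbox` attribute parses as None but means "" (fully restricted).
        sandbox = "" if "sandbox" in attrs and attrs["sandbox"] is None else attrs.get("sandbox")
        self.findings.extend(check_sandbox(attrs.get("src", "<no src>"), sandbox))

def scan(html):
    scanner = IframeScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample mirroring the page's vulnerable and secure patterns.
SAMPLE = """<iframe src="https://external-widget.com/embed"></iframe>
<iframe src="https://ads.example.com"
        sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="https://survey.example.com" sandbox="allow-forms"></iframe>
<iframe src="https://video-player.com/embed" sandbox="allow-scripts allow-presentation"></iframe>"""
if __name__ == "__main__":  # expected: two HIGH findings, for the first two iframes
    for severity, message in scan(SAMPLE):
        print(severity.upper(), message)
```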