OWASP Foundation
owasp.org › www-community › attacks › Cross_Frame_Scripting
Cross Frame Scripting | OWASP Foundation
To exploit a Cross Site Scripting on a third-party web page at example.com, the attacker could create a web page at evil.com, which the attacker controls, and include a hidden iframe in the evil.com page. The iframe loads the flawed example.com page, and injects some script into it through the XSS flaw.
Radware
radware.com › cyberpedia › application-security › iframe-injection-xss
iFrame Injection XSS | Radware
An iframe is a HTML webpage that is embedded inside another webpage on a website, allowing for the inclusion of content from external sources, such as advertising, on webpages.
HackerOne
hackerone.com › reports › 1200770
Report #1200770 - XSS trigger via HTML Iframe injection ...
Hi team, I found an Iframe injection issue where I chained it and formed an XSS. I found the issue in the text editor area while ███████ing the account. There is a place in the registration area where we have to give a reason for █████████. We can write our reason and edit to show more beautifully.
Mozilla
developer.mozilla.org › en-US › docs › Web › Security › Attacks › XSS
Cross-site scripting (XSS) - Security | MDN
HTML attribute contexts: inserting input as HTML attribute values is sometimes safe and sometimes not, depending on the attribute. In particular, event handler attributes like onblur are unsafe, as is the src attribute of the <iframe> element.
PortSwigger
portswigger.net › web-security › cross-site-scripting › cheat-sheet
Cross-Site Scripting (XSS) Cheat Sheet - 2026 Edition | Web Security Academy
xmp <xss onscrollend=alert(1) style="display:block;overflow:auto;border:1px dashed;width:500px;height:100px;"><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><span id=x>test</span></xss>
GitHub
github.com › FreshRSS › FreshRSS › security › advisories › GHSA-wgrq-mcwc-8f8v
XSS by embedding <script> tag inside <iframe srcdoc>
June 3, 2025 - HTML is being sanitized improperly inside the <iframe srcdoc> attribute, which leads to XSS by loading an attacker's UserJS inside <script src>
Zscaler
zscaler.com › blogs › security-research › xss-embedded-iframes
XSS Embedded IFrames | Zscaler
April 2, 2025 - Because the original parameter is displayed on the page without any sanitization for this type of encoded HTML, it is possible for this XSS to take place. The encoded HTML in each case is hexadecimal encoded HTML: </title><iframe src=//ask5.eu> which decodes to a closing tag for the query string, followed by the malicious iframe to embed:
Medium
alsolaiman.medium.com › a-deep-dive-into-iframe-src-attribute-leading-to-a-stored-xss-f191c3c67749
A Deep dive into <iframe> src=”” attribute leading to a Stored XSS | by Abdullah AlSolaiman | Medium
April 19, 2022 - I tried to add a YouTube link and the surprise was that the backend injects what you enter into an <iframe src=”YouTubeLink”>. I was happy, Finally, I can execute JavaScript easily. ... So what popped into my mind an always-used payload for XSS attacks which is the Data URI Scheme.
Cooper Young
coopergyoung.com › home › cyber security blog › exacerbating cross-site scripting: the iframe sandwich
Exacerbating Cross-Site Scripting: The Iframe Sandwich - Cooper Young
February 15, 2026 - However in the case of an Iframe Sandwich, the maliciously injected JavaScript comes from a trusted subdomain (like stores.<site>.com). Since this subdomain is embedded as an iframe within www.<site>.com/stores, the XSS payload is able to change the content of the iframe because they share the same origin.
HackTricks
book.hacktricks.xyz › home › pentesting web › xss cross site scripting › iframes in xss and csp
Iframes in XSS, CSP and SOP - HackTricks
If an attacker can inject or upload a same-origin HTML page and load it in an iframe, the child frame can read top.document.querySelector('[nonce]').nonce and mint new <script nonce> elements. This turns a same-origin HTML injection into full script execution even under strict-dynamic (because the nonce is already trusted). The following gadget escalates a markup injection into XSS:
Top answer
1 of 2
8

Iframes have a special tag called "sandbox" that sets how to treat the content of the iframe. Using that tag, you can granularly set permissions to allow an iframe to interact with the parent. Normally iframes are pretty restrictive as to how they can affect a parent when loaded from a different domain, but if you see things like: allow-same-origin, allow-scripts, allow-top-navigation, etc then there may be case specific ways to exploit it.

[edit] Most cases of iframe XSS attacks do not actually involve injecting arbitrary code into the parent website. Instead they are typically one of the following:

  1. You take control of the child website, and replace it with something like a fake login form to make people think that they are logging into the parent website to access the content, when you are really phishing their credentials.
  2. You distribute a "useful" service that other programmers embed in their sites that you actually use to phish private information. Then you prey on people's trust of these other websites to get them to give you something useful. For example: a tax bracket calculator that asks for your name, address, and SSN.
  3. Instead of parent.com, you make an evil twin website called parents.com that contains parent.com inside of an iframe so that it behaves just like the real site, but your version of the website is collecting the end user's private information.

So, the most likely way for you to be able to exploit this scenario would be if you could replace the form with something that looks like a login form for parent.com and post not to parent.com, but to something that you actually control to steal user credentials.

2 of 2
1

No, this is likely not possible as iframes are restrictive by nature. Remember that all an iFrame is, is a simple GET request to the site included as the source, and then embedding it onto the parent site and allowing further interaction with it. You have described a POST-XSS vulnerability within the child site, which would be very difficult to automatically trigger in an iframe as it is yet again, only a GET request.

Theoretically speaking you could obviously find a browser exploit which would allow you to execute javascript from a child site into a parent site, but such a thing is much more valuable than any bounty on the parent site. Additionally it would likely still not work in your case, as again you only have POST-XSS.

It is useful to note that although iFrames are restrictive as pointed out by other users and myself, there is an exception made for the javascript: URI. Take for example an iframe like so:

<iframe src="javascript:alert(0)"></iframe>

If this was on a website, not only would you get an alert, but it would be an alert on the 'parent site' as technically there is no child site. This is interesting behavior and proves that iFrames aren't always so 'restrictive'.

TrustedSec
trustedsec.com › home › blog › persisting xss with iframe traps
TrustedSec | Persisting XSS With IFrame Traps
March 19, 2025 - Instead of a fake login page, we'll use the ability to spoof the address in the URL address bar to make it appear that the iframe the user is trapped in is the actual page they're on. As they navigate the application, our JavaScript will retrieve the URL from the iframe they're navigating and copy it into the browser URL address bar, hiding their actual location which is the page with the XSS JavaScript.
Imperva
imperva.com › home › lessons learned from exposing unusual xss vulnerabilities
Lessons Learned From Exposing Unusual XSS Vulnerabilities | Imperva
July 10, 2024 - The vulnerability discovered can be exploited through a two-step process involving both the leakage of a secret token and the exploitation of a DOM XSS issue. Here’s how it works: ... The developers seem to have confused `window.parent` with `window.top`, which is an easy mistake since they often behave similarly. Here’s the difference: `window.top` references the topmost window in the hierarchy, while `window.parent` references the direct parent of the current window. The ZoomInfo Chat script loads the chat user interface using an iframe that points to “https://{user}.widget.insent.ai.” The widget uses `window.top.postMessage` to send information, including a secret token, back to the parent window.
PortSwigger
portswigger.net › web-security › cross-site-scripting › dom-based
What is DOM-based XSS (cross-site scripting)? Tutorial & Examples | Web Security Academy
In this example, the src attribute points to the vulnerable page with an empty hash value. When the iframe is loaded, an XSS vector is appended to the hash, causing the hashchange event to fire.
Invicti
invicti.com › blog › web-security › cross-frame-scripting-xfs-vulnerability
Cross-Frame Scripting Attacks
January 13, 2021 - Cross-site scripting (XSS) means ... Cross-frame scripting (XFS) means snooping on the user after tricking them to visit a malicious site that contains an iframe with a legitimate page....
Qrvey
qrvey.com › blog › embedded analytics › why iframes are considered a security risk and how to secure them
2026 Iframe Security Risks and 10 Ways to Secure Them
November 26, 2025 - Small businesses often lack the ... vulnerability is real and increasingly exploited. Cross-Site Scripting (XSS) attacks are particularly dangerous when combined with iframes....
QualityMinds
qualityminds.com › en › angular-security-part-2-proactive-xss-protection-with-the-iframe-sandbox
Angular Security Part 2 – Proactive XSS Protection with iframe Sandbox - QualityMinds
January 15, 2026 - Users start reporting that they can’t access your app. You brace for impact, expecting something to be on fire in the backend, but everything checks out.
Acunetix
acunetix.com › websitesecurity › cross-site-scripting
What is Cross-site Scripting (XSS): prevention and fixes
February 18, 2025 - However, IFrames are still very effective for pulling off phishing attacks.
Invicti
invicti.com › learn › cross-site-scripting-xss
Cross-Site Scripting (XSS) Vulnerability Guide
Because the malicious JavaScript runs in the context of a trusted domain, it can access session cookies, interact with APIs, modify the DOM, and perform actions as the victim. XSS is therefore a form of injection attack that exploits how web browsers interpret dynamic HTML and JavaScript code.
GitHub
github.com › halo-dev › halo › security › advisories › GHSA-x3rj-3x75-vw4g
Halo Editor's iframe tag has a stored XSS vulnerability
September 1, 2024 - This vulnerability allows an attacker to execute malicious scripts in the user's browser through specific HTML and JavaScript code, potentially leading to a Cross-Site Scripting (XSS) attack.