Hacker News new | past | comments | ask | show | jobs | submit login

Maybe there's a side to it that I'm not aware, but as far as I know, it's become very difficult to run exploitable JS in an iframe.



cjc1083's proposed attack vector is an interstitial page which drops a Java/Flash 0-day on you and forwards you to your original target site, leaving you compromised and none the wiser. My point is that if you can even do the redirect in the first place, it's much simpler to just iframe in the attack page and do the drop directly rather than waiting on user input to do it in a manner that they might notice.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: