Monday, 31 August 2015

iframe

An IFrame (Inline Frame) is an HTML document embedded inside another HTML document on a website. The IFrame HTML element is often used to insert content from another source, such as an advertisement, into a Web page. Although an IFrame behaves like an inline image, it can be configured with its own scrollbar independent of the surrounding page's scrollbar. A Web designer can change an IFrame's content without requiring the user to reload the surrounding page. This capacity is enabled through JavaScript or the target attribute of an HTML anchor. Web designers use IFrames to embed interactive applications in Web pages, including those that employ Ajax (Asynchronous JavaScript and XML), like Google Maps or ecommerce applications.

In 2008, hackers seeded Internet search results with malicious IFrame code, leading to IFrame overlay attacks on many prominent websites, including those for USA Today and ABC News. The attackers inserted IFrame code into the saved search results of legitimate websites. When a visitor clicked on a link from the compromised search tool, he would be redirected to a malicious website by the IFrame code. The unsuspecting user's computer would then be vulnerable to the automatic download of malware.

This was last updated in January 2015. Posted by: Margaret Rouse

How to defend against iframe attacks?

Embedding an image, iFrame or other content in a way that is invisible to a user is an old attack method that dates back many years to when images were the same color as the background. Hacker group Fluffi Bunni performed one of the most infamous iFrame or banner attacks when the group forced securityfocus.com to serve up compromised ads. IFrame attacks have increased with the widespread adoption of ad networks and the increasing inclusion of content from third-party sites via iFrames. While there are valid uses for iFrames when including content from external websites, enterprises need to trust the security of the content they receive from all sites. In a blog post, Symantec outlined some of the weaknesses exploited in attacks via iFrames, including potential browser and SSL certificate security flaws.

Enterprises can protect their customers from iFrame attacks by not using iFrames to include content from third-party sites. Instead, all of the content can originate from the enterprise's website, as securityfocus.com did during its encounter with Fluffi Bunni, but this option can cause problems when pulling in new ads. Enterprises can also take a hybrid approach, where the content that would be included in the iFrame is downloaded to the server, checked for malware and, for all external links, checked by a Web reputation service for potentially malicious external references, and then published locally. To stop malicious links or JavaScript, the content can be changed into benign image files.
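The checking step of the hybrid approach described above, as an added example (not code from the original article): it audits markup downloaded from a third party before it is published locally, flagging nested or invisible iframes, scripts, inline event handlers and references to hosts outside an allowlist. The allowlist `TRUSTED_HOSTS` stands in for the Web reputation service, and all names and sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a local allowlist stands in for the Web reputation service.
TRUSTED_HOSTS = {"www.example.com"}
URL_ATTRS = {"src", "href", "data", "action"}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class ThirdPartyAudit(HTMLParser):
    """Records what must be reviewed or stripped before local publishing."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "").strip() for name, value in attrs}
        if tag == "iframe":
            self.findings.append(("iframe", a.get("src", "")))
            tiny = a.get("width") in {"0", "1"} or a.get("height") in {"0", "1"}
            if tiny or "hidden" in a or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script":
            self.findings.append(("script", a.get("src") or "inline"))
        for name, value in a.items():
            if name.startswith("on"):  # inline handlers such as onclick, onload
                self.findings.append(("event-handler", name))
            elif name in URL_ATTRS and value:
                url = urlparse(value)
                if url.scheme == "javascript":
                    self.findings.append(("javascript-url", name))
                elif url.hostname and url.hostname not in TRUSTED_HOSTS:
                    self.findings.append(("external-ref", url.hostname))

def audit(markup):
    """Return a list of (kind, detail) findings for fetched markup."""
    parser = ThirdPartyAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings

# Constructed sample input, not taken from any real ad network.
SAMPLE_AD = """<div class="ad"><a href="https://www.example.com/offer">
<img src="/img/banner.png" alt="offer"></a>
<iframe src="http://ads.invalid/landing" width="1" height="1"></iframe>
<script src="//cdn.invalid/t.js"></script></div>"""
CLEAN_AD = '<a href="https://www.example.com/o"><img src="/img/b.png" alt=""></a>'

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_AD):
        print(f"{kind:14} {detail}")
```

Content with an empty findings list can be published as is; anything else is held back or converted to a static image, as the text suggests.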
