Critical Thinking - Bug Bounty Podcast

Episode 119: Abusing Iframes from a client-side hacker

Apr 17, 2025

Dive into the intriguing world of iframes and discover their hidden significance in web security. Learn about the vulnerabilities they pose and how attackers can exploit them through tactics like clickjacking. The discussion highlights essential attributes of iframes, along with fun facts that might surprise even seasoned security researchers. Join the conversation and uncover strategies for identifying and mitigating these risks in the ever-evolving landscape of cybersecurity.

33:54

Creator website

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

Iframes, while useful for embedding content, pose serious security risks such as clickjacking and unauthorized access to sensitive data.

Understanding iframe attributes like source, allow, and sandbox is crucial for preventing sophisticated attacks and enhancing web security.

Deep dives

Understanding Iframes and Their Importance

Iframes, or inline frames, are HTML elements that allow for embedding another web page within a page, which can be leveraged for both useful and malicious purposes. One of the primary vulnerabilities associated with iframes is clickjacking, where an attacker could manipulate a user into clicking on elements in an invisible iframe, potentially granting unauthorized access to sensitive information. This makes the exploration of iframe vulnerabilities crucial for understanding potential security risks, particularly in scenarios involving authorization processes. Effective exploitation of iframes requires an understanding of their attributes and the contexts they create for interaction with other domains.

Exploring Iframes: Vulnerabilities and Exploits in Web Security

34min

Episode 119: In this episode of Critical Thinking - Bug Bounty Podcast Justin does a mini deep dive into the world of iframes, starting with why they’re significant, their attributes, and how to attack them.

CORRECTION: Some of my comments on the latest episode of the pod were woefully inaccurate about the `csp` attribute of an iframe. Def should have read the spec more thoroughly. Please see the #corrections channel in Discord for the deets.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== Resources ======

Episode with JR0ch17

ctbb.show/61

Exacerbating Cross-Site Scripting: The Iframe Sandwich

https://coopergyoung.com/exacerbating-cross-site-scripting-the-iframe-sandwich/

====== Timestamps ======

(00:00:00) Introduction

(00:01:20) Why are Iframes useful

(00:05:11) Attributes of Iframes

(00:21:39) Iframe Attacks

(00:29:53) Iframe Fun Facts

Remember Everything You Learn from Podcasts

Save insights instantly, chat with episodes, and build lasting knowledge - all powered by AI.

Critical Thinking - Bug Bounty Podcast

Episode 119: Abusing Iframes from a client-side hacker

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Understanding Iframes and Their Importance

Key Vulnerabilities and Attack Vectors with Iframes

Manipulating Iframe Attributes for Exploitation

Effective Attacks Using Iframes

Remember Everything You Learn from Podcasts