7 replies [Last post]
gfisch
gfisch's picture
Offline
Regular
Last seen: 15 years 23 weeks ago
Joined: 2005-03-04
Posts: 21
Points: 0

i don't know if the use of iFrame is off Topic enough but I thought this is a clever idea.
Use the simple iFrame command and control the content via css

what do you think about this?
Should iFrames be used at all?

I read somewhere that you can use iFrames for hacking.
Is this true?

Here comes the text

-----------------

Re: help! is it CSS style sheet or iframe or target???
ACJ, 031204 06:25

Well, I can only guess at what you're doing, but it really SHOULD be working.
Here's a little test scenario.

index.html markup:

<html>
<head>
<title>iframe with external style sheet</title>
<link rel="stylesheet" type="text/css" href="index.css" />
</head>
<body>
<p>
This <em>is not</em> within an <code>iframe</code>, and should be displayed in <strong style="color:red">red</strong>.
</p>
<iframe src="iframe.html">
<p>
You browser does not support <code>iframe</code>s.
Not somthing to cry about, really.
</p>
</iframe>
</body>
</html>

 

The markup of iframe.html (to which is refered in index.html):

<html>
<head>
<title>iframe with external style sheet</title>
<link rel="stylesheet" type="text/css" href="iframe.css" />
</head>
<body>
<p>
This <em>is</em> within an <code>iframe</code>, and should be displayed in <strong style="color:green">green</strong>.
</p>
</body>
</html>

 

The content of index.css:

p { color: red }

 
The content of iframe.css:

p { color: green }

 

I put up test page on which you can see the results.
The link automization of this forum would break the link because of the tilde, so I will show you the URL without the http.
Just copy the URL and paste it into the address field of your browser.

home.planet.nl/~acjbizar/tests/200312040508.html

Sincerly,

ACJ

ip3e834e71.speed.planet.nl

Re: help! is it CSS style sheet or iframe or target???
ACJ, 031204 06:54

I put up a permanent link to the example. For future reference.
I should probably start indexing these things.

http://home.planet.nl/~acjbizar/tests/200312040508/

(source: http://milov.nl/forum/1/930)

Tags:
thepineapplehead
thepineapplehead's picture
Offline
Guru
Last seen: 21 weeks 10 hours ago
Joined: 2004-06-30
Posts: 9668
Points: 801

iFrame CSS hacking

1. I'm confused.

2. Where's the doctype? Laughing out loud

Verschwindende wrote:
  • CSS doesn't make pies

DCElliott
DCElliott's picture
Offline
Leader
Halifax, Canada
Last seen: 3 years 14 weeks ago
Halifax, Canada
Timezone: GMT-3
Joined: 2004-03-22
Posts: 828
Points: 0

iFrame CSS hacking

Quote:
control the content via css

I'm not sure what you mean by that - don't you mean style, not content? An iframe creates a secondary viewport which renders another HTML file and that file can have its own stylesheet - no biggie, there, really - just normal behavior per design.

As for having no doctype, as a "proof of concept" example I'm not too concerned - we get a bit doctype happy around here sometimes. However, if you are posting a "why doesn't this work in browser X" question, by all means get your doctype squared away.

Pineapplehead - please don't feel I am singling you out because we all do this from time to time - pick on a detail that doesn't affect the question asked and then not answer the question. (And I agree it was hard to find the question in that post)

DE

David Elliott

Before you ask
LearnXHTML|CSS
ValidateHTML|CSS

Hugo
Hugo's picture
Offline
Moderator
London
Last seen: 5 years 31 weeks ago
London
Joined: 2004-06-06
Posts: 15668
Points: 2806

iFrame CSS hacking

gficsh,

why do you ask the question:

"I read somewhere that you can use iFrames for hacking.
Is this true?"


Iframes have been known to be used as part of an 'exploit'

Is this partly your interest ? Smile

When you post please do your level best to make your posts as clear as possible.

Hugo.

Before you make your first post it is vital that you READ THE POSTING GUIDELINES!
----------------------------------------------------------------
Please post ALL your code - both CSS & HTML - in [code] tags
Please validate and ensure you have included a full Doctype before posting.
Why validate? Read Me

gfisch
gfisch's picture
Offline
Regular
Last seen: 15 years 23 weeks ago
Joined: 2005-03-04
Posts: 21
Points: 0

iFrame CSS hacking

Hugo wrote:
gficsh,

why do you ask the question:

"I read somewhere that you can use iFrames for hacking.
Is this true?"


Iframes have been known to be used as part of an 'exploit'

Is this partly your interest ? Smile

When you post please do your level best to make your posts as clear as possible.

Hugo.

sorry for being not precise.
Yes - I read this too - iFrames have been used as exploits and therefore I am wondering if it is "safe" to use them at all.

If it would be ok to use them - the CSS trick would be very handy.

What I found is
http://securityresponse.symantec.com/avcenter/venc/data/iframe.exploit.html
and
http://securityresponse.symantec.com/avcenter/venc/data/iframe.exploit.html

But does that mean that you shoud not use iFrames yourself?

gfisch

Hugo
Hugo's picture
Offline
Moderator
London
Last seen: 5 years 31 weeks ago
London
Joined: 2004-06-06
Posts: 15668
Points: 2806

iFrame CSS hacking

It's ok to use them if you use them in a benevolent way, I don't think they're going to be interefered with as such by a third party.
They are a deprecated element and not much favoured in standards circles though, which is why you wont hear much good said about them..

One of the problems with them - and I guess how they are used as part of an exploit - is the fact that there is an attribute that set to 'yes' allows them to treated as a 'trusted application' by IE and to download hta script plus the fact that you can set the border to transparent blending them with the host page background.

Hugo.

Before you make your first post it is vital that you READ THE POSTING GUIDELINES!
----------------------------------------------------------------
Please post ALL your code - both CSS & HTML - in [code] tags
Please validate and ensure you have included a full Doctype before posting.
Why validate? Read Me

gfisch
gfisch's picture
Offline
Regular
Last seen: 15 years 23 weeks ago
Joined: 2005-03-04
Posts: 21
Points: 0

iFrame CSS hacking

Hugo wrote:
It's ok to use them if you use them in a benevolent way, I don't think they're going to be interefered with as such by a third party.
They are a deprecated element and not much favoured in standards circles though, which is why you wont hear much good said about them..

One of the problems with them - and I guess how they are used as part of an exploit - is the fact that there is an attribute that set to 'yes' allows them to treated as a 'trusted application' by IE and to download hta script plus the fact that you can set the border to transparent blending them with the host page background.

Hugo.

good info - thanks. Well I agree - they are ancient elements but quite handy - at least for my use. I can keep a lot of sites appear up-to-date just by inserting an iFrame with new content. Now beeing able to change one css file and one iFrame object and have ALL sites (that recieve the content) changed in style and content is pretty powerfull.

I am wondering. If you want to convert a static site without CSS to one which is connected to an external CSS file - how would I do it?
a) go through EVERY page manually and insert and control the code
b) search & replace all files of the site?

gfisch

Hugo
Hugo's picture
Offline
Moderator
London
Last seen: 5 years 31 weeks ago
London
Joined: 2004-06-06
Posts: 15668
Points: 2806

iFrame CSS hacking

Well every page would need a link to the external css file, how you achieve that is up to you , manually - a pain for lots of pages 'search and replace' great if you can do that, your choice really.

As for the Iframes and inserted content, PHP is the way to go IMO.

Hugo.

Before you make your first post it is vital that you READ THE POSTING GUIDELINES!
----------------------------------------------------------------
Please post ALL your code - both CSS & HTML - in [code] tags
Please validate and ensure you have included a full Doctype before posting.
Why validate? Read Me