CAPEC-222: iFrame Overlay
In an iFrame overlay attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingly completely different system.
Last updated
Overview
While being logged in to some target system, the victim visits the adversarys' malicious site which displays a UI that the victim wishes to interact with. In reality, the iFrame overlay page has a transparent layer above the visible UI with action controls that the adversary wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the adversary may have just tricked the victim into executing some potentially privileged (and most undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks they are clicking on versus what they are actually clicking on.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Craft an iFrame Overlay page] The adversary crafts a malicious iFrame overlay page.
- The adversary leverages iFrame overlay capabilities to craft a malicious iFrame overlay page.
- Step 2Exploit
[adversary tricks victim to load the iFrame overlay page] adversary utilizes some form of temptation, misdirection or coercion to trick the victim to loading and interacting with the iFrame overlay page in a way that increases the chances that the victim will visit the malicious page.
- Trick the victim to the malicious site by sending the victim an e-mail with a URL to the site.
- Trick the victim to the malicious site by manipulating URLs on a site trusted by the victim.
- Trick the victim to the malicious site through a cross-site scripting attack.
- Step 3Exploit
[Trick victim into interacting with the iFrame overlay page in the desired manner] The adversary tricks the victim into clicking on the areas of the UI which contain the hidden action controls and thereby interacts with the target system maliciously with the victim's level of privilege.
- Hide action controls over very commonly used functionality.
- Hide action controls over very psychologically tempting content.
What the attacker needs
Prerequisites
- The victim is communicating with the target application via a web based UI and not a thick client. The victim's browser security policies allow iFrames. The victim uses a modern browser that supports UI elements like clickable buttons (i.e. not using an old text only browser). The victim has an active session with the target system. The target system's interaction window is open in the victim's browser and supports the ability for initiating sensitive actions on behalf of the user in the target system.
Skills required
- High skill: Crafting the proper malicious site and luring the victim to this site is not a trivial task.
Resources required
- None: No specialized resources are required to execute this type of attack.
Consequences
What a successful CAPEC-222 attack can achieve.
Modify Data
Affects: Integrity
Read Data
Affects: Confidentiality
Execute Unauthorized Commands
Affects: Authorization
Run Arbitrary Code
Gain Privileges
Affects: Accountability, Authentication, Authorization, Non-Repudiation
Bypass Protection Mechanism
Affects: Access Control, Authorization
How to mitigate it
Defenses that reduce the risk of CAPEC-222.
- Configuration: Disable iFrames in the Web browser.
- Operation: When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. Finish working with the target system and logout first before proceeding to other tasks.
- Operation: If using the Firefox browser, use the NoScript plug-in that will help forbid iFrames.
Examples
The following example is a real-world iFrame overlay attack [2]. In this attack, the malicious page embeds Twitter.com on a transparent IFRAME. The status-message field is initialized with the URL of the malicious page itself. To provoke the click, which is necessary to publish the entry, the malicious page displays a button labeled "Don't Click." This button is aligned with the invisible "Update" button of Twitter. Once the user performs the click, the status message (i.e., a link to the malicious page itself) is posted to their Twitter profile.
Frequently asked questions
Common questions about CAPEC-222.
- What is CAPEC-222?
- In an iFrame overlay attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingly completely different system.
- How does a iFrame Overlay attack work?
- It typically unfolds over 3 phases. It begins with: [Craft an iFrame Overlay page] The adversary crafts a malicious iFrame overlay page.
- How do you prevent CAPEC-222?
- Configuration: Disable iFrames in the Web browser.
- What weaknesses does CAPEC-222 target?
- CAPEC-222 exploits 1 CWE weakness, including CWE-1021 (Improper Restriction of Rendered UI Layers or Frames).
- How severe is CAPEC-222?
- MITRE rates CAPEC-222 as High severity with medium likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-222
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.