iFrames have been getting a bad reputation lately thanks to some unscrupulous hackers, spammers and outright thieves using this cool feature for the installation of malware and/or invisibly running scripts on pages.

iFrame Security

The basics of iframe security.

Certain scripts for iframes will only work on the same domain

For security reasons, certain types of iframe scripts will only work if the target pages are on the same domain. Our resizeable iframe script is one such script.

iframe Script Injection

Scripts that run inside of an iframe can affect the parent page.

Here are some examples where you can see how the scripts inside of an iframe will basically control someone's browser.

Hackers have been able to put 'invisible' iframes on pages, through which they can later control the webpage. This can be used to log someone's IP address (a privacy concern), inject code onto their computer, infect them with viruses or even steal credit card numbers.

Most famously, there are some viruses coming out of hosts in Russia and China that automatically log into your FTP client, and they will install an invisible iframe on all pages in your hosting account that are named "index.html" and such.

Invisible iframe

An invisible iframe can be an iframe without any frameborders and only 1 pixel high by 1 pixel wide.

Here is a demonstration of some harmless code injections via an invisible iframe:


Try these links to see how scripts can be injected via an invisible iframe! When you click on any of the links below, a page is loaded into the 'invisible' iframe that you cannot see, but the scripts will affect this browser session:

  • Alert injected via the invisible iframe
  • Popunder (it will open Yahoo!)
  • Disable BACK button (this would annoy your site's visitors for sure!)

Security Attribute in Internet Explorer

Microsoft IE6 and above let you turn off JavaScript in iframes. Firefox and other browsers do NOT support this!

How it works:

The attribute value must be restricted. Because SECURITY is an attribute only, it must be defined in the frame element declaration. If a frame is restricted by the SECURITY attribute, all nested frames share the same restrictions.

The SECURITY attribute applies the user security setting Restricted Sites to the source file of a frame or iframe. (Zone settings are found on the Security tab of the Internet Options dialog box.)

The SECURITY attribute also affects the behavior of hyperlinks and forms inside a restricted frame or iframe.

This works in IE:

<IFRAME SECURITY="restricted" src="http://www.microsoft.com"></IFRAME>

<A HREF="javascript:alert('Disallowed in restricted FRAME or IFRAME!');">JavaScript Link</A>

To find out more about how this works, see the Microsoft Developers' Network page on iframe Security.

iframe Viruses and Trojans

The bad guys discover iframes and their vulnerabilities

How the bad guys exploit this:

There is currently a problem with the Win32/Rustock virus, which puts the following iframe in every single index page on all of your hosting accounts (index.php, index.htm, index.html, index.asp...).

Here is what it will look like in your code. If you see this as a link anywhere, DON'T click on it. We have inserted it here as an image to be extra safe in case we get some careless visitors. :)

[Image: iframe virus]

If you see something like the above in your code, you have a problem. This is a rootkit virus.

How To Remove the Iframe Virus/Malware

This nasty virus is a Windows virus that sniffs the internet connection for user names and passwords of FTP accounts. Then it downloads all index and/or default files from all hosts where the FTP client has access. Next, the virus adds the iframe or JavaScript code, then logs in through the FTP client and uploads the infected files.

This virus is known as:

  • Win32/Rustock
  • Trojan.Script.Iframe

To remove it:

  1. STOP using your FTP client.
  2. After scanning your system carefully with an up-to-date virus scanner, download and install WinSCP and stop storing your passwords locally. Then change your passwords.
  3. Find the bug. To get the list of infected files, use either grep or find from a shell prompt (you will need SSH access to the server). For example, with find:

find $PWD \( -name "*.php" -o -name "*.html" -o -iname "*.htm" \) -exec grep -l "income" {} \;

You can also check the timestamps of the files: if index.html or any other file has changed and you did not change it on purpose, you are infected. I'm using the -mtime parameter of find to check for infected files:

find . -mtime -2

This lists all files that were modified in the last 48 hours.

Malware Removal
You can remove the malware by simply deleting the injected code (sample above) from the affected files. If you need to clean up hundreds of infected files, script the search and removal rather than editing each file by hand.

Another way for the less tech savvy is to create a subdirectory on your PC and download all of your files back from the server, then use DreamWeaver's global search facility to find any hidden iframes.
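The "find the bug" and bulk clean-up steps above, as an added example that is not part of the original page: a small Python script that walks a site directory, reports every iframe that is 0 or 1 pixel in size or hidden by CSS, and removes them when asked, while leaving ordinary borderless iframes alone. It assumes each injected tag sits on one line, as in the infections described above; the sample page is constructed.

```python
import re
from pathlib import Path

# Any <iframe ...> tag plus its optional closing tag. Assumption: the injected
# markup is a single tag on one line, as in the infections described above.
IFRAME_RE = re.compile(r'<iframe\b[^>]*>(?:\s*</iframe>)?', re.IGNORECASE)
DIM_RE = re.compile(r'\b(width|height)\s*=\s*["\']?\s*(\d+)', re.IGNORECASE)
STYLE_RE = re.compile(r'visibility\s*:\s*hidden|display\s*:\s*none', re.IGNORECASE)

def is_hidden(tag):
    """True if the iframe is 0 or 1 px in either dimension or hidden by CSS."""
    if STYLE_RE.search(tag):
        return True
    return any(int(v) <= 1 for _, v in DIM_RE.findall(tag))

def find_hidden_iframes(html):
    """Return the invisible iframe tags found in a page's HTML."""
    return [m.group(0) for m in IFRAME_RE.finditer(html) if is_hidden(m.group(0))]

def strip_hidden_iframes(html):
    """Return (cleaned_html, removed_count) with invisible iframes deleted."""
    removed = 0
    def repl(m):
        nonlocal removed
        if is_hidden(m.group(0)):
            removed += 1
            return ''
        return m.group(0)
    return IFRAME_RE.sub(repl, html), removed

def scan_tree(root, clean=False):
    """Map each infected page under root to its hidden iframes; clean if asked."""
    hits = {}
    for path in Path(root).rglob('*'):
        if path.suffix.lower() not in ('.html', '.htm', '.php', '.asp') or not path.is_file():
            continue
        html = path.read_text(errors='replace')
        found = find_hidden_iframes(html)
        if found:
            hits[str(path)] = found
            if clean:
                path.write_text(strip_hidden_iframes(html)[0])
    return hits

# Constructed sample: an injected 1x1 frame right after <body> next to a
# legitimate borderless iframe that must survive cleaning.
SAMPLE = ('<body><iframe src="http://example.invalid/x" width="1" height="1" '
          'frameborder="0"></iframe>\n<h1>Home</h1>\n'
          '<iframe name="test" src="page-1.html" frameborder="0"></iframe></body>')
```

Run scan_tree on a downloaded copy of the site first (clean=False) and review the report before cleaning in place, and keep a backup of the originals.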

How can you get this nasty bug?
1. A client-side PC gets infected with the virus from search results.
2. The virus gets FTP usernames and passwords from common FTP clients.
3. Using the username/password, the virus then downloads the index files, adds the iframe code to them and re-uploads them to the web server. The Russian viruses put this iframe RIGHT AFTER the <body> tag.
4. The iframe code points to the same virus. So anyone accessing this website gets infected with the same virus, and it spreads again!

What to do?

  2. NEVER upload your FTP log when using WS FTP! Many people upload all the files in a directory, including their log file, which contains passwords.
  3. Ensure that your code is free from such vulnerabilities.
  4. Change all the FTP passwords regularly, keep them safe, and use a combination of letters, numbers and special characters.
  5. Before entering the new password in your FTP client, perform a full system virus scan with a reliable virus scanner updated with the latest virus definition files.
  6. Also try not to save (remember) the FTP username/password in FTP clients or on public computers.
  7. Check the website files for any unrecognizable or encrypted code that is not known to you or is not part of the website's function. If found, follow the steps above and update the web pages with the proper code.
  8. Use WinSCP, which so far appears to be immune to these bugs.
  9. Keep a non-rewritable CD or DVD-ROM backup of all of your sites so you can do a quick restore!

But wait, it gets worse...
These fiends have now begun to infect .htaccess files, which nobody ever checks and which do not even show up in your directory listings in most FTP clients!

Other iframe Security Risks

A summary of some other risks...

Browser cross domain exploits

Since you can embed another entire web site inside of your page, an attacker can exploit that page and perform actions on that site as if they were an authorized user.

Find out more:
Safari beta 3.03 zero day

XSS/CSRF reflection attacks

Using iframes embedded on a compromised site, an attacker can then direct attacks at other servers and infect new machines as outlined above. This is also known as creating "zombie" machines, which the attacker can then control.

CSS and iframes can scan your LAN from the internet!

Through certain features of CSS used in concert with iframes, a malicious hacker can check your IP address and see if it is possible to get your network address range. If so, and your system was set up using defaults, a hacker can quickly guess your hardware's out-of-the-box IP address.

See it done here:
CSS LAN scanner

Another way:

Here is a small iframe that will read your IP address. We do not do anything with it, but put it into an alert that tells you your IP address when you click the link. A malicious hacker could theoretically log your IP address and begin to gather more information from it...

As you can see, it displays your IP address. We do not log IP addresses!

LAN scanning with Javascript and iframes

Using a methodology very similar to the one above, it is possible to get your LAN information using JavaScript.

See here:
JavaScript LAN scanner

CSS iframe overlays

Iframes can be embedded inside each other in Firefox, and you can alter their appearance to create seamless overlays with any site. This would make it very difficult for a user to know which site they are interacting with and fool them into performing an action.

See more:
Verisign OpenID exploit (now fixed)

URL redirection

Iframes also allow you to perform redirection so you can reach URLs which normally wouldn't be accessible. In the delicious example, the POC redirects from delicious/home to your account bookmarks and then uses CSS overlays to display your first bookmark. Firefox and a delicious account are required for the POC.

Sample iFrame HTML

Below is a demonstration of two iframes, one with frameborders and the other without. You can dynamically load different content by clicking on the two links below each frame. Page-2 has a colored background so that you can easily see the boundaries of the iframe in the borderless example.

To direct a link to open inside of an iframe, the code is simple. You merely name the iframe, and then set the link as shown below. We have named our iframe "test". We then set the link to open in target="test".

Iframe with frameborders

page-1 | page-2 <-- You can navigate by clicking on these links.

Iframe without frameborders

page-1 | page-2

View just the code for these iframes and the navigation.



Can I use the "align" attribute?

The "align" attribute is being deprecated by the folks at W3C, the official standards organization for the World Wide Web.

Can I embed an iframe within an iframe?

Yes. You can use an iframe to contain sub-iframes. There are some translation pages which use this. Here is an example:

Translation Polish

They use nested iframes.

How can I load another page at say, the halfway mark?

You can, if it is on your domain and you have access to the code. Simply insert an anchor tag at that point and direct the iframe to open there.

See our example on our samples page.
