doyensec/Session-Hijacking-Visual-Exploitation

WebSocket connections do not check iframe parents

RaulDoyensec opened this issue · 0 comments

When the WebSocket is created, it does not check if it has a parent window to check if it's inside an iframe. For that reason, when exploiting XSS, it will create two different "hooked browsers"; one of them will not be able to use visual mode.

In addition, as the proxy works using iframes, those iframes will also create another "hooked browser".