This test page demonstrates a security vulnerability where an iframe is given both form submission and script execution capabilities through the sandbox attribute, creating potential phishing risks.
allow-forms and allow-scripts sandbox
directives without proper navigation restrictions, enabling sophisticated phishing attacks.
Test Case
<iframe
src="../assets/iframe-content.html"
sandbox="allow-scripts allow-forms"
width="100%"
height="300"
></iframe>Explanation
While allowing forms and scripts individually in a sandbox is often necessary for functionality, the combination creates elevated risks:
- Scripts can dynamically create and manipulate forms
- Forms can be pre-filled with misleading information
- Form submissions can be intercepted and data exfiltrated
- Form targets can be dynamically changed
- The combination enables sophisticated social engineering attacks
When allow-forms and allow-scripts are combined without proper navigation restrictions, malicious content could trick users into submitting sensitive information.
How Pink Sock detects this issue:
Pink Sock analyzes the sandbox attribute on iframe elements and flags the combination of allow-forms and
allow-scripts without proper user activation requirements as a medium-severity security issue,
especially for cross-origin content.
How to fix:
Consider these approaches to mitigate the risk:
- Only allow one capability if possible (forms or scripts but not both)
- Add user activation requirements for navigation
- Restrict form submission targets
- Implement proper Content Security Policy (CSP)
If both capabilities are needed, add user activation requirements:
<iframe
src="../assets/iframe-content.html"
sandbox="allow-scripts allow-forms allow-top-navigation-by-user-activation"
width="100%"
height="300"
></iframe>This ensures navigation can only occur after explicit user interaction, reducing the risk of automatic form submissions to malicious endpoints.
Additional Information
Risk Assessment
The risk level of this vulnerability depends on several factors:
| Factor | Lower Risk | Higher Risk |
|---|---|---|
| Content Origin | Same origin, trusted source | Cross-origin, third-party content |
| Navigation Capabilities | No navigation allowed | Unrestricted navigation |
| Content Type | Static, verified content | Dynamic, user-generated content |
| Context | Non-sensitive information | Financial or authentication context |
Attack Vector Example
A malicious iframe with form and script capabilities could:
- Create a form that visually mimics a legitimate authentication form
- Pre-fill the form with contextually relevant information (through JavaScript) to increase credibility
- Use scripts to validate input, creating the impression of a legitimate form
- Submit the form to an attacker-controlled endpoint
- Show a success message and redirect to maintain the illusion of legitimacy
Defense in Depth
Beyond sandbox restrictions, consider implementing:
- Content Security Policy (CSP) with form-action directive to restrict submission targets
- Subresource Integrity (SRI) for loaded scripts
- Cross-Origin Resource Sharing (CORS) restrictions
- X-Content-Type-Options header to prevent MIME sniffing
- Anti-CSRF tokens for important forms