Can I use iframe XSS?
I have a site, let's call it parent.com, that embeds a third-party plugin from child.com in an iframe. I have found an XSS vulnerability on child.com.
The embedded page from child.com contains a form that POSTs to another page on the same domain. I can exploit the vulnerability by submitting the form. I intercept the POST request with Burp, and insert my payload into it. The payload is then executed.
My problem is that the payload runs inside the iframe on the child.com domain. My goal is to compromise parent.com (in order to win a bug bounty). Is it possible to use this vulnerability to accomplish that somehow? For example, can I somehow make the form submit to parent.com instead?
Iframes have a special tag called "sandbox" that sets how to treat the content of the iframe. Using that tag, you can granularly set permissions to allow an iframe to interact with the parent. Normally iframes are pretty restrictive as to how they can affect a parent when loaded from a different domain, but if you see things like allow-same-origin, allow-scripts, allow-top-navigation, etc., then there may be case-specific ways to exploit it.
[edit] Most cases of iframe XSS attacks do not actually involve injecting arbitrary code into the parent website. Instead they are typically one of the following:

1. You take control of the child website and replace it with something like a fake login form to make people think that they are logging into the parent website to access the content, when you are really phishing their credentials.

2. You distribute a "useful" service that other programmers embed in their sites, which you actually use to phish private information. Then you prey on people's trust of these other websites to get them to give you something useful. For example: a tax bracket calculator that asks for your name, address, and SSN.

3. Instead of parent.com, you make an evil twin website called parents.com that contains parent.com inside of an iframe so that it behaves just like the real site, but your version of the website is collecting the end user's private information.

So, the most likely way for you to be able to exploit this scenario would be if you could replace the form with something that looks like a login form for parent.com and post not to parent.com, but to something that you actually control, to steal user credentials.
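As an added example (not part of the question or the answer above), here is a small JavaScript audit of the sandbox attribute the answer refers to: given the attribute value of an iframe, it reports which capabilities the embedding page has granted to the framed document and flags the combinations worth a second look. The function names assessSandbox and auditDocument are my own, and the sample values are constructed.

```javascript
// Meaning of the sandbox tokens an auditor most often cares about.
const TOKEN_MEANING = {
  'allow-scripts': 'framed page may run JavaScript',
  'allow-same-origin': 'framed page keeps its real origin (cookies, storage)',
  'allow-forms': 'framed page may submit forms',
  'allow-top-navigation': 'framed page may navigate the top-level (embedding) page',
  'allow-popups': 'framed page may open new windows',
};

// sandboxValue: the iframe's sandbox attribute, or null when the attribute is absent.
// Returns { level, grants, notes } describing what the embedder has allowed.
function assessSandbox(sandboxValue) {
  if (sandboxValue === null) {
    return { level: 'unsandboxed', grants: [],
             notes: ['no sandbox attribute: the frame has every capability of a normal cross-origin frame'] };
  }
  // Tokens are whitespace-separated and case-insensitive; an empty value means "restrict everything".
  const tokens = new Set(sandboxValue.trim().toLowerCase().split(/\s+/).filter(Boolean));
  const grants = [...tokens]
    .filter((t) => Object.prototype.hasOwnProperty.call(TOKEN_MEANING, t))
    .map((t) => TOKEN_MEANING[t]);
  const notes = [];
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    // A same-origin framed document with both tokens can reach parent.document and
    // strip the sandbox attribute itself, so the sandbox is no barrier against same-origin content.
    notes.push('allow-scripts + allow-same-origin: ineffective against same-origin framed content');
  }
  if (tokens.has('allow-top-navigation')) {
    // This is the token that lets framed content redirect the whole page, e.g. to a look-alike login page.
    notes.push('allow-top-navigation: framed content may redirect the embedding page');
  }
  const level = tokens.size === 0 ? 'fully-sandboxed' : (notes.length ? 'risky' : 'restricted');
  return { level, grants, notes };
}

// Run in the embedding page's console: audit every iframe in the live document.
function auditDocument(doc) {
  return [...doc.querySelectorAll('iframe')].map((f) => ({
    src: f.getAttribute('src'),
    ...assessSandbox(f.getAttribute('sandbox')),
  }));
}

// Constructed sample attribute values, in the shape f.getAttribute('sandbox') returns.
const SAMPLES = {
  thirdPartyPlugin: null,
  lockedDown: '',
  widget: 'allow-scripts allow-forms',
  permissive: 'allow-scripts allow-same-origin allow-top-navigation',
};
```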