Hacker News new | ask | show | jobs
by homakov 4817 days ago
exactly, and vk.com (biggest social network in europe) is a showcase. They use such framebreaker:

   if (parent && parent != window && (browser.msie || browser.opera || browser.mozilla || browser.chrome || browser.safari || browser.iphone)) {
      document.getElementsByTagName('body')[0].innerHTML = '';
    }
It cannot be bypassed with NoContent trick by the way. Because it removes body, not navigates the parent
2 comments
tptacek 4817 days ago
Isn't that exactly the kind of framebuster Boneh says doesn't work?
link
homakov 4816 days ago
I don't think so, what bypasses this one? (besides sandbox and XSS Auditor trick)
link
tptacek 4816 days ago
Read the paper I posted up thread.
link
homakov 4816 days ago
Table 2: Frame busting conditional statement

we consider following tricks:

document.write('')

setTimeout(function(){document.body.innerHTML='';},1);

window.self.onload = function(evt){document.body.innerHTML='';}

None of them was bypassed further in the paper. (I used Ctrl+F)

link
homakov 4816 days ago
double checked http://seclab.stanford.edu/websec/framebusting/framebust.pdf there are many parent-navigation bypasses in this paper but nothing for innerHTML='' (not taking into account sandbox and xss auditor)
link
esailija 4816 days ago
What are the browser checks for?
link