When using iFrame in a web page it is important to configure it as a sandbox and set only the attributes need to run.
The below infromation and sandbox attributes can be found here … https://www.w3schools.com/tags/att_iframe_sandbox.asp
“The sandbox attribute enables an extra set of restrictions for the content in the iframe.
When the sandbox attribute is present, and it will:
- treat the content as being from a unique origin
- block form submission
- block script execution
- disable APIs
- prevent links from targeting other browsing contexts
- prevent content from using plugins (through <embed>, <object>, <applet>, or other)
- prevent the content to navigate its top-level browsing context
- block automatically triggered features (such as automatically playing a video or automatically focusing a form control)
The value of the sandbox attribute can either be just sandbox (then all restrictions are applied), or a space-separated list of pre-defined values that will REMOVE the particular restrictions.”
To get a better understanding of using iFrame attributes there is an example here …
Python Script to find iFrames
This script which will look at a websites url and search for “<iframe”, “</iframe>” and “sandbox=” which would indicate there is an iframe on the website and is it is sandboxed.
Below is an example of the script finding an iFrame on a website with a sandbox value.
At the moment there is a problem if the website is behind a WAF, this looks to be down to the how the certificate is managed.