The other script was very simple, but a little more interesting – the code (prettified) is shown below:
The code essentially enumerates all iframes within the page and attempts to remove any deemed to be suspicious (set to be invisible, or with small width/height) with a different name attribute to that above. Hence the title of this blog entry – “Defensive Iframing”.
To illustrate the script in action, consider a page containing content loaded from 4 iframes (green, blue, orange and black). The page is then compromised with a malicious iframe added (“red cross”), together with a script that sequentially removes all other iframes.
You get the idea.
Exactly how successful the technique is at preventing other malicious iframes from delivering their payload before they are removed depends on a number of factors, not least exactly when the check_content() function is called and the position of the various elements within the page. Brief testing suggests there are browser dependencies that affect the timing of events as well.
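The same "invisible or very small" heuristic can be used by a site owner to audit a page for injected iframes. The following is an added example, not the script from the original post: it only reports and never removes, and the 10px threshold, the descriptor fields and the allow-list are assumptions chosen for illustration.

```javascript
// Added example: audit-only version of the hidden/tiny iframe heuristic.
// Threshold and descriptor shape are assumptions, not taken from the original script.
const MAX_TINY_PX = 10; // assumed cut-off for "small" width/height

// Parse an inline style string ("display:none; width:1px") into a lower-cased map.
function parseStyle(style) {
  const out = {};
  for (const decl of (style || "").split(";")) {
    const i = decl.indexOf(":");
    if (i > 0) out[decl.slice(0, i).trim().toLowerCase()] = decl.slice(i + 1).trim().toLowerCase();
  }
  return out;
}

// Convert "1" or "1px" to a number; percentages and unparsable values return null.
function toPx(value) {
  if (value === undefined || value === null) return null;
  const m = /^(\d+(?:\.\d+)?)(px)?$/.exec(String(value).trim().toLowerCase());
  return m ? Number(m[1]) : null;
}

// Return the reasons an iframe looks hidden; an empty list means it looks normal.
function suspiciousReasons(frame) {
  const css = parseStyle(frame.style);
  const reasons = [];
  if (css.display === "none") reasons.push("display:none");
  if (css.visibility === "hidden") reasons.push("visibility:hidden");
  for (const dim of ["width", "height"]) {
    // Inline CSS overrides the HTML attribute, so prefer it when present.
    const px = toPx(css[dim] !== undefined ? css[dim] : frame[dim]);
    if (px !== null && px <= MAX_TINY_PX) reasons.push(`${dim}<=${MAX_TINY_PX}px`);
  }
  return reasons;
}

// Report suspicious iframes, skipping names the site owner has allow-listed.
function auditIframes(frames, allowedNames = []) {
  return frames
    .filter((f) => !allowedNames.includes(f.name))
    .map((f) => ({ name: f.name, src: f.src, reasons: suspiciousReasons(f) }))
    .filter((r) => r.reasons.length > 0);
}

// Constructed sample: descriptors as they might be extracted from saved HTML.
const sampleFrames = [
  { name: "green", src: "https://example.com/a", width: "300", height: "250", style: "" },
  { name: "tracker", src: "https://example.net/x", width: "1", height: "1", style: "" },
  { name: "promo", src: "https://example.org/y", width: "300", height: "250", style: "visibility: hidden" },
  { name: "widget", src: "https://example.com/w", width: "100%", height: "0", style: "display:none" },
];
console.log(auditIframes(sampleFrames, ["widget"]));
```

In a browser, the descriptors can be built from `document.getElementsByTagName("iframe")` by reading each element's `name`, `src`, `width`, `height` and `style` attributes.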