Basic Information

This form of abusing XSS via iframes to steal information from the user moving across the web page was originally published in these 2 post from trustedsec.com: here and here.

The attack start in a page vulnerable to a XSS where it’s possible to make the victims don’t leave the XSS by making them navigate within an iframe that occupies all the web application.

The XSS attack will basically load the web page in an iframe in 100% of the screen. Therefore, the victim won't notice he is inside an iframe. Then, if the victim navigates in the page by clicking links inside the iframe (inside the web), he will be navigating inside the iframe with the arbitrary JS loaded stealing information from this navigation.

Moreover, to make it more realistic, it’s possible to use some listeners to check when an iframe changes the location of the page, and update the URL of the browser with that locations the user things he’s is moving pages using the browser.

Moreover, it's possible to use listeners to steal sensitive information, not only the other pages the victim is visiting, but also the data used to filled forms and send them (credentials?) or to steal the local storage...

Ofc, the main limitations are that a victim closing the tab or putting another URL in the browser will escape the iframe. Another way to do this would be to refresh the page, however, this could be partially prevented by disabling the right click context menu every time a new page is loaded inside the iframe or noticing when the mouse of the user leaves the iframe, potentially to click the reload button of the browser and in this case the URL of the browser is updated with the original URL vulnerable to XSS so if the user reloads it, it will get poisoned again (note that this is not very stealth).