IFrame Buster killer

on with Leave a reply

IFrames are very common and old technique to display the website content into other website. It’s globally accepted and used all over the web. While it’s famous, people also start thinking to secure their content. So website holders adding Iframe buster to stop access the site throw Iframe.

What is IFrame Busting.

IFrame Busting is nothing but a simple and single line Javascript code. This code will check your present URL and top URL same or not. If both not equal, script will redirect the page to original location. So Iframes are cracked and redirect to original page.

if(self !== top) { top.location = self.location; }

Anti-IFrame buster!

Seriously I don’t have exact solution here. But there are many investigation over Iframe buster to kill the one line disaster. Maybe useful to you in feature, if you may have the same issue.

Client side killer

I was trying to write some Anti-IFrame buster Javascript code to kill the buster. But it was not quite worked for me. There is a lot of discussion in forums like stack overflow.

Server side killer (Solution)

Actually this scenario works for me. You can do something like this before loading the Iframe. Scrape the web page and find the page has Iframe buster code or not. If you found Iframe buster code in source, then just show the message to use, we unable to load this page. I collected few Iframe buster codes that I listed below. You can write the PHP script and find it.

 

Option to disable js from IFrame

I thought in this way. If we can atleast able to disable the JS for Iframe content. We can escape the buster issue. Unfortunately the option doesn’t exist.

Possible Iframe Buster scripts

   top.location = self.location
   top.location.replace(self.location.href);
  window.parent.location.replace(self.location.href);
  top.location = self.location.href
  window.top.location = window.self.location 
  window.open(location.href, '_top');
  top.location.href = self.location.href;

 

Discussion between myself and DaveRandom in statckoverflow php chat room

Gowri:

I want to find the page has redirect or not, I tried to find it using curl. But there is no luck for me. My page is receiving the wesite url from curl request and adding to the iframe. The iframe is normally when I execute I am getting redirect to the orginal website. But Curl is not returning anything. I tried with curl parameter CURLOPT_FOLLOWLOCATION.

Curl request page only contains this

<iframe src=”http://www.crunchbase.com/”>Sorry, your browser doesn’t support iframes.</iframe>

IN the crunch base there is a Iframe buster code, So when I emebed it on my page it redirect.

DaveRandom:

Iframe buster relies on JS, PHP doesn’t execute JS so the redirect never happens
You might call it a “client-side redirect” – and being that it’s client side, the server will never know about it unless it truly emulates the client.

No, all cURL does is retrieve a string. It doesn’t know what it means, it’s the responsibility of the application consuming the library to figure that out

In theory you could knock something up with the V8 extension that would be able to detect stuff like that, but again all I can say is… have fun with that
@gowri Technically it’s the people who put the real site in an iframe who ruined your day, the fact that the “child” site has an iframe buster tells you that the people who put it in an iframe are the ones breaking the rules

Gowri:
I think to scrap and find it but. I am lazy do it . Because there many possiblities of js code can do Iframe buster,but even code can be in external file

I never want to put the person website into my site. I want to know the person is willing to share his site throw Iframe or not. There is technology ruined

DaveRandom:

Well, the thing is, even though they can be implemented in many ways they all work on the same fundamental mechanism at the end – changing window.location.href – so in theory if you can persuade the V8 extension to emulate a browser then you can reasonably easily detect it. But persuade the V8 extension to emulate a browser is non-trivial and possibly not even possible.

Enjoy the Buster 🙂

Posted in Cocktail and tagged by .

About Gowri

I am professional web developer with 4+ years experience. PHP, jQuery, WordPress, Magento and Symfony2 are my key skills in web development. I am working with strong enthusiastic team with spirit. We provide all web related solution like HTML/CSS development, Web graphic design and Logo.

Leave a Reply

Your email address will not be published. Required fields are marked *