Frame Counting
October 1, 2020
Window references allow cross-origin pages to get access to some of the attributes of other pages. These references become available when using or allowing `iframe` and `window.open`. The references provide (limited) information about the window as they still respect the same-origin policy.
One of the accessible attributes is `window.length`, which provides the number of frames in the window. This attribute can provide valuable information about a page to an attacker.
Websites commonly use frames (or `iframes`) and this choice doesn't necessarily imply security issues. There are, however, cases where a website might change the number of frames on a page depending on some user information. For example, this could happen on a page that changes its layout depending on the `GET` parameters and the victim's data. It might be possible for an attacker to infer information about the victim by measuring the value of `window.length` on different pages.
Code Snippet
The below snippet demonstrates how to access the information about the number of frames on a cross-site page:
```javascript
// Get a reference to the window (the opener keeps a cross-origin WindowProxy)
var win = window.open('https://example.org');
// Wait for the page to load
setTimeout(() => {
  // Read the number of iframes loaded; window.length is readable cross-origin
  console.log("%d iframes detected", win.length);
}, 2000);
```
Attack Alternatives
In some cases, different application states have the same number of frames, preventing attackers from being able to distinguish them. However, continuously recording the frame count while the page is loading may show a pattern that might leak information to an attacker:
```javascript
// Get a reference to the window
var win = window.open("https://example.org");
var pattern = [];
// In a loop, register the number of iframes at a 60ms interval
var recorder = setInterval(() => {
  pattern.push(win.length);
}, 60);
// Break the loop after 6 seconds and print the recorded sequence
setTimeout(() => {
  clearInterval(recorder);
  console.log("The pattern is: %s", pattern.join(', '));
}, 6 * 1000);
```
Case Scenarios
Some examples of frame counting attacks are:
- A website lets a user search for user information in a search engine. If the page structure has a different number of `iframes` depending on whether there are results to the user query, an attacker could use the XS-Search technique to leak those secrets.
- A website structures the user profile page differently based on gender or other PII. An attacker can easily leak this information by opening the page and counting frames.
Defense

Attack Alternative | SameSite Cookies (Lax) | COOP | Framing Protections | Isolation Policies
---|---|---|---|---
iframes | ✔️ | ❌ | ✔️ | FIP
windows | ❌ | ✔️ | ❌ | NIP
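As an added defender-side example (not code from the XS-Leaks wiki), the function below maps the columns of the table above onto a server response's headers and reports which of the two frame-counting vectors is still open. It assumes a `headers` object with lower-case header names, as Node's `http` module provides, where `set-cookie` may be a string or an array.

```javascript
// Audit a response's headers against the frame-counting defense table.
// Hypothetical helper names; the header values checked are the real ones.

function hasFramingProtection(headers) {
  // X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors 'none'/'self'
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return true;
  const csp = headers['content-security-policy'] || '';
  const m = /frame-ancestors\s+([^;]+)/i.exec(csp);
  if (!m) return false;
  const sources = m[1].trim().toLowerCase();
  return sources === "'none'" || sources === "'self'";
}

function hasCoop(headers) {
  // Either value severs the opener's reference when the opener is cross-origin,
  // so window.open from an attacker page no longer sees the frame count.
  const coop = (headers['cross-origin-opener-policy'] || '').trim().toLowerCase();
  return coop === 'same-origin' || coop === 'same-origin-allow-popups';
}

function cookiesAreLaxOrStricter(headers) {
  // Every Set-Cookie must carry SameSite=Lax or Strict; with no cookies
  // at all we cannot confirm protection and report the vector as open.
  let cookies = headers['set-cookie'] || [];
  if (!Array.isArray(cookies)) cookies = [cookies];
  if (cookies.length === 0) return false;
  return cookies.every(c => /;\s*samesite=(lax|strict)\b/i.test(c));
}

function auditFrameCounting(headers) {
  return {
    // iframe vector: Lax cookies keep the frame anonymous; framing
    // protections stop the embed entirely.
    iframe: (cookiesAreLaxOrStricter(headers) || hasFramingProtection(headers))
      ? 'protected' : 'open',
    // window.open vector: a top-level navigation still sends Lax cookies and
    // ignores framing protections, so only COOP closes it.
    window: hasCoop(headers) ? 'protected' : 'open',
  };
}

// Constructed sample responses: a weak one and a hardened one.
const weakHeaders = { 'set-cookie': 'session=abc; HttpOnly' };
const hardenedHeaders = {
  'set-cookie': ['session=abc; HttpOnly; SameSite=Lax'],
  'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
  'cross-origin-opener-policy': 'same-origin',
};
```

Running `auditFrameCounting` over the two constructed header sets reports both vectors open for the weak response and both protected for the hardened one.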
Real World Example
A vulnerability reported to Facebook used this technique to leak user-related information such as specific content published in posts, religious information about friends, or photo locations [1].
A vulnerability on GitHub demonstrates how private repositories could have been exposed using this technique as well [2].