A researcher discovered an SSRF vulnerability in PDFReactor that allowed reading local files including /etc/shadow and SSH keys by injecting iframe tags with file:// protocol wrappers, ultimately achieving RCE by stealing root-level SSH credentials.
An SSRF vulnerability was discovered in a PDF generator where the attacker bypassed character filters by exploiting a mobile app to inject an iframe payload using forward-slash spacing, then leveraged DNS rebinding to access internal endpoints like elmah.axd and exfiltrate error logs via the web app's PDF function.
A security researcher chained stored iframe injection with CSRF to achieve account takeover by injecting a malicious iframe into a discussion forum that, when loaded by an admin, silently executed a CSRF attack to change the victim's email address. The attack exploited HTML injection in the reply feature combined with an unprotected email change endpoint.
Clickjacking vulnerability in Google Docs where the absence of X-Frame-Options headers allows embedding the service in iframes, enabling attackers to trick users into activating voice typing and recording private conversations via microphone permissions.
A clickjacking vulnerability in Facebook's AJAX endpoint (/ajax/home/generic.php): the endpoint lacked X-Frame-Options headers, allowing attackers to embed it in an iframe and redress the UI to trick victims into adding attackers to secret groups or performing other unintended actions via form submission.
A security researcher discovered a $12,000 intersection of three vulnerabilities in a bitcoin gambling website's chat system: a denial-of-service flaw via malformed URLs that crash the JavaScript client ($2,000), combined with XSS through an unvalidated external redirect endpoint and clickjacking via iframe embedding that enables session hijacking ($10,000). The researcher exploited URL encoding edge cases and double-slash bypass techniques to achieve code execution within the application's context.
A researcher bypassed XSS protection filters using an iframe payload with data URI encoding to achieve stored XSS in a comment box, earning a $150 bounty within 30 minutes. The payload exploited the target's allowlisting of iframe tags while blocking standard script injection vectors.
A bug bounty hunter discovered a DOM-based XSS vulnerability by using Google dorking to find interesting endpoints, then identifying that user input after the URL fragment (#) was being reflected into an IFRAME tag without proper sanitization, allowing injection of JavaScript payloads.
Reflected DOM XSS vulnerability in silvergoldbull.com/bt.html exploitable via base64-encoded URL parameters, combined with clickjacking via iframe injection to steal user credentials through a fake login page. The vulnerability leverages obfuscated JavaScript that decodes and executes user-supplied parameters without proper sanitization.
A writeup demonstrating how to escalate a self-stored XSS vulnerability in an account profile field to steal credentials from other users by injecting a phishing form via iframe and exfiltrating login data to an attacker-controlled server.
DOM-based XSS vulnerability in Google Crisis Map discovered by bypassing client-side URL validation via request interception, then chained with missing X-Frame-Options header to enable clickjacking attacks on published maps. The vulnerability required users to click through an overlaid iframe to trigger JavaScript execution.