Because the user is logged in and has a cookie, the victim site trusts the
user’s browser.
The attacker gets the user's browser to execute a command on the victim site,
e.g. request a link or post a form. The command has permanent effects.
A frame can navigate its immediate children. Why is it designed such that it
can’t navigate its children’s children too?
Consider a website with a login frame, where the user inputs passwords. The
attacker can put this website inside a frame and navigate to the login frame and
steal passwords.
...