Bypassing NoScript Clickjacking Protection.

Recently I discussed the general problems of objects and the contexts in which they may behave like IFRAMEs. Strictly speaking, HTML's multimedia features allow the OBJECT element to include images, iframes, applets and other rich content such as Flash. Previously HTML also allowed content to be fetched through an applet. To embed another document, whether local or remote, we can use the IFRAME, the FRAMESET or the OBJECT element.

Generic embedding of content.

The W3C DTD excerpt below shows all attributes that are allowed on an OBJECT [1]:

<!ELEMENT OBJECT - - (PARAM | %flow;)*
 -- generic embedded object -->
<!ATTLIST OBJECT
  %attrs;                              -- %coreattrs, %i18n, %events --
  declare     (declare)      #IMPLIED  -- declare but don't instantiate flag --
  classid     %URI;          #IMPLIED  -- identifies an implementation --
  codebase    %URI;          #IMPLIED  -- base URI for classid, data, archive --
  data        %URI;          #IMPLIED  -- reference to object's data --
  type        %ContentType;  #IMPLIED  -- content type for data --
  codetype    %ContentType;  #IMPLIED  -- content type for code --
  archive     CDATA          #IMPLIED  -- space-separated list of URIs --
  standby     %Text;         #IMPLIED  -- message to show while loading --
  height      %Length;       #IMPLIED  -- override height --
  width       %Length;       #IMPLIED  -- override width --
  usemap      %URI;          #IMPLIED  -- use client-side image map --
  name        CDATA          #IMPLIED  -- submit as part of form --
  tabindex    NUMBER         #IMPLIED  -- position in tabbing order --
  >

Embed content via an OBJECT.

Normally, CODEBASE and CLASSID are used to fetch the data for an OBJECT, much as with APPLETs. However, the DATA attribute makes it possible to render an OBJECT as an embedded IFRAME, as the example below shows. In figure 1 we see a regular IFRAME that is successfully blocked by NoScript. Figure 2 shows an OBJECT that is rendered as an IFRAME, successfully bypassing the IFRAME protection.

Figures 1 and 2: http://www.0x000000.com/images/iframeobject.gif

The code below allows for remote embedding as seen in figure 2.

<object data="http://www.google.com" width="200" height="200"></object>

This will successfully fetch the document residing on the remote server and start to act as an IFRAME. The latest version of NoScript allows its users to block iframes in order to protect themselves from "Clickjacking". Whether or not Clickjacking works with iframes, I do not know, since the details have not been released by Hansen, Grossman et al. [2]. Certainly NoScript's current protection will fail if an OBJECT is used in place of an IFRAME, so its protection can be bypassed outright.

[1] http://www.w3.org/TR/REC-html40/struct/objects.html
[2] http://ha.ckers.org/blog/20080915/clickjacking/
source: OWASP News