[rep] iframe questions

Discussion in 'Black Hat SEO Tools' started by Grandslam, Mar 28, 2010.

  1. Grandslam

    Grandslam Senior Member

    Joined:
    Apr 23, 2009
    Messages:
    966
    Likes Received:
    313
    If you answer this and actually know what you're talking about, I'll +rep you for helping me out. After all, that's the whole point of rep, right? Please don't bother if you're just guessing.

    1. Do iframes pass on cookies? (saw a post about this and thought I'd ask)

    2. What does the site in the iframe show as the referrer? The site url the iframe is placed on, a blank referrer, framed.php, or something else?

    3. Is there any way the site in the iframe can tell it's being iframed (i.e. only a portion of the page is being viewed) if you take care of the referrer issue? If there is, would scroll bars take care of this? (seen iframes with scroll so you could scroll and view every part of the page, just not everything at once)

    Thanks!
     
    • Thanks Thanks x 1
  2. kenblack

    kenblack Regular Member

    Joined:
    Feb 10, 2010
    Messages:
    365
    Likes Received:
    193
    Location:
    Tropical Paradise
    Home Page:
    1. Yes
    2. On modern browsers, the page that hosts the iframe is the referrer.
    3. Unless the target page scrapes your site to detect how it is being loaded, then no. Some sites like gmail, etc. bounce out of frames/iframes as part of their normal loading process.
     
    • Thanks Thanks x 1
    Last edited: Mar 28, 2010
  3. Grandslam

    Grandslam Senior Member

    Kenblack, thank you for your clear and concise answer, +rep added.

    Say it wasn't a modern browser - what would the referrer show up as? And what are the lowest versions of IE and FF that are considered modern browsers? What % of US internet users would you say have a modern browser?

    Also, let's say I bought a domain that redirected to the page I wanted to be redirected to, and I used the redirecting domain as the url for the iframe - would the referrer be the redirecting domain? Or would it still be the page the iframe is located on? Please ask for clarification if that was too wordy and/or didn't make sense - sometimes it's difficult to describe something when typing it out.

    Also, can anyone confirm what kenblack has said? I'd just like to hear a second opinion.
     
    Last edited: Mar 28, 2010
  4. Grizzy

    Grizzy Senior Member

    Joined:
    Nov 11, 2008
    Messages:
    919
    Likes Received:
    999
    Kenblack I was under the assumption that IE's default privacy setting silently rejects 3rd-party cookies from sites that don't have a generic privacy policy.

    Also, I don't think that your site would have to be scraped in order for a target to figure out it was being iframed. Combined with a little ajax, even the basic "(top.location != self.location)" method to break out of iframes can be made to communicate information back to the server...:eek:
     
    • Thanks Thanks x 2
  5. Grandslam

    Grandslam Senior Member

    So if the site doesn't break out of iframes (unlike associated content which does apparently), you're in the clear?


    Also, looking forward to your reply kenblack - just wanted to let you know so you wouldn't think I forgot about your previous reply. ;)
     
  6. Grizzy

    Grizzy Senior Member

    See I'm not so sure about that. I'm just going on my limited js/ajax knowledge, but I would think if the basic iframe breaker:
    Code:
    <script type="text/javascript">
    if (top.location != self.location) {
        // break out of iframe
        top.location = self.location.href;
    }
    </script>
    
    was modified to something like this
    Code:
    <script type="text/javascript">
    if (top.location != self.location) {
        // call some function that uses XMLHTTP object to pass current url to server
        SendRequest(location.href);
    }
    </script>
    
    the condition (page being framed) would be met and the ajax function would be called, but the iframe would not be broken.
     
  7. Grandslam

    Grandslam Senior Member

    What if you faked the referrer by using a domain whose sole purpose was to redirect to the end site?
     
  8. Grizzy

    Grizzy Senior Member

    The way I see it is the problem isn't your referrer leaking, it's that now the target site can detect when a particular page is being iframed (location.href), and silently place it in a database or something. A compliance person (either at the network or advertiser) could look over that database from time to time to see what affiliates (by looking at url arguments) are iframing what offers.
     
  9. Grandslam

    Grandslam Senior Member

    Is there any way you can do some detective work and find out whether what you're wanting to iframe has this measure in place?
     
  10. kenblack

    kenblack Regular Member

    I read something a while ago.. I think it was CPA God or the like, which has the ability to place CPA ads in an iframe and also masks the referrer. Basically doing exactly what you are looking for. I don't think it's of much use for things other than CPA though.
     
  11. Grandslam

    Grandslam Senior Member

    What's the difference between faking and masking?
     
  12. kenblack

    kenblack Regular Member

    There are no differences. Just two ways to say the same thing. It is referrer faking.
     
  13. Grandslam

    Grandslam Senior Member

    So faking the referrer would solve the problem then huh?

    Do you have any input regarding the location.href issue Grizzy was talking about?
     
  14. kenblack

    kenblack Regular Member

    Grizzy has a good point regarding javascript use.

    For example, refer to this website:
    Code:
    http://www.thesitewizard.com/archive/framebreak.shtml
    which describes how to bust out of frames. I believe this would also be the same for iframes.

    The only way around this (if the CPA network tests for it) is to fake your referrer to be the same as document.location.href (the page that hosts the iframe).
     
    • Thanks Thanks x 1
  15. Grizzy

    Grizzy Senior Member

    Yea as long as you knew what to look for. I would test the iframe (not with your affiliate url of course), and watch each and every http header request with firebug or live http headers or something. I would also do the same with the url but not iframed. If you see anything different in the headers when you iframed the offer, there is your indication something is being triggered.


    Hmm, I'm not sure if you're getting what I'm saying here. The referrer plays no part in the iframe being detected. If the target page has the break out code on it, and that page is framed, the JS condition is met and any code associated to it is executed.

    The use of location.href is just an example of what is possible here, there is more code that could be used to gather information when that breakout code is triggered. But if a cpa network could store the address of a url whenever it is framed (regardless of the referrer), then it makes sense they could also look at the trailing url arguments (?affid=xxxx) and that could tell them that affiliate xxxx is iframing.

    Hope that makes sense.
     
    • Thanks Thanks x 2
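
Added example (not code from any poster in this thread): the detection described in posts 6, 8 and 15, written from the framed site's side, showing that the report is still produced when the referrer is blank. The `/frame-report` endpoint, the `affid` parameter name and the `sampleWindow` stand-in are assumptions made for illustration.

```javascript
// Added example: runs on the framed (target) page.
// "/frame-report" and "affid" are assumed names, not from a real network.

// True when `win` is not the top-level browsing context.
function isFramed(win) {
  return win.top !== win.self;
}

// Build the record a server could store. It uses only what the framed
// page can always read about itself, so a blank referrer does not stop it.
function buildFrameReport(win) {
  if (!isFramed(win)) return null;
  const url = new URL(win.location.href);
  let parentOrigin = null;
  try {
    parentOrigin = new URL(win.document.referrer).origin;
  } catch (e) {
    // Empty or stripped referrer: leave parentOrigin as null.
  }
  return {
    page: url.origin + url.pathname,
    affid: url.searchParams.get("affid"),
    parentOrigin,
  };
}

// Log the framing event without breaking out of the frame.
function reportIfFramed(win) {
  const report = buildFrameReport(win);
  if (report) win.navigator.sendBeacon("/frame-report", JSON.stringify(report));
  return report;
}

// Constructed stand-in for a browser window so the logic runs under Node.
function sampleWindow(href, referrer, framed) {
  const win = { location: { href }, document: { referrer }, sent: [] };
  win.navigator = { sendBeacon: (u, body) => win.sent.push([u, body]) > 0 };
  win.self = win;
  win.top = framed ? {} : win;
  return win;
}

// In a real page: reportIfFramed(window);
if (typeof window !== "undefined") reportIfFramed(window);
```

A site that wants to refuse framing outright, rather than log it, can send the `Content-Security-Policy: frame-ancestors 'self'` response header or the older `X-Frame-Options: SAMEORIGIN`.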
  16. Grandslam

    Grandslam Senior Member

    Great advice. What would I need to look for specifically in live http headers? Like what type/piece of text/code should I be looking for to see if they can detect iframes?
     
  17. Grizzy

    Grizzy Senior Member

    Well I would try and do something like this:

    First test the offer without the iframe. Start live http headers, click on your affiliate link and wait for the advertiser's landing page to load. Copy the results of the live http headers tab into notepad.

    Now test the iframed offer. Like I said, maybe best to do this with someone else's affiliate link and on a domain that won't be linked to you (maybe I'm way too paranoid but better safe than sorry..). Start live http headers and load the page that has the iframed offer in your browser. Again copy the live http results into a notepad document. Of course there are going to be a few headers at the top of those results that have to do with your actual domain you iframed the offer on, so you can ignore or delete those.

    Now you have one notepad file with the http requests from your offer non-iframed and one notepad file with the http requests from your offer iframed.

    Basically all you are going to do is compare the two. If you see POSTs or GETs in the iframed headers that you don't see in the non-iframed headers, that could be a pretty good indication that something funny is going on. Really what you are looking for could be any GET or POST that looks out of place, so the best thing to do is to make sure you have a solid understanding of what each and every header's purpose is. You may have to do a little research into http protocol if you're not already familiar with this stuff..

    Unfortunately this is not a 100% sure fire method to find out if your iframe is being detected, there could be other ways a target site could do this without having to use ajax (making looking at the headers less reliable). In fact, I really don't understand why partial iframing hasn't been eliminated by the networks and advertisers... I'm sure they could do it if they wanted to, as I have already thought of two other ways to do this since I first posted in this thread that would be very hard to thwart.

    I don't really want to go into these other methods here however. PM me if you want to talk more.
     
    • Thanks Thanks x 1
  18. Grandslam

    Grandslam Senior Member

    Wow, you should be at least jr vip just because of your sheer knowledge on this topic - for you to even have 2 other fresh ideas about how to thwart iframing is very impressive. If you get jr vip, you have my vote for executive vip.

    I will PM you if I feel the need to hear your take on your 2 iframing theories, but before I do that let's see what I find using your above tutorial. I'd rather not waste any more of your time if I can help it.

    Thanks again, I really appreciate all your help.
     
    • Thanks Thanks x 1