Can an attacker change the src attribute in an iframe?

I have a website that uses IFrame in a page that loads other pages based on server side logic. So, if I do a View source, I would see something like this:

<iframe src="DeterminedOnServerSide.aspx" id="myFrame"&g开发者_如何学编程t;
</iframe>

My question is - Is there any way, an attacker can change the src attribute to point other users to a malicious website considering that the src is determined on the server side?

Yes or no. You have not specified how "DeterminedOnServerSide.aspx" is determined. If your code for this consists of DeterminedOnServerSide = Server.Request["frame"] then it can clearly be 'hacked'. If you use a method that ensures only valid urls are chosen, then it is not vulnerable.

No, not unless they've compromised your server and can access and modify those source files. And if that's the case, changing of the 'src' attribute in the iframe is the least of your worries.

Yes. A XSS attack has the capability of changing the src of an iFrame.

Check it out: http://research.zscaler.com/2009/12/xss-embedded-iframes.html

The page you "include" using the IFRAME can navigate to a new page, changing the source.

Any user of the site can change the src value of the IFrame, using Developer tools like Firebug and IE Developer Tools

Any sucsessful man in the middle attack can change all your html source including the src attribute. If the attacker is in control of a proxy or network between your customer and your server they can change any of your html including the src attribute.

Any sucsessful hack into your server can change all you sourcecode and change the attribute.

What Hacker are you thinking of? you should only iframe to people/sites you trust, as this is a common way for cross site scripting attacks.

The only ways to change the src attribute of your iframe (or anything in your website) are:

1. The webpage which load the iframe has an XSS vulnerability and the attacker use the DOM to change it.
2. He (or she) get access to your source code. Then the change of a iframe attribute is your less important concern ;-)