
Hacking 🔥 Bypassing X-Frame-Options with fetchLater() API – A Silent Post-Exploitation Trick

dEEpEst
Staff member, Administrator

🚀
Created for Hack Tools Dark Community


If your target sets `X-Frame-Options: DENY`, you cannot embed the site in an iframe on a page you control. That rules out clickjacking and, more relevant here, keeping a foothold such as an XSS payload alive in the victim's authenticated session after they leave the page. However, @slonser_ highlighted a lesser-known trick: the fetchLater() API lets a script that is already running on the target origin schedule requests that the browser sends later, on its own, with the victim's cookies. It does not let you frame an XFO-protected page; it removes the need for the frame.

🚨 What is fetchLater()?
`fetchLater()` is a Chromium API (not in Firefox or Safari at the time of writing) that queues an HTTP request and sends it when the document is unloaded (tab closed, navigation away) or, if the page is still open, when the optional `activateAfter` timeout expires, whichever comes first. The request must target an HTTPS URL, carries the page's credentials like a normal fetch, and draws on a per-document body-size quota. If the user is authenticated, their session cookies ride along, which makes it ideal for stealthy post-exploitation from an XSS.

💀 Example Code
JavaScript:
// Runs on the victim's origin (for example from an XSS), so the relative URL
// resolves to the target site and its cookies are attached automatically.
const init = {
  method: "POST",
  body: JSON.stringify({ username: "victim", rights: "admin" }),
  credentials: "include"   // same-origin default already sends cookies; explicit for clarity
};

const minute = 60000;
const delays = [minute, minute * 60, minute * 60 * 24];   // 1 min, 1 h, 24 h

// Pass the URL and init rather than one shared Request object: a Request with a
// body is consumed the first time it is used, and reusing it throws a TypeError.
// Each deferred request is sent when its activateAfter expires or when the
// document is unloaded, whichever comes first, so all three flush on tab close.
for (const timeout of delays) {
  fetchLater("/change_rights", { ...init, activateAfter: timeout });
}

🧠 How it works
- `fetchLater()` queues the request inside the browser; your script does not need to be running when it is sent.
- `credentials: "include"` ensures the victim's session cookies go with it (the default of `same-origin` already does this for a same-origin URL).
- Unloading the page does not cancel the queue: the browser **sends** every pending request at that moment, and any request whose `activateAfter` expires while the page is still open is sent then. In the example, closing the tab after two minutes fires all three requests at once, not at 1 hour and 24 hours.
- The URL is relative, so this only works from script running on the target origin (an XSS or a compromised dependency). From a cross-site page, SameSite cookie rules and CORS apply exactly as they do to an ordinary `fetch()`.

⚠️ Why it's dangerous
This allows an attacker with script execution on the target to:
✔ Abuse the authenticated session silently, hours after the victim closed the tab
✔ Escalate privileges or trigger state-changing actions out of view, with no window open for the victim to notice
✔ Get the persistence an iframe would have provided without framing anything, so `X-Frame-Options` (`DENY` or `SAMEORIGIN`) and CSP `frame-ancestors` do not help

🛡 Blue Team Notes
- Fix the root cause: the trick needs JavaScript running on your origin, so XSS and compromised-script prevention (strict CSP, output encoding, Subresource Integrity) are the primary controls.
- Do not rely on a session-bound CSRF token alone; a payload can read it when it schedules the request and it still validates a day later. Require fresh proof for sensitive changes: re-authentication, step-up, or short-lived per-action tokens.
- Your server sees a deferred request as an ordinary request; there is no `fetchLater()` to spot server-side. Monitor by correlation instead: a state-changing POST arriving long after the session's last page load, or several identical POSTs flushed together when a tab closes.
- Set short session inactivity timeouts if feasible, and bind high-risk actions to a recent authentication time.
- Browser-side, the quota `fetchLater()` draws on is governed by the `deferred-fetch` Permissions Policy rather than by CSP; check current Chromium docs for the defaults before relying on it.
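Here is one way to implement the correlation checks above, as an added example (not code from the original post or from @slonser_). It assumes a constructed application log exported as JSON objects with the fields `ts`, `sid` (a hashed session id), `method`, `path` and `resp_ctype`; the thresholds are assumptions you will want to tune against your own traffic.

```javascript
// Detection of fetchLater-style deferred state changes over an application log.
// Assumed log shape (constructed for this example): ts (ISO-8601), sid (hashed
// session id), method, path, resp_ctype (response Content-Type).

const STALE_MS = 5 * 60 * 1000; // state change this long after the last page load is suspicious
const BURST_MS = 2000;          // identical requests inside this window count as one burst
const BURST_MIN = 3;            // minimum burst size to report

// Constructed sample log, not real traffic. Session s1 loads two pages, closes
// the tab (three queued requests flush together on unload), and a 24h timer
// fires the next day with no page load in between. Session s2 is a normal user.
const SAMPLE_LOG = [
  { ts: "2025-06-01T10:00:00Z", sid: "s1", method: "GET",  path: "/dashboard",     resp_ctype: "text/html" },
  { ts: "2025-06-01T10:00:30Z", sid: "s1", method: "POST", path: "/profile",       resp_ctype: "application/json" },
  { ts: "2025-06-01T10:01:00Z", sid: "s1", method: "GET",  path: "/settings",      resp_ctype: "text/html" },
  { ts: "2025-06-01T10:02:05Z", sid: "s1", method: "POST", path: "/change_rights", resp_ctype: "application/json" },
  { ts: "2025-06-01T10:02:05Z", sid: "s1", method: "POST", path: "/change_rights", resp_ctype: "application/json" },
  { ts: "2025-06-01T10:02:06Z", sid: "s1", method: "POST", path: "/change_rights", resp_ctype: "application/json" },
  { ts: "2025-06-01T12:00:00Z", sid: "s2", method: "GET",  path: "/dashboard",     resp_ctype: "text/html" },
  { ts: "2025-06-01T12:00:10Z", sid: "s2", method: "POST", path: "/change_rights", resp_ctype: "application/json" },
  { ts: "2025-06-02T10:02:05Z", sid: "s1", method: "POST", path: "/change_rights", resp_ctype: "application/json" },
];

const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// A GET that returned an HTML document is treated as a page load (navigation).
function isPageLoad(e) {
  return e.method === "GET" && e.resp_ctype.startsWith("text/html");
}

// Returns findings as { rule, sid, path, ts, detail } objects, oldest first.
function detectDeferredRequests(log, opts = {}) {
  const staleMs = opts.staleMs ?? STALE_MS;
  const burstMs = opts.burstMs ?? BURST_MS;
  const burstMin = opts.burstMin ?? BURST_MIN;

  const entries = log
    .map((e) => ({ ...e, t: Date.parse(e.ts) }))
    .sort((a, b) => a.t - b.t);

  const lastPageLoad = new Map(); // sid -> epoch ms of the most recent page load
  const bursts = new Map();       // "sid|method|path" -> { start, count, ts }
  const findings = [];

  for (const e of entries) {
    if (isPageLoad(e)) {
      lastPageLoad.set(e.sid, e.t);
      continue;
    }
    if (!STATE_CHANGING.has(e.method)) continue;

    // Rule 1: a state change with no recent page load in the same session,
    // which is what a long activateAfter timer looks like from the server.
    const last = lastPageLoad.get(e.sid);
    if (last === undefined || e.t - last > staleMs) {
      findings.push({
        rule: "stale-context", sid: e.sid, path: e.path, ts: e.ts,
        detail: last === undefined
          ? "no page load seen"
          : `${Math.round((e.t - last) / 1000)}s after last page load`,
      });
    }

    // Rule 2: identical state-changing requests arriving together, which is
    // what a queue of deferred requests looks like when the tab is closed.
    const key = `${e.sid}|${e.method}|${e.path}`;
    const b = bursts.get(key);
    if (b && e.t - b.start <= burstMs) {
      b.count += 1;
      if (b.count === burstMin) {
        findings.push({
          rule: "unload-burst", sid: e.sid, path: e.path, ts: b.ts,
          detail: `${burstMin} identical requests within ${burstMs}ms`,
        });
      }
    } else {
      bursts.set(key, { start: e.t, count: 1, ts: e.ts });
    }
  }
  return findings;
}

console.log(JSON.stringify(detectDeferredRequests(SAMPLE_LOG), null, 2));
```

Run against the sample it reports the three-request flush at 10:02:05 on the first day and the day-later POST as a stale-context hit, while session s2 produces nothing. Feed it your own export and raise `STALE_MS` until normal long-lived single-page-app sessions stop tripping rule 1.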

💬 Join the discussion:
Have you seen `fetchLater()` in the wild? Do you block it in your CSP or Permissions Policy? Drop your thoughts below: let's dig into the future of deferred post-exploitation!

— Stay stealthy, stay sharp —