Cross Frame Scripting - Revision history

Andrew Smith: Clarify "Description" section as original was confusing.

2016-06-22T19:39:04Z

Clarify "Description" section as original was confusing.

Michael Brooks at 17:13, 5 November 2013

2013-11-05T17:13:40Z

Michael Brooks at 17:11, 5 November 2013

2013-11-05T17:11:00Z

Justin Ludwig: re-focused article on cross-frame scripting instead of cross-site scripting; re-formatted with latest attack template

2010-01-08T21:44:44Z

re-focused article on cross-frame scripting instead of cross-site scripting; re-formatted with latest attack template

Show changes

KirstenS: /* Related Attacks */

2009-04-08T00:09:10Z

‎Related Attacks

KirstenS: /* Related Attacks */

2008-09-18T13:01:53Z

‎Related Attacks

KirstenS: /* Related Attacks */

2008-08-12T18:31:54Z

‎Related Attacks

Rezos: /* Categories */

2007-11-04T22:41:44Z

‎Categories

Rezos: New page: {{Template:Attack}} ==Description== Cross Frame Scripting (XFS) is an attack that belongs to the Cross Site Scripting family. The attacker using this technique injects code in a frame. Th...

2007-11-04T21:28:06Z

New page: {{Template:Attack}} ==Description== Cross Frame Scripting (XFS) is an attack that belongs to the Cross Site Scripting family. The attacker using this technique injects code in a frame. Th...

New page

{{Template:Attack}}

==Description==
Cross Frame Scripting (XFS) is an attack that belongs to the Cross Site Scripting family. The attacker using this technique injects code in a frame. Thanks to the XFS attacks he's able to inject his own content to a log in form, which purpose is to authorize the valid user to his/her bank or auction account.

==Examples ==
The attacker has found a website, which allows for variable manipulation.
In addition variables are sended using GET or POST methods but they are not properly validated, e.g.:
<pre>
cat greetz.php
<?php
print "Hello! Welcome to Hell!";
print $_GET['greetings'];
?>
</pre>
If the attacker would write the following URI:
<pre>
/greetz.php?greetings=<iframe src="http://my.evilsites.com/cookie_monster.php"></iframe>;
</pre>
then the successful code injection attack would be conducted.

Another example is a simple Java Script nesting:
<pre>
/greetz.php?greetings=<iframesrc=javascript:alert('0wn3d!');></iframe>
</pre>

The attacker may merge the above examples with an appropriate frame attributes. After that it should be easier to adjust injected code
to the original layout of the page, which is prone to a Cross Frame Scripting. This attack can also be successfully used to bypass
limitations in e.g. E-kiosk, which provides Internet for a money or just to its extra functionality/areas.

References:
* http://www.nextgenss.com/papers/NISR-WP-Phishing.pdf
* http://ha.ckers.org/xss.html

==Related Threats==

*[[:Category:Client-side_Attacks]]

==Related Attacks==

*[[Cross-site-scripting]]
*[[Alternate_XSS_Syntax]]

==Related Vulnerabilities==

*[[:Category:Input_validation_vulnerability]]

==Related Countermeasures==

*[[HTML Entity Encoding]]

Use whitelists and determine (whenever it's possible) the expected
input data format.

==Categories==

[[:Category:Injection]]

@@ Line 3: / Line 3: @@
 ==Description==
-Cross-Frame Scripting (XFS) is a method of exploiting [[Cross-site Scripting (XSS)]]. In an XFS attack, the attacker exploits a specific cross-frame-scripting bug in a web browser to access private data on a third-party website. The attacker induces the browser user to navigate to a web page the attacker controls; the attacker's page loads a third-party page in an HTML frame; and then javascript executing in the attacker's page steals data from the third-party page.
+Cross-Frame Scripting (XFS) is an attack that combines malicious JavaScript with an iframe that loads a legitimate page in an effort to steal data from an unsuspecting user. This attack is usually only successful when combined with social engineering. An example would consist of an attacker convincing the user to navigate to a web page the attacker controls. The attacker's page then loads malicious JavaScript and an HTML iframe pointing to a legitimate site. Once the user enters credentials into the legitimate site within the iframe, the malicious JavaScript steals the keystrokes.
 ==Risk Factors==
-The standard browser security model allows javascript from one web page to access the content of other pages that have been loaded in different browser windows or frames -- as long as those other pages have been loaded from the same-origin server or domain. It does _not_ allow access to pages that have been loaded from different servers or domains (see MSDN article [http://msdn.microsoft.com/en-us/library/ms533028%28VS.85%29.aspx About Cross-Frame Scripting and Security]). However, specific bugs in this security model exist in specific browsers, allowing an attacker to access some data in pages loaded from different servers or domains. The most well-known such bug affects IE, which leaks keyboard events across HTML framesets (see iDefense Labs advisory [http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=77 Microsoft Internet Explorer Cross Frame Scripting Restriction Bypass]). This bug could allow, for example, an attacker to steal the login credentials of a browser user as he or she tries to type them into the login form of a third-party web page.
+The standard browser security model allows JavaScript from one web page to access the content of other pages that have been loaded in different browser windows or frames as long as those other pages have been loaded from the same-origin server or domain. It does not allow access to pages that have been loaded from different servers or domains (see MSDN article [http://msdn.microsoft.com/en-us/library/ms533028%28VS.85%29.aspx About Cross-Frame Scripting and Security]). However, specific bugs in this security model exist in specific browsers, allowing an attacker to access some data in pages loaded from different servers or domains. The most well-known such bug affects IE, which leaks keyboard events across HTML framesets (see iDefense Labs advisory [http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=77 Microsoft Internet Explorer Cross Frame Scripting Restriction Bypass]). This bug could allow, for example, an attacker to steal the login credentials of a browser user as he or she tries to type them into the login form of a third-party web page.
 ==Examples==

@@ Line 3: / Line 3: @@
 ==Description==
-Cross-Frame Scripting (XFS) describes a way that [[Cross-site Scripting (XSS)]] can happen. In an XFS attack, the attacker exploits a specific cross-frame-scripting bug in a web browser to access private data on a third-party website. The attacker induces the browser user to navigate to a web page the attacker controls; the attacker's page loads a third-party page in an HTML frame; and then javascript executing in the attacker's page steals data from the third-party page.
+Cross-Frame Scripting (XFS) is a method of exploiting [[Cross-site Scripting (XSS)]]. In an XFS attack, the attacker exploits a specific cross-frame-scripting bug in a web browser to access private data on a third-party website. The attacker induces the browser user to navigate to a web page the attacker controls; the attacker's page loads a third-party page in an HTML frame; and then javascript executing in the attacker's page steals data from the third-party page.
 XFS also sometimes is used to describe an XSS attack which uses an HTML frame in the attack. For example, an attacker might exploit a [[Cross Site Scripting Flaw]] to inject a frame into a third-party web page; or an attacker might create a page which uses a frame to load a third-party page with an XSS flaw.

@@ Line 3: / Line 3: @@
 ==Description==
-Cross-Frame Scripting (XFS) is client-side attack related to [[Cross-site Scripting (XSS)]]. In an XFS attack, the attacker exploits a specific cross-frame-scripting bug in a web browser to access private data on a third-party website. The attacker induces the browser user to navigate to a web page the attacker controls; the attacker's page loads a third-party page in an HTML frame; and then javascript executing in the attacker's page steals data from the third-party page.
+Cross-Frame Scripting (XFS) describes a way that [[Cross-site Scripting (XSS)]] can happen. In an XFS attack, the attacker exploits a specific cross-frame-scripting bug in a web browser to access private data on a third-party website. The attacker induces the browser user to navigate to a web page the attacker controls; the attacker's page loads a third-party page in an HTML frame; and then javascript executing in the attacker's page steals data from the third-party page.
 XFS also sometimes is used to describe an XSS attack which uses an HTML frame in the attack. For example, an attacker might exploit a [[Cross Site Scripting Flaw]] to inject a frame into a third-party web page; or an attacker might create a page which uses a frame to load a third-party page with an XSS flaw.

← Older revision		Revision as of 00:09, 8 April 2009
Line 40:		Line 40:

	*[[Cross-site Scripting (XSS)]]		*[[Cross-site Scripting (XSS)]]
−	*[[Alternate_XSS_Syntax]]

	==Related Vulnerabilities==		==Related Vulnerabilities==

@@ Line 39: / Line 39: @@
 ==Related Attacks==
-*[[Cross-site scripting]]
+*[[Cross-site Scripting (XSS)]]
 *[[Alternate_XSS_Syntax]]

← Older revision		Revision as of 22:41, 4 November 2007
Line 55:		Line 55:
	==Categories==		==Categories==

−	[[:Category:Injection]]	+	[[Category:Injection]]