What is the Cross Frame Scripting attack?
The Cross Frame Scripting attack is an attack in which the attacker exploits the security vulnerabilities of a browser and tricks a user into navigating a webpage that the attacker controls. Afterward, the attacker uses HTML iFrames and JavaScript to steal sensitive data of the user.
The security vulnerabilities used in the Cross Frame Scripting attack
As per the standard security model of a browser, if a user opens several web pages, one webpage of the user cannot use JavaScript to access the contents of other web pages. The other web pages may be opened using the same browser, in different windows, or in different frames. If the web pages are opened from the same server or the same domain, only then JavaScript can be used to access the contents of the other web pages.
However, some web browsers have certain security vulnerabilities that allow an attacker to access the contents of other webpages of a user. This can happen even though the web pages are opened from different servers or domains. As a result, if the user types login credentials in one of the web pages, the attacker can use JavaScript to steal the credentials by loading a third-party page in an HTML iFrame.
How does the Cross Frame Scripting attack work?
The Cross Frame Scripting attack can be perpetrated in a number of different ways :
Example 1:
An attacker may create a webpage on his own website. On that webpage, the attacker may use an HTML iFrame to display the login page of a well-known website.
The attacker may use some tricks like hiding the frame border or expanding the frame to cover the whole page to convince the innocent user that he is opening a web page of a well-known website.
If the victim does not understand the attacker’s trick, he may type login credentials on the fraudulent webpage. And, the attacker can use JavaScript to notify events on whatever the user types in the web page.
As per the standard web browser security model, the attacker should not get notified about whatever the user types on a web page. However, the security vulnerabilities discussed above may make that possible.
Example 2:
In this attack, the attacker creates a web page on his website and includes a hidden iframe on that web page. The iframe may open the login web page of a well-known website. The attackers can use Cross-Site Scripting or XSS vulnerabilities of the well-known website to inject malicious scripts on that web page.
If the victim does not understand the trickery of the attacker and enters login credentials on the …
0 Comments