Difference between revisions of "Cross Frame Scripting"
Revision as of 13:31, 12 August 2008
Cross Frame Scripting (XFS) is an attack that belongs to the Cross Site Scripting family. Using this technique, the attacker injects code into a frame. An XFS attack lets the attacker inject his own content into a login form whose purpose is to authenticate a legitimate user to his or her bank or auction account.
The attacker has found a website that allows variable manipulation: variables are sent using the GET or POST method but are not properly validated, e.g.:
$ cat greetz.php
<?php print "Hello! Welcome to Hell!"; print $_GET['greetings']; ?>
If the attacker requests the following URI:
then the code injection succeeds.
Another example is simple JavaScript nesting:
The attacker may combine the above examples with appropriate frame attributes, which makes it easier to fit the injected code to the original layout of the page that is vulnerable to Cross Frame Scripting. This attack can also be used to bypass restrictions in, for example, an e-kiosk that charges for Internet access or for its extra functionality/areas.
Use whitelists and, wherever possible, define the expected input data format.
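A hardened counterpart of the greetz.php shown above, added here as an example (it is not OWASP's code): it applies the allow-list advice to the 'greetings' parameter, HTML-encodes the output as defence in depth, and, going one step beyond the page's advice, sends anti-framing headers so the page cannot be loaded inside a third-party frame at all. The file name greetz_fixed.php and the allowed character set are assumptions.

```php
<?php
// greetz_fixed.php: hardened version of the page's greetz.php (added example).
// Mitigations: 1) allow-list validation of 'greetings' (the page's advice),
// 2) HTML-encoding on output, 3) headers that refuse framing by other origins.

// Refuse to be framed: X-Frame-Options for older browsers,
// CSP frame-ancestors for modern ones.
header('X-Frame-Options: DENY');
header("Content-Security-Policy: frame-ancestors 'none'");
header('Content-Type: text/html; charset=UTF-8');

/**
 * Return the greeting if it matches the expected format, otherwise null.
 * Allow-list (an assumption for this example): 1 to 40 letters, digits,
 * spaces or basic punctuation. Angle brackets, quotes and ampersands never
 * pass, so no markup or script can be injected through this parameter.
 */
function validate_greeting(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9 .,!?-]{1,40}$/', $raw) === 1 ? $raw : null;
}

$greeting = validate_greeting($_GET['greetings'] ?? null);

if ($greeting === null) {
    // Reject anything outside the expected format instead of echoing it.
    http_response_code(400);
    print 'Invalid greeting.';
    exit;
}

print 'Hello! Welcome to Hell!';
// Encoding is redundant given the allow-list, but keeps the output safe
// if the validation rule is relaxed later.
print htmlspecialchars($greeting, ENT_QUOTES | ENT_HTML5, 'UTF-8');
```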