Cross Frame Scripting (XFS) Cheat Sheet, Attack Examples & Protection

Cross-Frame Scripting (XFS), also known as iFrame Injection, is essentially a targeted, browser-based phishing attack. It must not be confused with Cross-Site Scripting (XSS), which also allows the execution of malicious JavaScript. XFS works in a similar manner, but only enables the sniffing of user input for data harvesting.

According to recent research by Singaporean security expert Wang Jing, over 99% of the About.com topic links and domains are vulnerable to XFS and XSS attacks.

What is Cross Frame Scripting (XFS)?

Cross Frame Scripting attacks take place when the victim is tricked into visiting a malicious web page in their browser. The attacker, who controls this page, loads a third-party page inside an HTML frame. A malicious JavaScript keylogger then records the victim’s keystrokes and sends them to the attacker’s server.


Cross-Frame Scripting attacks, also known as iFrame Injections, are more dangerous than traditional phishing techniques because the framed content is the genuine target website, so what the victim sees is completely identical to the site used to trick them. While these attacks require the attacker to exploit very specific browser bugs, their effectiveness is very high.

XFS attack examples

To exploit the IE bug which leaks keyboard events across framesets, an attacker may create and control a web page at evil.com that includes a visible frame displaying the login page of example.com. The attacker can hide the frame’s borders and expand the frame to cover the entire page, so that to the browser user it looks as if they are actually visiting example.com. The attacker registers some JavaScript in the main evil.com page which listens for all key events on the page.

Normally, this listener would be notified only of events from the main evil.com page. But because of the browser bug, it is also notified of events from the framed example.com page. So every key press the browser user makes in the example.com frame while trying to log into example.com can be captured by the attacker and reported back to evil.com.

What are the damages caused by XFS Attacks?

Possible damage from Cross Frame Scripting attacks includes:

  • Data and identity theft
  • Gaining control of the victim’s computer remotely
  • Installation of spyware on computers and networks for future sniffing
  • Initiation of Denial of Service (DoS) attacks on other websites
  • Using the visible frame to execute clickjacking

How to prevent XFS Attacks?

There is not much the normal user (potential victim) can do besides taking the usual measures against phishing attacks. These steps include:

  • Avoiding malicious looking links and websites.
  • Not letting the browser “remember” passwords and login links.
  • Sacrificing performance for security by blocking all tracking cookies.
  • Keeping personal information and data in secure encrypted storage.
  • Using strong passwords and changing them on a frequent basis.


Frame Busting is the main strategy developers can adopt to combat XFS attacks. Integrating this solution, which is basically a short piece of JavaScript, prevents a website from being used as a malicious iFrame trap. The most common Frame Busting code is made up of two basic elements: a conditional statement and a counter action. It looks like this:

if (top != self) {top.location = self.location;}
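As an added example (not code from the original page), the one-liner above rewritten as testable functions with the two refinements a practitioner would want: the page starts hidden and is only revealed once it is confirmed not to be framed, and the server also sends the X-Frame-Options and Content-Security-Policy frame-ancestors headers so the browser refuses to frame the page even when script is blocked. The `win` parameter stands in for the browser's `window`; the header helper's option name is an assumption.

```javascript
// Added example (not the page's own snippet): the frame-busting check written
// as functions that take a window-like object, so the logic can be exercised
// outside a browser. In a real page, call guardAgainstFraming(window).

// True when this document is not the top-level browsing context. `top` and
// `self` are comparable by identity even when the parent is cross-origin.
function isFramed(win) {
  return win.top !== win.self;
}

// The page should start hidden (e.g. <body style="display:none">) so that a
// framed copy never renders if this script is blocked. Returns the action taken.
function guardAgainstFraming(win) {
  if (!isFramed(win)) {
    // Not framed: reveal the content.
    if (win.document && win.document.body) {
      win.document.body.style.display = "block";
    }
    return { framed: false, action: "show" };
  }
  try {
    // The counter action from the page's one-liner: navigate the outer
    // window to our own URL, replacing the attacker's page.
    win.top.location = win.self.location;
    return { framed: true, action: "bust" };
  } catch (e) {
    // Navigation refused (e.g. a SecurityError): keep the content hidden.
    return { framed: true, action: "stay-hidden" };
  }
}

// Server-side companion: response headers that tell the browser not to frame
// the page at all, so protection does not depend on script running. The option
// name `allowSameOrigin` is an assumption for this example.
function frameProtectionHeaders({ allowSameOrigin = false } = {}) {
  return {
    "X-Frame-Options": allowSameOrigin ? "SAMEORIGIN" : "DENY",
    "Content-Security-Policy": allowSameOrigin
      ? "frame-ancestors 'self'"
      : "frame-ancestors 'none'",
  };
}
```

The script alone can be defeated by a framing page that uses the iframe `sandbox` attribute (which blocks top-level navigation) or otherwise suppresses the navigation, which is why the headers, enforced by the browser before any script runs, should be sent as well.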


Preventing XFS attacks with CxSAST

CxSAST detects and warns about all pages that can be displayed in an iFrame and do not have XFS protection in place.


Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked to your specific needs. Fill in your details and we'll schedule a FREE live demo with you.