Cross-Frame Scripting (XFS)

This is a series of Security related articles I wrote. This article is the first one.

Introduction

Cross-Frame Scripting (XFS), also known as iFrame Injection, is an attack technique that uses malicious JavaScript to access user data from a legitimate third-party page loaded into an HTML iframe. Combined with social engineering, this can allow an attacker to intercept keyboard events. 

This is the structure of this article:

  • Introduction
  • A - What is Cross Frame Scripting (XFS)
  • B - How does XFS Work
  • C - How Cross-Frame Scripting attacks are possible
  • D - Impacts of a XFS Vulnerability
  • E - How to Protect Your Web Application Against XFS

A - What is Cross Frame Scripting (XFS)

Cross Frame Scripting attacks take place when the victim is tricked into accessing a malicious web page via his browser. The malicious attacker, who has control of this page, loads a third-party page in the HTML frame. A malicious JavaScript keylogger then records the victim’s keystrokes and sends them to the attacker’s server.

The key points are that the attacker can:

  • Trick the victim into accessing a malicious web page via their browser;
  • Load a third-party page into an HTML frame on that malicious page;
  • Steal the victim's data by recording the victim's keystrokes.

B - How does XFS Work

A cross-frame scripting attack starts by embedding a valid webpage into an iframe on a malicious page and tricking the user into visiting a site that the attacker controls, usually as part of a phishing attack. JavaScript is set up on the attacker’s server to listen for user-initiated events, usually keypresses, and the attacker can expand the iframe to cover the entire page for maximum realism.

In combination with a suitable browser bug, this may allow the attacker to obtain login credentials and other sensitive information from the unsuspecting user who is interacting with the framed legitimate site as usual. From this point of view, XFS can be considered a variety of clickjacking.

C - How Cross-Frame Scripting attacks are possible

In a typical XFS attack, once the browser user visits the web page controlled by the attacker, the following happens:

  1. The legitimate page (usually a login page) is opened in an HTML IFRAME element.
  2. The IFRAME element is maximized to fill the entire page and the frame’s borders are removed so that the unsuspecting user thinks that they are visiting the legitimate site.
  3. When the victim attempts to log in to the legitimate website or web application, malicious JavaScript outside the IFRAME captures keyboard events (keystrokes) and sends them to the attacker.

In most browsers, this is not possible due to the Same-Origin Policy. This policy, which is standard in all modern browsers, prevents sharing of information via JavaScript between sites with different origins. Since the attacker-controlled page and the legitimate website or web application have different origins (different servers), it should not be possible for JavaScript on the attacker’s server to have access to key events from the IFRAME element that contains the third-party page.

D - Impacts of an XFS Vulnerability

If successful, an XFS attack may extract key events and other browser events that provide information about the browser user’s activity on the framed page. Login pages are obvious targets for extracting credentials, but other pages can also be targeted to steal personal details and other confidential information. By manipulating the visible frame, attackers might also use XFS to perform clickjacking – or worse.

E - How to Protect Your Web Application Against XFS

Since Cross-Frame Scripting vulnerabilities are bugs in web browsers, web application developers can only prevent their pages from being embedded in frames. There are three primary methods of protection. Since all of them are also used to protect against clickjacking, you can read all about them in our article How to Defend Against Clickjacking Attacks:

  • Framebusting: The legitimate website owner only needs to modify the web page HTML code.
  • The Content-Security-Policy: frame-ancestors header: The legitimate website owner must modify web server configuration and have this header automatically included with every page.
  • The X-Frame-Options header: The legitimate website owner must modify web server configuration and have this header automatically included with every page.
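As an added example that is not part of the original article, the following Node.js code checks whether a response's headers actually block third-party framing, the condition the last two protections above rely on. The header sets at the bottom are constructed samples; the function names are my own.

```javascript
// Added example: assess whether an HTTP response's headers prevent the page from
// being loaded into an iframe on another origin (the XFS/clickjacking defence).
// Framebusting is client-side script and cannot be judged from headers alone.

// Returns the source list of the frame-ancestors directive, or null if absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Returns { protected: boolean, by: string[], notes: string[] }.
function assessFramingProtection(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const by = [];
  const notes = [];

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') by.push(`X-Frame-Options: ${xfo}`);
  else if (xfo.startsWith('ALLOW-FROM')) notes.push('ALLOW-FROM is obsolete and ignored by current browsers');
  else if (xfo) notes.push(`unrecognised X-Frame-Options value "${xfo}"`);

  const fa = parseFrameAncestors(h['content-security-policy']);
  if (fa) {
    // A wildcard or bare scheme source lets any site on that scheme frame the page.
    const open = fa.includes('*') || fa.includes('https:') || fa.includes('http:');
    if (!open) by.push(`CSP frame-ancestors ${fa.join(' ')}`);
    else notes.push('frame-ancestors contains a wildcard source; any site may frame the page');
  }

  if (by.length === 0) notes.push('no anti-framing header: page can be loaded into an attacker-controlled iframe');
  return { protected: by.length > 0, by, notes };
}

// Constructed sample header sets (not from any real site).
const weakLoginPage = { 'Content-Type': 'text/html' };
const hardenedLoginPage = {
  'Content-Type': 'text/html',
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
};

module.exports = { parseFrameAncestors, assessFramingProtection, weakLoginPage, hardenedLoginPage };
```

Setting both headers, as in hardenedLoginPage, covers browsers that honour only one of them.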
