XFS 101: Cross-Frame Scripting Explained

Cross-Frame Scripting (XFS) is an attack related to cross-site scripting (XSS) and is commonly misunderstood from both offensive and defensive standpoints. This blog’s aim is to clear up confusion regarding what it means, what vulnerability it is exploiting, and a survey of suggested fixes available.

XFS exploits a bug in specific browsers that allows a parent frame to be exposed to events in an embedded iFrame inside of it. The exposure is limited to events only, and does not give full JavaScript cross domain access. Several examples exist illustrating the sniffing of keystrokes from an embedded iFrame (usually a login page) to an attacker controlled resource such as a remote Web server using an XML HttpRequest (XHR) surreptitiously in the background. This effectively provides a means to silently steal credentials being typed into the embedded iFrame by the victim. This attack in no way allows full JavaScript execution despite being similar to XSS.

Effectively, a successful XFS attack provides only one advantage over a very well crafted phishing site.That advantage is that the behavior of the iFrame is EXACTLY that of the target site, since it IS the target site. The URL still is not that of the original site, and does not provide any additional cloaking mechanisms. Because this attack exploits a browser specific bug, (known to work in IE), attackers most likely will have better luck using standard phishing schemes.

Frame busting is the act of preventing another site from including your site in an iFrame on their site. This is commonly done via JavaScript with code such as:

Gustav Rydstedt of Stanford along with three others did some research about frame busting and came to the conclusion that most popular ways of attempting to prevent the attack fail in one way or another. Their suggested code to use (best available for now) is:

Their research is available in an OWASP presentation at http://www.owasp.org/images/0/0e/OWASP_AppSec_Research_2010_Busting_Frame_Busting_by_Rydstedt.pdf. Their conclusions were that all frame busting code out there can be broken. Defenses to the attack are in the works, but are not widely adopted. Furthermore, their research showed that very few mobile sites utilize frame busting techniques. In all, preventative measures should be employed as part of your defense in depth approach to securing your Web applications, but not relied upon solely.

Related Reading:
http://www.owasp.org/index.php/Cross_Frame_Scripting
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=77
http://msdn.microsoft.com/en-us/library/ms533028(VS.85).aspx
http://www.mozilla.org/projects/security/components/jssec.html#sameorigin
http://www.owasp.org/index.php/Cross_Frame_Scripting
http://www.owasp.org/images/0/0e/OWASP_AppSec_Research_2010_Busting_Frame_Busting_by_Rydstedt.pdf