Cross Frame Scripting


Description

The application is vulnerable to cross frame scripting. The application can be loaded into a frame by a third-party host, making it vulnerable to attacks that trick users into revealing sensitive data or taking an unwanted action. Although the standard browser security model prevents JavaScript from accessing the content of pages loaded from a different origin, various vulnerabilities allow attacks against pages loaded into a child frame.
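As an added example (not part of the original finding), the following Python check decides from a response's headers whether a browser would let an arbitrary third-party origin load the page in a frame, which is the condition described above. The function names and the sample responses are constructed for illustration; the header names and their precedence rules are the standard ones.

```python
# Added example, not from the original page. Sample responses are constructed.
WILDCARDS = {"*", "http:", "https:"}   # sources that match any framing origin

def frame_ancestors(csp_values):
    """Return the frame-ancestors source list of each enforced CSP policy."""
    lists = []
    for header in csp_values:
        for policy in header.split(","):      # one header may carry several policies
            for directive in policy.split(";"):
                tokens = directive.lower().split()
                if tokens and tokens[0] == "frame-ancestors":
                    lists.append(tokens[1:])
                    break                      # duplicates within a policy are ignored
    return lists

def arbitrary_origin_can_frame(headers):
    """headers: list of (name, value) pairs. Returns (frameable, reason)."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    # Content-Security-Policy-Report-Only is reported but never enforced: skip it.
    lists = frame_ancestors(by_name.get("content-security-policy", []))
    if lists:  # an enforced frame-ancestors overrides X-Frame-Options
        if all(WILDCARDS & set(sources) for sources in lists):
            return True, "frame-ancestors allows any origin"
        return False, "frame-ancestors restricts framing"
    # Only DENY and SAMEORIGIN count; ALLOW-FROM is obsolete and ignored
    # by current browsers, as are unrecognised values.
    xfo = {v.strip().lower() for raw in by_name.get("x-frame-options", [])
           for v in raw.split(",")} & {"deny", "sameorigin"}
    if xfo:
        return False, "X-Frame-Options: " + "/".join(sorted(xfo))
    return True, "no enforced anti-framing header"

SAMPLES = {  # constructed responses
    "no headers": [("Content-Type", "text/html")],
    "xfo deny": [("X-Frame-Options", "DENY")],
    "xfo allow-from": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "csp self": [("Content-Security-Policy",
                  "default-src 'self'; frame-ancestors 'self'")],
    "csp report-only": [("Content-Security-Policy-Report-Only",
                         "frame-ancestors 'none'")],
    "csp wildcard + xfo": [("Content-Security-Policy", "frame-ancestors *"),
                           ("X-Frame-Options", "DENY")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, "->", arbitrary_origin_can_frame(hdrs))
```

The last sample shows why both headers need to be read together: a permissive `frame-ancestors` leaves the page frameable even though `X-Frame-Options: DENY` is present.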

Impact

A number of attacks exploit cross-site framing to steal sensitive information or cause unwanted actions on behalf of users. Older versions of IE contain a bug that leaks keystrokes across HTML framesets, allowing attackers to eavesdrop on users as they type sensitive information such as passwords. Sites loaded into child frames are also vulnerable to clickjacking attacks, which trick users into completing an unwanted action in an application. An attacker can also use an XSS vulnerability in a framed site to carry out attacks using JavaScript. In addition, timing attacks such as Pixel Perfect yield cross-origin information leakage.

Risk Rating

Remediation

How To Test

Sample Report Screenshots

Testing Gotchas

References

 
