Tuesday, March 15, 2016

Cross Frame Scripting Attack


Cross Frame Scripting Attack is an attack in which the attacker exploits security vulnerabilities of a browser and tricks a user to navigate a webpage that the attacker controls. And afterwards, the attacker uses HTML Frames and JavaScript to steal sensitive data of the user.





Security vulnerabilities used in Cross Frame Scripting Attack


As per standard security model of a browser, if a user opens several webpages, one webpage of the user can use JavaScript to access contents of other webpages which are opened using the same browser, in different windows or different frames, provided the webpages are opened in same server or domain.


But, some web browsers have certain security vulnerabilities which allow an attacker to access contents of other webpages of a user, even though the webpages are opened using different server or domain. As a result, if the user types login credentials in one of his webpages, the attacker can steal those by loading a third-party page in an HTML Frame and then by using JavaScript.


How is Cross Frame Scripting Attack perpetrated

Cross Frame Scripting Attack can be perpetrated in a number of different ways :


Example 1 :

Attacker first creates a webpage in his own website and in that webpage, he uses an HTML Frame to display the login page of a well-known website.

The attacker may use some tricks like hiding the frame border or expanding the frame to cover the whole page to convince the innocent user that he is opening a webpage of the well-known website.

If the victim does not understand the attacker's trick, he may type ogin credentials in the webpage. And, the attacker uses JavaScript to notify events on whatever the user types in the webpage.

As per standard web browser security model, the attacker should not have been notified about whatever the user types in a webpage opened in his computer, but the security vulnerabilities discussed above may make that possible.


Example 2 :

In this attack, the attacker creates a webpage in his website and includes a hidden iframe in that webpage. The iframe may open the login webpage of a well-known website and use Cross Site Scripting or XSS vulnerabilities of the well-known website to inject malicious script in that webpage.

If the victim does not understand the trickery of the attacker and enters login credentials in the webpage, the attacker can use JavaScript to steal the cookie that is placed in the victim's computer after authentication. And, exploit that to impersonate the victim and steal his sensitive data.


Example 3 :

In this attack, the attacker creates a webpage in his website and includes a malicious link in that webpage. Then he uses some trickery to convince the victim to click on the link. On clicking on the link, a malicious script runs which uses Cross Site Scripting vulnerabilities of the well-known website and injects a iframe into that webpage.

If the victim now enters login credentials in the well-known website, the attacker can use JavaScript to steal the authentication cookie of the victim.



Countermeasures of Cross Frame Scripting Attack

Always update your browser with updated security patches. This reduces the security vulnerabilities present in the web browser, reducing the possibility of this attack. In fact, it is always a good to update commonly used software including Operating Systems and web browsers with recent security patches. In most of the cyber attacks, attackers exploit security vulnerabilities of commonly used software. So, more updated the software used, the better it is.


So, beware of various security vulnerabilities, so that you can protect your systems and data in a better way. And, stay safe, stay secured.




No comments:

Post a Comment