CAPEC-587: Cross Frame Scripting (XFS)
CAPEC Version: 3.9
Last Updated: 2023-01-24
Attack Pattern Description
This attack pattern combines malicious JavaScript with a legitimate web page loaded into a concealed iframe on a page the adversary controls. The malicious JavaScript then interacts with the legitimate page in a manner that is unknown to the user. Because a correctly enforced same-origin policy denies the parent page's script any access to the framed document, the attack depends on a same-origin policy flaw in the browser (see Prerequisites). It usually also involves social engineering, since the adversary must convince the user to visit the attacker-controlled web page.
Prerequisites
- The user's browser must have a flaw in its implementation of the same-origin policy that lets script in one frame read data (DOM content, form input, events) belonging to a page loaded from a different origin (scheme, host and port).
Consequences
Scope: Confidentiality
Technical Impact: Read Data
Note: Cross Frame Scripting allows an adversary to steal sensitive data, such as credentials entered into a framed login page, from a legitimate site.
Mitigations
Avoid clicking on untrusted links, since the attack starts with the user opening an attacker-controlled page.
Employ techniques such as frame busting, in which a site's own script detects that it has been loaded inside a frame and navigates the top-level window to itself, so the site cannot be displayed inside an adversary's page. Script-based frame busting can be neutralised by the framing page, so it should be backed by a server-side framing policy (the X-Frame-Options header or a Content-Security-Policy frame-ancestors directive).
Example Instances
An adversary-controlled web page contains malicious JavaScript and a concealed iframe that loads a legitimate website's login page; the concealed iframe makes it appear to the user that the legitimate website itself has been loaded. When the user enters credentials into the legitimate page inside the iframe, the malicious JavaScript in the adversary's page collects that sensitive information.
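To make the description, prerequisite and mitigations above concrete, the following is an added JavaScript example; it is not part of the CAPEC entry. It models the same-origin comparison that a browser must get wrong for the read in the example instance to succeed, and the frame-busting decision plus the header-based framing policy a site should send. All hostnames (evil.example, bank.example, portal.example) and the framed-document object are constructed for the example.

```javascript
// Added example (not CAPEC's own code): models the two checks that decide
// whether a Cross Frame Scripting attempt succeeds.
//   1. The same-origin comparison a browser performs before script in one
//      frame may read another frame's document. XFS needs this check to be
//      broken; when it holds, the attacker's read is refused.
//   2. The frame-busting decision a site makes on load, plus the header-based
//      framing policy that should back it. All hostnames are hypothetical.

// Origin tuple (scheme, host, port) as compared by the same-origin policy.
// The URL parser drops a default port, so "https://a:443/" and "https://a/"
// both yield "https://a:443".
function originOf(href) {
  const u = new URL(href);
  const port = u.port || { "https:": "443", "http:": "80" }[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Simulates the attacker's script (running in the top page at attackerHref)
// touching the document of a frame loaded from framedHref. A browser whose
// same-origin policy is intact throws here instead of exposing the DOM.
function crossFrameRead(attackerHref, framedHref, framedDocument) {
  if (originOf(attackerHref) !== originOf(framedHref)) {
    throw new Error(
      `SecurityError: ${originOf(attackerHref)} may not access a frame from ${originOf(framedHref)}`
    );
  }
  return framedDocument;
}

// Frame-busting decision: a page compares its own origin with the top-level
// browsing context's origin and breaks out when they differ. In a browser:
//   if (window.top !== window.self) window.top.location = window.self.location;
// Here both locations are passed in so the logic runs outside a browser.
function shouldBreakOut(selfHref, topHref) {
  return originOf(selfHref) !== originOf(topHref);
}

// Server-side framing policy that does not depend on script running inside
// the framed page. Default: refuse all framing. Browsers that support the CSP
// directive give it precedence; X-Frame-Options is the fallback for the rest.
function framingHeaders(allowedAncestorOrigins = []) {
  if (allowedAncestorOrigins.length === 0) {
    return { "X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none'" };
  }
  // X-Frame-Options cannot express an allow-list of foreign origins; only the
  // CSP directive can. 'self' is added so the site may still frame itself.
  return {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": `frame-ancestors 'self' ${allowedAncestorOrigins.join(" ")}`,
  };
}

// Constructed scenario from the example instance: a login page framed by an
// attacker-controlled page.
function demo() {
  const attacker = "https://evil.example/";               // hypothetical
  const login = "https://bank.example/login";             // hypothetical
  const loginDom = { form: "login", username: "alice" };  // constructed stand-in for the framed DOM
  let attackerSees;
  try {
    attackerSees = crossFrameRead(attacker, login, loginDom);
  } catch (e) {
    attackerSees = e.message;                             // SecurityError when SOP holds
  }
  return {
    attackerSees,
    loginBreaksOut: shouldBreakOut(login, attacker),      // true: framed by a foreign origin
    headers: framingHeaders(),
  };
}

console.log(demo());
```

Run it with node. In a real attacker page the hidden frame would be an `<iframe src="https://bank.example/login" style="display:none">` and the parent's script would attempt to read `frame.contentDocument`; a browser with an intact same-origin policy refuses exactly as `crossFrameRead` does. The framing page can stop a script-only frame buster from running (for example with the iframe `sandbox` attribute), which is why the headers, not the script, are the control to rely on.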
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name |
|---|---|---|
| OWASP Attacks | - | Cross Frame Scripting |