Dofactory.com

Security and Cross Frame Scripting

Can somebody explain how I should implement Cross Frame Scripting Security for my web pages to provide more security?
Thanks in advance.
Sudhakar Sabbi, Apr 15, 2011
Reply 1
XFS is a vulnerability that affects web applications that use frames in their web pages. Basically, frames allow web pages to present the web content in different sections of the browser window. They seem to be very handy in many situations, but because the frame loads any page it references, this could easily be hacked, and the attacker may make your frame point to a URL of his own which may have malicious content...

Rather than repeating what's already documented in great detail, I would like to point your attention to the OWASP website at

https://www.owasp.org/index.php/Cross_Frame_Scripting
http://blog.securestate.com/post/2010/08/12/XFS-101-Cross-Frame-Scripting-Explained.aspx
http://www.subhashdasyam.com/2011/04/cross-frame-scripting-advanced-xss.html

The general mitigation of XFS vulnerabilities is to validate malicious inputs such as a URL parameter in a GET request that can be injected with JavaScript into a frame and executed on the user's browser within the context of the main page.

In case your app is using frames, do take some precaution against this. One of the primary checks you can do is to add the following JS at the top of your web page. The code is an extract and may not work as it is...

if (top == self) {
    // Not framed: reveal the page content (hidden by default via CSS).
    document.documentElement.style.display = 'block';
}
else {
    // Framed: make this page the top-level document instead.
    top.location = self.location;
}

When the above script is executed (on each page load), the browser will check if the page is framed and set it to become the top frame, thereby causing the browser to render the full window without the frame.

But note that the best way would be to avoid using frames, but that's not always possible.
Hope this helps.
Rajesh Pillai, Apr 16, 2011
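The two checks the reply above describes, written out as an added example (not code from the original post): `isFramed`/`applyFrameBusting` are the `top == self` test with the hide-by-default-then-reveal step, and `safeFrameUrl` is the input validation of a frame URL taken from a GET parameter. The function names, the fake window/document objects and the origin allowlist are assumptions for illustration, so the logic can be run under Node without a browser.

```javascript
// Added example, not code from the original post. Function names, the fake
// window/document objects, ALLOWED_ORIGINS and BASE are assumed for illustration.

// Is the document running inside a frame? In a browser call isFramed(window).
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    // Reading win.top can throw for a cross-origin parent; treat that as framed.
    return true;
  }
}

// On page load: reveal the (initially hidden) content when this is the top
// window; otherwise navigate the top window to our own URL, which is what
// the reply's script does. Returns the action taken so it can be checked.
function applyFrameBusting(win, doc) {
  if (!isFramed(win)) {
    doc.documentElement.style.display = 'block';
    return 'shown';
  }
  win.top.location = win.self.location;
  return 'busted';
}

// Validate a frame URL supplied via a GET parameter before assigning it to an
// iframe's src. Relative paths resolve against `base`; javascript:, data: and
// other non-http(s) schemes are rejected, as is any origin not on the
// allowlist. Returns the normalized URL string, or null when rejected.
function safeFrameUrl(param, allowedOrigins, base) {
  let url;
  try {
    url = new URL(param, base); // throws on malformed input
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (!allowedOrigins.includes(url.origin)) return null;
  return url.href;
}

// --- Constructed stand-ins so the functions can be exercised outside a browser.
function makeFakeWindow(isTop) {
  const w = { location: 'https://app.example/page' };
  w.self = w;
  w.top = isTop ? w : { location: 'https://outer.example/' };
  return w;
}

function makeFakeDocument() {
  return { documentElement: { style: { display: 'none' } } };
}

const ALLOWED_ORIGINS = ['https://app.example', 'https://partner.example'];
const BASE = 'https://app.example/';

// Runs each check against constructed inputs and returns the outcomes.
function demo() {
  const topDoc = makeFakeDocument();
  const framedWin = makeFakeWindow(false);
  return {
    topLevel: applyFrameBusting(makeFakeWindow(true), topDoc),
    topLevelDisplay: topDoc.documentElement.style.display,
    framed: applyFrameBusting(framedWin, makeFakeDocument()),
    framedTopNow: framedWin.top.location,
    relative: safeFrameUrl('/help', ALLOWED_ORIGINS, BASE),
    partner: safeFrameUrl('https://partner.example/widget?x=1', ALLOWED_ORIGINS, BASE),
    scheme: safeFrameUrl('javascript:void(0)', ALLOWED_ORIGINS, BASE),
    unknownOrigin: safeFrameUrl('//other.example/x', ALLOWED_ORIGINS, BASE),
  };
}

console.log(demo());
```

In a real page the content is hidden by default with CSS and `applyFrameBusting(window, document)` runs on load; a script-only check like this is only as strong as the browser's willingness to run the script, so in practice it is paired with a response header (`X-Frame-Options` or a CSP `frame-ancestors` directive) that tells the browser which sites may frame the page at all.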