XFS is a vulnerability that affects web application that use frames in their web pages. Basically frames allow web pages to present the web content in different sections of the browser window. They seem to be very handy in many situations, but the fact that the frame loads any pages it references, this could be easily hacked and the attacker may make your frame point to a URL of his own with may have malicious content...
Rather than repeating what's already documented in great detail, I would like to point your attention to OWASP website at
In case your app is using frames do take some precaution against this. One of primary check you can do is to add the following JS at the top of your web page. The code is an extract and may not work as it is...
if (top == self) }
document.documentElement.style.display = 'block';
top.location = self.location;
When the above scripted is executed(on each page load), the browser will check if the page is framed and set it to become the top frame hereby causing the browser to render the full windows without the frame.
But note the best way would be to avoid using frames, but that's not always possible.
Hope this helps.
Rajesh Pillai, Apr 16, 2011