Cross-frame scripting illustrationĬross-Frame Scripting (XFS) is an attack that combines malicious JavaScript with an iFrame that loads a legitimate page in an effort to steal data from an unsuspecting user. An example would consist of an attacker convincing the user to navigate to a web page the attacker controls. This attack is usually only successful when combined with social engineering. Scenario 1: Other site loads your site in iFrame Let’s continue to break down iFrame security cases for each scenario. I assume that you now know the techniques to prevent iFrame from security risks. Checkout to this CSP: sandbox docs for better understanding. CSP sandbox: another option similar to iFrame sandbox attribute, but this will be applied to all iFrames in a site.Checkout to this Iframe sandbox attribute docs for better understanding. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy. IFrame sandbox attribute: Applies extra restrictions to the content in the frame.Checkout to this CSP: frame-src docs for better understanding. CSP frame-src: specifies valid sources for nested browsing contexts loading using elements such as and.Checkout to this CSP: frame-ancestors docs for better understanding. CSP frame-ancestors: specifies valid parents that may embed a page using, ,, , or.Checkout to this X-Frame-Options docs for better understanding.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |