Questions tagged [cross-frame-scripting]
An attack where the attacker exploits bugs in the browser's SOP (same-origin policy) to steal data from a frame with a different origin.
12 questions
8 votes, 2 answers
Is "Math.random" the same as "crypto.getRandomValues" (JavaScript security)
This question may be a little off-topic, but is Math.random the same as crypto.getRandomValues? (JavaScript)
Here's an example:
Math.random(); // 0.11918419514323941
self.crypto.getRandomValues(new Uint32Array(10))[0]; // 2798055700
(Using "self"…
Parking Master
6 votes, 3 answers
How to avoid the cross-frame scripting attack over a core PHP web application
I have developed one web application in core PHP as per the client's requirement. My client conducted a vulnerability test and found Cross-Frame Scripting as a vulnerability at hard level.
What can be done in this case to avoid it? Is…
Shaggie
4 votes, 1 answer
How to create a secure embeddable HTML form?
I have an https website and I want to let other websites embed one of the pages on my website that lets users of my service log in and submit a form, similar to Paypal's payment iframe or Plaid's Link. Many such services exist, and from what I have…
Luciano
4 votes, 2 answers
Are these four HTTP headers protection against Cross-Frame Scripting enough?
I would like to ask what the best protection against Cross-Frame Scripting is.
I have set up my web server to add these flags to the HTTP headers:
X-Same-Domain: 1
X-Content-Type-Options: nosniff
X-Frame-Options:…
Jamie
3 votes, 2 answers
Are these both cross frame scripting attacks?
I've received a recent security review of a website which mentioned it had a cross frame scripting vulnerability. In short, it mentioned that a malicious site could load the page up in an iframe, fooling the user into thinking they are on the legitimate…
Lawtonfogle
3 votes, 1 answer
Can JavaScript on a parent page log keystrokes inside an iframe?
I am trying to analyze the possibility of accessing keystrokes from an iframe using JavaScript running on the parent page. The potential attack which I am looking to verify is Cross Frame Scripting.
From the OWASP page, I read that the listener in…
hax
3 votes, 1 answer
X-Frame-Options absent but can't load the page in an iframe
I am trying to find the reason that a certain webpage is not getting iframed even when the X-Frame-Options header is absent.
Observation:
When I write an HTML with iframe tag pointing to the URL and save this file locally and open it, I can find the…
one
2 votes, 1 answer
Is it okay to only provide clickjacking protection on the login page?
I have a question about Clickjacking.
The question is quite simple. Imagine a login flow like this:
You visit the application login page, eg https://example.com/login.html. There is no Clickjacking protection (i.e. the X-Frame-Options header) on…
Bhuvanesh Kumar
1 vote, 1 answer
Loading a logged in page in an iframe
Suppose www.youtube.com has no X-Frame-Options set.
Imagine I'm already logged in to YouTube. Now, from another web page in the same browser, I load YouTube in an iframe; will the browser send all the auth cookies to the YouTube loaded in the…
3lokh
1 vote, 1 answer
Can malicious sites use session data from iframes?
Let's say I have logged in to my site Genuine Site. Malicious Site has an iframe embedding Genuine Site. Will the embedded iframe in the Malicious site have access to my login credentials from Genuine Site which I have logged in, in another tab?
The…
Souradeep Nanda
0 votes, 1 answer
How does one exploit cross scripting?
In my computer science class, my professor provided the following example...
Normally, a user would provide a link by typing the following in chatroom...
[Example Website](https://example.com)
And receive an output of...
Example…
TrevorKS
-1 votes, 1 answer
How do I configure Apache to resolve 'Missing Cross-Frame Scripting Defence' reported by AppScan?
There is an Apache server hosting a website written in PHP that is accessible through the internet. How do I configure Apache to resolve 'Missing Cross-Frame Scripting Defence', and can the 'Missing Cross-Frame Scripting Defence' warning be ignored?
user275517