XSS: Identifying & Blocking Cross Frame Scripting

TL;DR

Cross frame scripting (CFS) is a type of cross-site scripting attack that exploits weaknesses in how websites handle iframes. It’s less common than traditional XSS, but still dangerous. This guide explains how to identify potential CFS attacks and implement measures to block them.

Understanding Cross Frame Scripting

CFS relies on tricking a website into loading content from a malicious source within an iframe. If the website doesn’t properly restrict what that iframe can do, the attacker can potentially access sensitive data or perform actions as if they were the user.

Identifying Potential CFS Attacks

  1. Review Website Code for Iframe Usage: Search your website’s source code for <iframe> tags. Pay close attention to where these iframes are used and what URLs they load.
    • Look for dynamic iframe sources – those that change based on user input or external data.
    • Check if the src attribute is constructed using variables or user-supplied values.
  2. Examine HTTP Headers: Use your browser’s developer tools (usually by pressing F12) to inspect the response headers when loading pages with iframes.
    • Specifically, look for the X-Frame-Options header. This is a key defence against CFS.
    • If the header is missing or incorrectly configured, your website may be vulnerable.
  3. Content Security Policy (CSP) Analysis: Check if your website uses CSP and how it handles frames.
    • A strong CSP can restrict which domains content can be loaded from, including within iframes.
    • Review the frame-ancestors directive in your CSP to see which origins are allowed to embed your site in an iframe.

Blocking Cross Frame Scripting Attacks

  1. Implement the X-Frame-Options Header: This is the most common and effective way to prevent CFS.
    • DENY: Prevents any domain from framing your website.
    • SAMEORIGIN: Allows only pages from the same origin (domain, protocol, and port) to frame your website. This is generally recommended if you need iframes for internal functionality.
    • ALLOW-FROM uri: (Deprecated but sometimes seen) Specifies a specific domain that’s allowed to frame your site. Avoid this as it’s less secure than SAMEORIGIN and not widely supported.

    You can set this header in your web server configuration (e.g., Apache, Nginx) or through your application code.

    # Example Apache Configuration
    Header always set X-Frame-Options "SAMEORIGIN"
  2. Use Content Security Policy (CSP): CSP provides more granular control over resources loaded on your website.
    • The frame-ancestors directive specifically controls which origins can embed your site in an iframe.
    • Set it to allow only trusted domains or use 'none' to block all framing.
    # Example CSP header
    Content-Security-Policy: frame-ancestors 'self';
  3. Regularly Scan Your Website: Use automated vulnerability scanners to identify potential CFS vulnerabilities.
    • Many cyber security scanning tools include checks for missing or improperly configured X-Frame-Options and CSP headers.
  4. Input Validation & Output Encoding (General XSS Prevention): While not specific to CFS, robust input validation and output encoding are crucial for preventing all types of XSS attacks, including those that might be used in conjunction with frames.
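The header review in the identification steps above and the X-Frame-Options and frame-ancestors rules in this section, as an added example that is not code from the original article: a Python check that grades a captured set of response headers. The header sets, function names and "level" labels are constructed for illustration; note that browsers which understand frame-ancestors ignore X-Frame-Options when both are present, so the CSP directive decides the result.

```python
"""Grade framing protection from response headers (added example, not the article's code)."""

def frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):          # directives are ';'-separated
        tokens = directive.strip().split()    # directive name, then source tokens
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def assess_framing(headers: dict) -> dict:
    """Classify one response as blocked / restricted / unprotected and list findings."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []

    # 1. X-Frame-Options: DENY and SAMEORIGIN are the only values modern browsers honour.
    xfo = h.get("x-frame-options", "").strip().upper()
    xfo_level = "unprotected"
    if xfo == "DENY":
        xfo_level = "blocked"
    elif xfo == "SAMEORIGIN":
        xfo_level = "restricted"
    elif xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is deprecated and ignored by modern browsers")
    elif xfo:
        findings.append(f"unrecognised X-Frame-Options value {xfo!r}")
    else:
        findings.append("X-Frame-Options header missing")

    # 2. CSP frame-ancestors overrides X-Frame-Options in browsers that support it.
    ancestors = frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is None:
        findings.append("CSP frame-ancestors directive missing")
        level = xfo_level
    elif ancestors == ["'none'"]:
        level = "blocked"
    elif "*" in ancestors or any(a in ("http:", "https:") for a in ancestors):
        level = "unprotected"           # wildcard or bare scheme lets any site frame the page
        findings.append(f"frame-ancestors too permissive: {' '.join(ancestors)}")
    else:
        level = "restricted"            # 'self' and/or an explicit allow-list of origins
    if ancestors is not None and xfo and level != xfo_level:
        findings.append("X-Frame-Options and frame-ancestors disagree; CSP wins where supported")
    return {"level": level, "findings": findings}

# Constructed sample header sets (not captured from any real site).
SAMPLE_RESPONSES = {
    "hardened": {"X-Frame-Options": "SAMEORIGIN",
                 "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "missing":  {"Content-Type": "text/html"},
    "conflict": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(name, assess_framing(hdrs))
```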

Important Considerations

  • Testing: After implementing any changes, thoroughly test your website to ensure it functions as expected and that legitimate iframe usage isn’t broken.
  • Browser Compatibility: Ensure the headers you use are supported by the browsers your users rely on. X-Frame-Options has excellent compatibility. CSP support is good but can vary slightly between older browsers.