Framing attacks and Cross-Frame Scripting (XFS) 

Framing Attacks and Cross-frame scripting explained

May 30, 2022


Borislav Kiprin


In this blog post, you can learn more about frame injection attacks, such as Cross-Frame Scripting (XFS), how they work, and what you can do to prevent them.

What are frame injection attacks?

As a general category, frame injection attacks, sometimes also called framing attacks, denote the strategy of injecting frames into websites for various malicious purposes. These include using the frames to fool users into revealing their credentials, running a script on a user’s browser, redirecting users to malicious websites to perform a phishing attack, etc. 

Frame injection attacks are listed under the injection category of the OWASP Top 10 2021 list, though they pose a lesser threat than other types of injection attacks.

However, given the right circumstances, a frame injection can also be used to carry out a clickjacking attack, cross-site scripting (XSS), cross-site request forgery (CSRF), frame hijacking, etc.
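Whether another origin can frame a page at all is decided by that page's response headers, so a header audit is a practical first check against the framing attacks described above. The following is an added example, not code from the original article: it models how current browsers evaluate the standard `Content-Security-Policy: frame-ancestors` directive and the `X-Frame-Options` header. The function names and the `*.example` origins are hypothetical, and the model is simplified to one embedding page and host sources without ports or paths.

```javascript
// Added example (not from the original article). Simplified model: a single
// embedding ancestor, host sources without ports or paths.
const schemeOk = (want, got) => got === want || (want === "http:" && got === "https:");

function matchesSource(source, embedder, pageOrigin) {
  const s = source.toLowerCase();
  const e = new URL(embedder);
  const page = new URL(pageOrigin);
  if (s === "*") return true;
  if (s === "'self'") return e.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeOk(s, e.protocol); // scheme-source
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/);
  if (!m) return false; // 'none' or an unsupported form: treat as no match
  const [, scheme, wildcard, host] = m;
  if (!schemeOk(scheme ? scheme + ":" : page.protocol, e.protocol)) return false;
  return wildcard ? e.hostname.endsWith("." + host) : e.hostname === host;
}

function canBeFramed(headers, pageOrigin, embedder) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // CSP frame-ancestors wins over X-Frame-Options; every policy that sets it must match.
  const lists = (h["content-security-policy"] || "")
    .split(",").flatMap((policy) => policy.split(";"))
    .map((d) => d.trim().split(/\s+/))
    .filter((t) => t[0].toLowerCase() === "frame-ancestors")
    .map((t) => t.slice(1));
  if (lists.length > 0) {
    const ok = lists.every((l) => l.some((src) => matchesSource(src, embedder, pageOrigin)));
    return { allowed: ok, decidedBy: "csp" };
  }

  // X-Frame-Options: DENY or conflicting values block; SAMEORIGIN needs a same-origin embedder.
  const xfo = new Set((h["x-frame-options"] || "").split(",")
    .map((v) => v.trim().toUpperCase()).filter(Boolean));
  const known = ["DENY", "SAMEORIGIN", "ALLOWALL"].some((v) => xfo.has(v));
  if (xfo.has("DENY") || (xfo.size > 1 && known)) {
    return { allowed: false, decidedBy: "x-frame-options" };
  }
  if (xfo.has("SAMEORIGIN")) {
    const same = new URL(embedder).origin === new URL(pageOrigin).origin;
    return { allowed: same, decidedBy: "x-frame-options" };
  }
  // Missing, invalid, or obsolete ALLOW-FROM values restrict nothing in modern browsers.
  return { allowed: true, decidedBy: "none" };
}
```

A result of `decidedBy: "none"` with `allowed: true` is the finding to act on: the response carries no effective framing restriction.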

What is cross-frame scripting?

Cross-frame scripting (XFS), also known as iframe injection, is one instance of a framing attack. It eavesdrops on users’ actions by loading a legitimate third-party page in an iframe on a page that also runs a malicious script. The script is then used to leak keyboard events (i.e., keystrokes) and other browser events and to capture user input such as login credentials. I.e., it is a form of phishing through
