CAPEC-587
Cross Frame Scripting (XFS)
Description
This attack pattern combines malicious Javascript and a legitimate webpage loaded into a concealed iframe. The malicious Javascript is then able to interact with a legitimate webpage in a manner that is unknown to the user. This attack usually leverages some element of social engineering in that an attacker must convinces a user to visit a web page that the attacker controls.
Prerequisites
The user's browser must have vulnerabilities in its implementation of the same-origin policy. It allows certain data in a loaded page to originate from different servers/domains.
Mitigations
Avoid clicking on untrusted links.
Employ techniques such as frame busting, which is a method by which developers aim to prevent their site being loaded within a frame.