CAPEC-587 Metadata
Likelihood of Attack
Medium
Typical Severity
High
Overview
Summary
This attack pattern combines malicious JavaScript with a legitimate web page loaded into a concealed iframe. The malicious JavaScript can then interact with the legitimate page in ways the user is not aware of. The attack usually involves an element of social engineering, since the attacker must convince the user to visit a web page that the attacker controls.
Prerequisites
The user's browser must have a vulnerability in its implementation of the same-origin policy, which allows certain data in a loaded page to originate from different servers or domains.
Potential Solutions / Mitigations
Avoid clicking on untrusted links. Employ techniques such as frame busting, a method by which developers prevent their site from being loaded within a frame.
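As an added illustration of the frame-busting mitigation (example code, not part of the CAPEC entry), the following JavaScript detects whether the page is framed by a foreign origin, attempts to break out, and produces the response headers that should back the script up; the function names are assumed.

```javascript
// Added example (not from CAPEC): best-effort frame busting plus the header values
// that should back it up. All function names are hypothetical.

// True when the document is inside a frame whose top-level page is a different origin.
// Takes the window as a parameter so the logic can be unit-tested outside a browser.
function framedByForeignOrigin(win) {
  if (win.top === win.self) {
    return false; // top-level document, not framed
  }
  try {
    // Same-origin ancestor: reading top.location is allowed, so compare origins.
    return win.top.location.origin !== win.location.origin;
  } catch (err) {
    // Cross-origin ancestor: the same-origin policy blocks the read and throws.
    // The exception itself tells us a foreign page is framing us.
    return true;
  }
}

// Escape the frame by navigating the top-level window to our own URL.
// Returns true when a navigation was attempted. A framing page can defeat
// script-only busting (e.g. with a sandboxed iframe), so treat this as
// defence in depth behind the headers below.
function bustFrame(win) {
  if (!framedByForeignOrigin(win)) {
    return false;
  }
  win.top.location = win.location.href;
  return true;
}

// Header values the server should send so the browser refuses framing before
// any script runs. allowSameOrigin=true permits framing by our own origin only.
function antiFramingHeaders(allowSameOrigin) {
  return {
    'Content-Security-Policy': allowSameOrigin
      ? "frame-ancestors 'self'"
      : "frame-ancestors 'none'",
    'X-Frame-Options': allowSameOrigin ? 'SAMEORIGIN' : 'DENY',
  };
}

// Typical wiring in the browser (guarded so the module also loads under Node).
if (typeof window !== 'undefined') {
  bustFrame(window);
}
```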
Related Weaknesses (CWE)
| CWE ID | Description |
|---|---|
| CWE-1021 | Improper Restriction of Rendered UI Layers or Frames |
Related CAPECs
| CAPEC ID | Description |
|---|---|
| CAPEC-103 | An adversary tricks a victim into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely different, usually an adversary controlled or intended, system. |
Taxonomy Mappings
Taxonomy: OWASP Attacks
| Entry ID | Entry Name |
|---|---|
| Link | Cross Frame Scripting |