Cross Frame Scripting (XFS) Cheat Sheet, Attack Examples & Protection

Cross-Frame Scripting (XFS), also known as iFrame Injection, is essentially a targeted, browser-based phishing attack. It must not be confused with Cross-Site Scripting (XSS), which also allows malicious JavaScript to execute: XFS works in a similar manner, but is limited to sniffing user input for data harvesting.

According to recent research by Singaporean security expert Wang Jing, over 99% of the topic links and domains are vulnerable to XFS and XSS attacks.

What is Cross Frame Scripting (XFS)?

Cross Frame Scripting attacks take place when the victim is tricked into opening a malicious web page in their browser. The attacker, who controls this page, loads a third-party page inside an HTML frame on it. A malicious JavaScript keylogger on the outer page then records the victim’s keystrokes and sends them to the attacker’s server.


Cross-Frame Scripting attacks, also known as iFrame Injections, are more dangerous than traditional phishing techniques because the framed content is the genuine target website, so what the victim sees is identical to the real site. While these attacks require the attacker to exploit very specific browser bugs, their effectiveness is very high.

XFS attack examples

To exploit the IE bug which leaks keyboard events across framesets, an attacker may create and control a web page at, while including a visible frame displaying the login page for on it. The attacker can hide the frame’s borders and expand the frame to cover the entire page, so that it looks to the browser user like he or she is actually visiting. The attacker registers some JavaScript in the main page which listens for all key events on the page.

Normally, this listener would be notified of events only from the main page. But because of the browser bug, this listener is notified also of events from the framed page. So every key press the browser user makes in the frame, while trying to log into, can be captured by the attacker, and reported back to


What are the damages caused by XFS Attacks?

Possible damages of Cross Frame Scripting attacks can involve:

  • Data and identity theft
  • Gaining control of the victim’s computer remotely
  • Installation of spyware on computers and networks for future sniffing
  • Initiation of Denial of Service (DoS) attacks on other websites
  • Using the visible frame to execute clickjacking

How to prevent XFS Attacks?

There is not much the normal user (potential victim) can do besides taking the usual measures against phishing attacks. These steps include:

  • Avoiding malicious looking links and websites.
  • Not letting the browser “remember” passwords and login links.
  • Sacrificing performance for security by blocking all tracking cookies.
  • Keeping personal information and data in secure encrypted storage.
  • Using strong passwords and changing them on a frequent basis.

Frame Busting is the main strategy developers can adopt to combat XFS attacks. It is a short piece of JavaScript placed in the page that stops the page from being loaded inside someone else’s iFrame, so the site cannot be used as an iFrame trap. The most common Frame Busting code consists of two basic elements, a conditional statement and a counter action, and looks like this:

// If this page is not the top-level window, it is being framed:
// navigate the top-level window to this page so it escapes the frame.
if (top != self) {
  top.location = self.location;
}

Preventing XFS attacks with CxSAST

CxSAST detects and warns about all pages that can be displayed in an iFrame and have no XFS protection in place.
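As an added example (not code from the article or from CxSAST), the following Node.js helper performs the kind of audit described above: it reports whether a response could be displayed inside a third-party iFrame, by checking the HTML for the Frame Busting snippet and checking the response headers for the standard X-Frame-Options and Content-Security-Policy frame-ancestors restrictions. Function names and the sample responses are constructed for this example.

```javascript
// Added example, not part of the article or of CxSAST. Header names are the
// real X-Frame-Options / Content-Security-Policy headers; function names and
// the SAMPLES below are constructed for this example.

// True if any inline <script> contains the classic frame buster:
// a top/self comparison followed by an assignment to top.location.
function hasFrameBuster(html) {
  const scripts = [...html.matchAll(/<script[^>]*>([\s\S]*?)<\/script>/gi)].map(m => m[1]);
  return scripts.some(s =>
    /(?:window\.)?top\s*!==?\s*(?:window\.)?self|(?:window\.)?self\s*!==?\s*(?:window\.)?top/.test(s) &&
    /top\.location\s*=/.test(s));
}

// True if the headers forbid framing by other origins:
// X-Frame-Options DENY/SAMEORIGIN, or CSP frame-ancestors limited to 'none'/'self'.
function headersForbidFraming(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return true;
  const directive = (h['content-security-policy'] || '')
    .split(';').map(d => d.trim()).find(d => /^frame-ancestors(\s|$)/i.test(d));
  if (!directive) return false;
  const sources = directive.split(/\s+/).slice(1).map(s => s.replace(/'/g, '').toLowerCase());
  // An empty source list means 'none'; anything beyond 'self' opens the page to that origin.
  return sources.every(s => s === 'none' || s === 'self');
}

// Combined verdict for one response: framable means neither protection is present.
function auditFraming(response) {
  const headerProtection = headersForbidFraming(response.headers);
  const frameBuster = hasFrameBuster(response.body);
  return { framable: !headerProtection && !frameBuster, headerProtection, frameBuster };
}

// Constructed sample responses: a bare login form, the same kind of page with the
// article's frame buster, and a page protected only by a CSP header.
const SAMPLES = {
  unprotectedLogin: { headers: { 'Content-Type': 'text/html' },
    body: '<html><body><form><input name="user"><input type="password"></form></body></html>' },
  withFrameBuster: { headers: {},
    body: '<html><head><script>if (top != self) {top.location = self.location;}</script></head></html>' },
  withCsp: { headers: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
    body: '<html><body>ok</body></html>' },
};

for (const [name, response] of Object.entries(SAMPLES)) {
  console.log(name, auditFraming(response));
}
```

A page that passes only the frameBuster check still deserves attention: script-based Frame Busting relies on the framing page being unable to interfere with it, so the header-based protection is the stronger signal.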