by a URL parameter value
(http://foo.example/page?frame_src=http://foo.example/file.html). An attacker may be able to replace the
frame_src parameter value with
frame_src=http://attacker.example/spoof.html. When
the resulting web page is served, the browser location bar visibly
remains under the domain the user expects (foo.example), but the
foreign data (attacker.example) is shrouded by legitimate
content.
Specially crafted links can be sent to a user via e-mail or instant
message, left in bulletin board postings, or forced upon users by a
Cross-site Scripting attack. If an attacker gets a user to visit a web
page designated by their malicious URL, the user will believe they are
viewing authentic content from one location when they are not. Users will
implicitly trust the spoofed content since the browser location bar
displays http://foo.example, when in fact the underlying HTML
frame is referencing http://attacker.example.
This attack exploits the trust relationship established between the
user and the web site. The technique has been used to create fake
web pages including login forms, defacements, false press releases,
etc.
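As an added example that is not part of the WASC document, the following Python shows the frame_src scenario above as a server-side handler: the vulnerable renderer that copies the parameter into the frame source unchecked, beside a hardened version that frames only same-host pages. TRUSTED_HOST, ALLOWED_PREFIX and menu.html are assumed values for illustration.

```python
from html import escape
from typing import Optional
from urllib.parse import urlsplit

# Constructed values matching the page's scenario (assumed site layout).
TRUSTED_HOST = "foo.example"   # the site the user believes they are on
ALLOWED_PREFIX = "/pages/"     # assumed directory of frameable content


def render_unsafe(frame_src: str) -> str:
    """Vulnerable form: frame_src is copied into the FRAME SRC unchecked,
    so attacker.example content is framed under foo.example's location bar."""
    return ('<frameset cols="100,*"><frame src="menu.html">'   # menu.html assumed
            f'<frame src="{frame_src}"></frameset>')


def resolve_frame_src(frame_src: str) -> Optional[str]:
    """Hardened form: return a site-relative path to embed, or None to reject.
    Only same-host http(s) URLs or site-relative paths under ALLOWED_PREFIX
    that do not climb directories are accepted."""
    parts = urlsplit(frame_src)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative (//host/...) reference: it must name
        # our own host over http(s). netloc is compared whole, so a foreign
        # host, embedded userinfo or an unexpected port all fail this check.
        if parts.scheme not in ("http", "https") or parts.netloc.lower() != TRUSTED_HOST:
            return None
    path = parts.path
    if not path.startswith(ALLOWED_PREFIX) or ".." in path.split("/"):
        return None
    if not path.endswith(".html"):
        return None
    return path


def render_safe(frame_src: str) -> Optional[str]:
    """Returns the frameset HTML, or None when the handler should answer 400."""
    path = resolve_frame_src(frame_src)
    if path is None:
        return None
    # Escape before embedding so the path cannot break out of the attribute.
    return ('<frameset cols="100,*"><frame src="menu.html">'
            f'<frame src="{escape(path, quote=True)}"></frameset>')
```

Rejecting rather than rewriting a bad value keeps the failure visible in server logs, which is where attempts to point the frame at another host would first show up.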
Example
Creating a spoofed press release. Let's say a web site uses
dynamically created HTML frames for its press release web pages.
A user would visit a link such as
(http://foo.example/pr?pg=http://foo.example/pr/01012003.html). The resulting web page HTML would be:
Code Snippet:
Copyright 2004, Web Application Security Consortium. All rights reserved.