Another type of attack that we haven’t talked about yet is cross-frame scripting (XFS). In a cross-frame scripting attack the attacker takes a page of your site and embeds it in an iframe on a page they control. A little CSS (no border, full width and height, your page’s title and favicon) makes the result look like your site rather than like a frame. This might seem pretty harmless, but the attacker’s page can include malicious scripts that try to do things like capture keypresses and send them to a web service on the attacker’s real site. OWASP’s Cross Frame Scripting page has a good write-up.
Today the classic form of this attack is a bit trickier to pull off: the same-origin policy stops the framing page from reading the contents of a cross-origin frame, so stealing keystrokes from inside your page depends on a browser bug. Framing itself is not blocked, though, and the closely related clickjacking attack (a transparent frame of your site laid over decoy content so the victim clicks your buttons without knowing it) needs no such bug. Treat framing as a real threat. It is also a bigger insider threat: a developer could write an app served from the same origin that frames another team’s page and, because the frame is same-origin, script it freely and steal user credentials without having to worry about cross-domain restrictions at all.
So, how about the defense? Ready for this?
X-Frame-Options: DENY
That’s it! Send that HTTP response header with every HTML page your application serves and browsers will refuse to render the page inside a frame. Note that it has to be a real response header: the often-copied <META http-equiv="X-Frame-Options"> form is ignored by browsers and gives no protection. Use SAMEORIGIN instead of DENY if your own pages legitimately frame each other. The modern replacement is the frame-ancestors directive of Content-Security-Policy, which also lets you list specific allowed origins; send both, since browsers prefer frame-ancestors when it is present and fall back to X-Frame-Options otherwise.