Cross Frame Scripting, commonly referred to as CFX, is closely related to XSS (Cross Site Scripting). It is a
vulnerability that affects websites that use frames within their web pages. Although frames are generally
frowned upon in web development circles, they are still used because of the complexity and cost of upgrading
old websites to new technologies or structures. Using this method of attack, an attacker can take control of the
parent frame from an internal frame and display their own information inside the targeted website, for example
to simulate login pages or website inventory. This bug is browser based and only exists on older browsers such
as Internet Explorer 6, which still holds a good market share in the browser war.

iFrames that are inserted without a parent iFrame being available are therefore not cross framed but injected, and fall under the category of Cross Site Scripting (XSS).

WebSafe tests for Cross Frame Scripting as follows:
The first area tested is whether frames exist. If frames do exist, then
CFX placed events are tested and evaluated.
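
The first step described above, checking whether frames exist, as an added example that is not WebSafe's own code. `inventory_frames`, the sample URL and the sample markup are hypothetical and constructed for illustration; the same-origin flag is an added assumption about what a reviewer would want to know for each frame.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def origin(url):
    """(scheme, host, port) with default ports filled in."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or {"http": 80, "https": 443}.get(p.scheme))

class FrameInventory(HTMLParser):
    """Records <frameset> presence and every <frame>/<iframe> element."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.has_frameset = False
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "frameset":
            self.has_frameset = True
        if tag not in ("frame", "iframe"):
            return
        a = dict(attrs)
        src = (a.get("src") or "").strip()
        # Resolve relative frame sources against the page that embeds them.
        target = urljoin(self.page_url, src) if src else ""
        self.frames.append({
            "tag": tag,
            "name": a.get("name") or "",
            "src": target,
            # Assumption: a frame loading another origin deserves closer review.
            "same_origin": bool(target) and origin(target) == origin(self.page_url),
        })

def inventory_frames(page_url, html):
    parser = FrameInventory(page_url)
    parser.feed(html)
    parser.close()
    return {"has_frames": bool(parser.frames),
            "has_frameset": parser.has_frameset,
            "frames": parser.frames}

# Constructed sample page (not taken from any real site).
SAMPLE_URL = "https://shop.example/account/index.html"
SAMPLE_HTML = """<html><frameset cols="20%,80%">
  <frame name="nav" src="menu.html">
  <frame name="main" src="https://cdn.partner.example/content.html">
</frameset></html>"""

if __name__ == "__main__":
    for f in inventory_frames(SAMPLE_URL, SAMPLE_HTML)["frames"]:
        print(f)
```

A page that returns `has_frames` as false needs no further frame testing; an `iframe` found where `has_frameset` is false matches the injected case described above rather than cross framing.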